HHS: Guard patient information in copiers
October 8, 2013
Digital photocopiers used in health care practices to make copies of insurance cards, patient identification, and patient records during referrals to other practitioners may be a source of privacy violations. The U.S. Department of Health & Human Services (HHS) warns that while digital copiers may be fast, efficient and relatively inexpensive, they can pose a potential risk to the privacy of patient health information.
In the first case of its kind, Affinity Health Plan, Inc., a New York City not-for-profit managed care plan, announced in August it will pay the HHS more than $1.2 million to settle allegations it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to properly protect patient information stored in a copier.
Digital copiers contain hard drives that retain images of the documents fed into the device, even after the copying process is completed.
Many health care practitioners may not realize the copiers they use in their practices for taking insurance information, issuing care instructions or other purposes will contain federally protected patient information.
The Business Center of the Federal Trade Commission’s (FTC) Office of Consumer Protection recommends health care practitioners – as well as all other businesses – protect information stored on the hard drives of their photocopiers through encryption and overwriting. The National Institute of Standards and Technology (NIST) recommends specific procedures businesses can use to remove all stored data – or “sanitize” – digital copiers and other digital devices when the units are disposed of.
The HHS investigation of Affinity indicated it impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.
In addition, the investigation revealed Affinity failed to include the electronic protected health information stored on the copiers' hard drives in its analysis of risks and vulnerabilities, as required by the Security Rule, and failed to implement policies and procedures for returning the hard drives to its leasing agents.
Health care practices, like other businesses, commonly obtain digital copiers through lease arrangements, meaning the copier will at some point be returned to the vendor, which increases the chances of a privacy breach.
Federal officials consider health information to be unsecured if it has not been encrypted to render it unreadable to unauthorized parties.
While good electronic health records systems should provide encryption, and encryption programs are available for office computers, digital copiers will not encrypt information stored on their hard drives, the AOA Office of Counsel notes.
Photocopiers are just one of many digital devices – such as laptop computers, cell phones and digital personal organizers – commonly found in health care practices that may contain electronic protected health information and may pose a potential for a privacy breach if lost, stolen, sold, discarded or even repaired.
Practitioners should take steps to protect any information stored on those devices, in line with HIPAA regulations, just as they would information stored on their office computers.
Guidance on safeguarding sensitive data stored in the hard drives of digital copiers or in other digital devices is available from several resources, including:
- Copier Data Security: A Guide for Businesses – FTC guidance on encryption, overwriting and other steps to secure digital copiers used in office settings against security breaches. http://business.ftc.gov/documents/bus43-copier-data-security
- National Institute of Standards and Technology Guidelines for Media Sanitization – Available at http://tinyurl.com/mmxuolh.
- HHS free training on compliance with the HIPAA Privacy and Security Rules, offered for continuing medical education credit, at www.medscape.org/sites/advances/patients-rights.
- The HHS Resolution Agreement and CAP at http://tinyurl.com/kg6vkoj.