Protected Healthcare Information
August 8, 2017
Is PHI walking out your front door?
Did you know that protected healthcare information (PHI) could be slipping out your company through your printers, copiers and fax machines? These “front doors” to PHI could cost your business millions and possibly land you in jail.
The U.S. Department of Health and Human Services classifies printers, copiers and fax machines as workstations. Because they don’t look like the standard workstation with a monitor and keyboard, they are very often overlooked as devices that capture PHI. These devices often contain hard drives to store images. That means the last copy your employee or you made or the last fax that was sent with PHI on it could very well still be stored in that device. Worse, the last 100 pages or more could be stored with PHI information.
In one case, Affinity Health Plan paid more than $1.2 million for violations of the HIPAA Privacy and Security Rules. The company disclosed the PHI of 350,000 individuals when it returned photocopiers to a leasing agent without erasing the data from the hard drives of the copiers. The Office for Civil Rights, who conducted the investigation, also discovered that Affinity did not incorporate electronic PHI stored in the copiers’ hard drives in its risk and vulnerabilities analysis.
How can you protect your business and yourself?
- Conduct a risk and vulnerabilities analysis to include printers, copiers and fax machines.
- Write security policy guidelines for wiping these devices before they leave your premise or are returned to a leasing company.
- Ask for a certificate of destruction if the machine is leased. Any reputable leasing company will be able to provide a certificate of destruction to you.
So, before discarding that old printer or taking a baseball bat to it for a team-building exercise, wipe or destroy that hard drive. You will be saving yourself potentially millions in HIPAA fines with a well-written and executed security policy. Contact us today for more information on this or other security policy topics.
Back to all Posts