All healthcare businesses handling ePHI should conduct a risk analysis that includes copiers/printers along with all other computing devices. Most of the time these copiers are leased on a yearly basis and replaced every couple of years with a new model. The old model is returned to the leasing company, which may re-lease or sell the machine to another organization. Your healthcare organization should have security policies that cover the use of printers/copiers to protect the ePHI on their hard drives. Policies should cover the security of the ePHI on the printer while it is in use as well as when the copier is replaced. It is extremely important that the ePHI on the hard drives in these machines be destroyed, and a certificate of destruction obtained, when you decide to replace the machine. Check with the equipment manufacturer or the leasing company to see whether they offer data destruction services. Data destruction services are also offered by independent servicing companies, which will securely dispose of the ePHI and issue a destruction certificate.
This recent settlement is a prime example of what can happen if ePHI is left unprotected on hard drives in photocopiers: http://www.hhs.gov/news/press/2013pres/08/20130814a.html
“Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. OCR’s investigation indicated that Affinity impermissibly disclosed the protected health information of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. In addition, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored in copier’s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.”
Check out the following links/resources for more information on safeguarding sensitive data stored on the hard drives of digital copiers:
- Copier Data Security: A Guide for Businesses: http://business.ftc.gov/documents/bus43-copier-data-security.
- The National Institute of Standards and Technology has issued guidance on media sanitization: http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf.