If someone is selling you a HIPAA-compliant copier; they're lying to you.
You can include your multifunction copiers in your HIPAA compliance efforts (and you must!), but there is no such thing as an out-of-the-box, HIPAA-compliant copier.
I've seen a few unscrupulous dealerships say that they sell compliant copiers. That's misleading, as it gives the impression that your compliance challenges can be met with a simple purchase. It's the policies and procedures your office must develop and follow when it comes to patient information – including the information that passes through your copiers – that will make you HIPAA-compliant.
HIPAA Security Rule focuses on the confidentiality, integrity, and availability of PHI. Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes. Integrity means that data or information has not been altered or destroyed in an unauthorized manner. Availability means that data or information is accessible and usable upon demand only by an authorized person.
Of course, your electronic health records and office equipment must be included in your HIPAA strategy. Here are a few tips for ensuring that you don't accidentally expose your patients' protected health information (PHI).
1. Copier Hard Drive Security
I've written specifically about multifunction copier hard drive security already. Click here to read Are Your Digital Copiers Putting Your Practice at Risk for HIPAA Non-Compliance? For at least one company, the answer to that question was yes. Affinity Health Plan did not erase information on a leased copier's drive. CBS Evening News bought the copier as part of a story about copier hard drive security and discovered confidential patient information on the drive. Affinity ultimately paid $1,215,780 for the breach.
2. Include Them in Your HIPAA-Compliance Strategy
Every healthcare provider, regardless of size, needs to be compliant. The first step is to make sure you don't ignore your copiers in compliance planning. That goes for any networked device with a hard drive that touches patient information.
3. Restrict Access
While not always feasible, physically restricting access to copiers and printers to a dedicated room is one way to ensure only authenticated users have access to the machines. At a minimum, restrict access so only your staff has access the devices.
Require user credentials at the device – password, swipe card, or even biometrics. Set up audit trails to ensure only authorized users are accessing devices. Set up an automatic log-off function as an additional safety step because users do forget to log-out.
5. No Ports in a Storm
Disable the USB ports on your copiers to prevent PHI from being downloaded to an unprotected USB stick.
6. Erase Onsite
At the end of your copier's lease or if you resell your copier, have your service partner erase and/or digital shred the hard drive or do it yourself.
7. Leave No Document Behind
When printing, scanning, faxing, and/or copying PHI all staff should remain at the device until finish – don't leave documents unattended on the devices.
8. Data Encryption
Enable data encryption on equipment that has a disk drive. The details will vary by manufacturer, for instance, Xerox products have a AES 128-bit encryption algorithm.
9. Loose Lips Sink Ships
This tip isn't related to copiers at all, but I know I've overheard nurses and doctor's office staff discuss patients. Be careful of where you discuss PHI, don't do it in front of other patients at a minimum. Be careful of hallway and waiting room conversations.
Complying with HIPAA or HITECH is hard enough. Many of the steps to stay within-bounds of HIPAA when using your office copier are simple to follow and need a simple checklist to ensure that they are followed.
Outsourcing the management of your copier print fleet to a manage print services partner is one way to help ensure that your office equipment is well managed. A good partner will work with you to ensure you save money on your printing and copying costs and can help ensure your equipment is secure as part of your compliance initiatives. Click on the image below to discover the value of managed print services.