The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.

Want to Be HIPAA-compliant? Include Your Digital Copiers in Your Strategy

Copiers are common in all medical practices. Are yours included in your HIPAA-compliance strategy? They should be.

HIPAA was passed 20 years ago this year. It's only in the past two years that guidance on digital copiers and other office equipment has been included within the regulation.

Both the risk and the cost of data breaches in the healthcare industry are going up. Technological advances are providing valuable case-wide "interoperability" while also creating much higher risks of losses and breaches. Evolving healthcare information security regulations are creating duties for a broader scope of healthcare enterprises. Caught between the two are the health IT experts who must ensure both document security and easy accessibility by authorized users while protecting against an expanding and deepening pool of technological threats. Some of those threats are surprising:

One takes the shape of the innocuous office copier.

Technology Keeps Evolving

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The Web was only starting to explode then, having started to hit the mainstream in 1989, and everyone was beginning to awaken to the Internet's commercial potential. A short 20 years later, two-thirds of the world's population access the Internet through a computer or mobile device, and our refrigerators and thermostats are hooked up to a network. All of these digital and network-connected end points, like your digital copiers, create security risks – especially for HIPAA covered entities.

Healthcare Risks Have Changed Over Time

In the 20 years since the passage of HIPAA, healthcare technology has also evolved to become both the best tool and the biggest threat to accomplishing the goals of that national healthcare agenda. Over time, as the health industry experienced painful incidents of data breaches and systems hacks, the U.S. Department of Health and Human Services issued new rules to address those failures and (hopefully) prevent new ones.

One failure the agency is working to correct is the vulnerability posed to the entire medical community by the not-so-simple digital copier. In 2013, Affinity Health Plan, Inc. paid more than $1.2 million in fines to close out a disciplinary case brought by the Health Department. In the action, the agency demonstrated that Affinity had failed to clean protected personal health information from its leased office copiers when it returned those machines to the lessor. The new lessee of the copiers, CBS Television, informed Affinity that its newly leased equipment contained the personal health information of some of Affinity's clientele. Considering that millions of office copiers exist in the world, the Affinity case signaled a potentially devastating threat to document security for most, if not all, medical services providers who use copy machines. For more on this, read Why Digital Copiers Are A Security Time Bomb.

Today's Copiers Are "Workstation" Devices

To repair the gap, in 2014, the Health Department's Office of the National Coordinator for Health Information Technology identified office copiers as "workstations." By doing so, the agency added those devices (and their related functions of scanning, etc.) to the list of healthcare practice devices that are subject to the administrative, physical, and technical rules that govern the security of personal health information.

The Office of the National Coordinator for Health Information Technology is emphatic about protecting against the risks posed by copiers. The agency created a series of security risk assessment tools, which are designed to walk medical practitioners through the compliance processes. In the document related to physical safety, "Standards for Physical Safeguards Content," in reference to Standard(s) PH19 - §164.310(b) et seq., the agency underscores the significance of copiers to health data security by mentioning them 15 separate times within the general "workstation devices" body of rules.

The importance of the digital copier to the implementation of the electronic health records requirements is understandable. Prior to digital technology, all medical records were physical items, including paper records (reports, chart notes, etc.) and video and still images. Building a comprehensive electronic record requires capturing that physical data in electronic form, and copiers and their included scanners have been the tools used to accomplish those tasks.

More Compliance Complexity

Of course, adding copiers, scanners, and other office equipment to HIPAA compliance adds another layer of complexity for healthcare IT officers – or anyone responsible for HIPAA compliance in a medical practice. Not only are compliance practices now required for existing and future equipment, but there should also be a review of what happened to previously owned equipment and the data contained in those electronic files (you don't want to be another Affinity).

Copiers Are Computers

Today's copiers are sophisticated digital machines that, in many cases, act the same way as computers to connect to the digital world. Like computers, they have hard drives that store the information related to the data they process and the identification of the people who use them. Most of today's digital copiers also include encryption programming that allows operators to hide identifiable data behind passwords.

For those processes to be compliant with HIPAA and Health Information Technology for Economic and Clinical Health, or HITECH, standards, however, they must be used rigorously. Many of today's medical office staff don't use this programming because they either don't know about it or they haven't yet been trained to do so.

Copiers Also Have Tools to Search for Vulnerabilities

The good news is that the same hard drives that create a vulnerability by holding personal health information can also track who accesses the device and the files stored on it. Like any piece of technology, once you understand the weaknesses you can then address them. Digital copiers can help doctors' offices, hospitals, clinics, etc. accomplish HIPAA compliance – WHEN intelligently included in your document security strategy.

If you haven't already, it's time for you to include your digital copiers in your HIPAA compliance strategy. You also need to include your network-connected copiers and printers in your overall security strategy.
