Is your photocopier an unforeseen HIPAA compliance liability?

HHS settles with health plan in photocopier breach case

Photocopiers are often overlooked as devices that retain information, especially patient health information. These devices used to be standalone picture takers, but are now multifunctional and attached to the network. Many have email and file routing capabilities, but what is often misunderstood is that they also have hard drives to increase the speed of production and functionality. These hard drives store data about the documents they copy, print, scan, fax or email. If you don’t take steps to protect this data, it could be stolen either through remote access or by extracting it from the drive once the drive is removed.

It’s common for medical practices, pharmacies and other covered entities to lease a higher-production digital copier because of the purchase price. However, more often than not these copiers are acquired and returned without any communication with an IT or security professional. Business Associates who are responsible for securing clinical devices and servers should also be responsible for securing data stored on digital copiers.

In August 2013, Affinity Health Plan, Inc. settled potential violations of the HIPAA Privacy and Security Rules for $1,215,780 with the U.S. Department of Health and Human Services (HHS). It estimated that over 340,000 individuals may have been affected by photocopiers returned to the leasing agents.
