It was bound to happen.
Laws are being created.
What’s this about?
As we’ve mentioned a few times on this website, if you use a multi-function photocopier (one that will copy, scan, print and receive faxes), chances are very good (90%+ probability) that your device has a computer hard drive built into it.
This hard drive is intended to speed things up.
Well, “older” photocopiers work like this:
- put document(s) to be copied on top
- press Start button
- page gets scanned
- page gets printed.
Older photocopiers do this in a 1-to-1 process: scan page 1, print page 1; scan page 2, print page 2; and so on.
Newer, fancier photocopiers speed up this process.
By using a hard drive, they work like this:
- Scan all the documents
- Store them on the internal hard drive until all scanning is complete
- Then begin the printing process.
Additionally, when this device is used as a fax machine, all incoming faxes are stored on the hard drive, then later printed.
Unknown to you, there is a “phantom” stash of files on that drive waiting to come back and bite you.
This stash will try to sneak out of your office when you have that fancy photocopier replaced or upgraded.
None of the data on that photocopier hard drive is encrypted.
It is filled with PHI.
Letting it leave your office unencrypted is not only a big HIPAA violation, but a huge risk to your practice.
“But it’s not my fault”
I know, but your patients whose identities may have been stolen don’t care.
The fact that people don’t know this can happen is why lawmakers feel a new law needs to be put on the books.
This is currently starting at the state level, but don’t be surprised if it wiggles itself into the HIPAA world officially.
“What can I do about this?”
- Have a Business Associate Agreement signed between you and the photocopier vendor with explicit instructions as to how the data on the photocopier hard drive should be handled.
- Don’t trust the photocopier vendor, and wipe that hard drive yourself.
- NOTE: this may be a violation of your photocopier contract and could create some issues. It is up to you to decide where the greater risk lies: violating your photocopier contract OR having PHI exposed, having to pay for all your patients to get credit reports run, and dealing with the PR nightmare this type of mess would bring with it.
The quick answer here is: get control of your office HIPAA compliance today.