HIPAA Violations in Your Copy Machine?
Bryan Malatesta, CPA
Does your practice use a copy machine? Do you ever make copies of patient information? If so, there is a good chance that your practice is setting itself up for a HIPAA violation. Let me explain using the following simple scenario:
Your patient comes in to the office; your staff takes the patient’s ID and insurance cards and places them down on the copier. Your staff presses the copy button and then hands the patient back their cards. Next, they grab the patient’s file, select pages in the file to copy, place those in the copy machine, and hit copy again so the patient has copies of their charts, exams, etc. for their own records. Your staff is thinking nothing of this procedure as they do it each and every day, yet they may have just started the ball rolling for a potential HIPAA violation.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA required the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information. Collectively, these are known as the Administrative Simplification provisions.1 According to PrivacyRights.org, HIPAA was passed “to set a national standard for electronic transfers of health data.”
HIPAA required the U.S. Department of Health and Human Services (“HHS”) to issue privacy regulations governing individually identifiable health information, if Congress did not enact privacy legislation within three years of the passage of HIPAA.
Since Congress did not enact the legislation, and after numerous drafts, HHS issued the final Privacy Rule on December 28, 2000, and published modifications to it on August 14, 2002.2 Generically speaking, the Privacy Rule applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form. We will focus on health care providers for this article.
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.3
According to the HHS website: The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and information that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Generically speaking, every bill, every insurance card, every ID card, etc. falls within the guidelines of individually identifiable health information!
Copiers and hard drives
According to an April 2010 CBS News report4, nearly every copier made in the past decade or so has an internal hard drive, just like the one in your personal computer. Every time you make a copy, the image of that page is stored on the copier’s hard drive, and you never even knew it. If the copier also acts as a fax machine, it stores the fax images as well.
According to that CBS report, the copier manufacturer Sharp found that 60% of Americans had no idea that information was being stored on hard drives inside copiers. Therefore, most offices and businesses that routinely copy their customers’, clients’ or patients’ information are storing all of that private information on a hard drive inside the copier/fax machine without realizing it.
Question #1: How many copies of “Individually identifiable health information” has your practice made over the past month, year or 5 years?
Question #2: How much of this information was captured by copiers that are no longer in your facility?
HIPAA and Copiers
Unbeknown to most Americans, the routine practice of copying billing records, health insurance cards, drivers’ licenses, Social Security cards, benefit cards and the like, all of which carry exactly the information the HIPAA Privacy Rule protects, leaves that information on the copier’s hard drive and may put clinics, hospitals and doctors’ offices in violation of federal law through nothing more than the daily routine of their office workers.
One way to combat this HIPAA issue is to implement a HIPAA policy and procedure manual and to educate all workers and service providers to your practice on the law and its requirements. Make sure your copier vendor is aware of these issues and that a policy is in place to scrub all electronic data from any copier that is removed from your practice, whether it is replaced, sold or returned at the end of a lease, and that the scrub is verified rather than simply requested. As regulation tightens in the medical industry, your practice does not need a patient filing a HIPAA violation complaint with HHS, or worse yet… a copy machine leasing vendor turning ‘whistleblower’ on your practice.
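Verifying that the scrub actually happened, as an added example that is not part of the original article: the Python script below assumes the copier’s drive has been pulled and imaged to a raw file (with dd or a similar tool) and that the device stored scanned pages as ordinary JPEG, TIFF or PDF objects; that storage format is an assumption, since vendors differ. It scans the raw image for those file headers (including one split across a read boundary), overwrites the file, and rescans to confirm nothing is left. The 2 MiB sample “drive image” is constructed inline so the script runs offline.

```python
"""Residual-document check for a decommissioned copier hard drive.

Added example, not from the original article. Assumes the drive has been
imaged to a raw file and that stored pages are plain JPEG, TIFF or PDF
objects (vendor formats vary). The sample image below is constructed inline.
"""
import os
import sys
import tempfile

# Assumption: the copier stored page images in one of these formats.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"II*\x00": "TIFF-LE",
    b"MM\x00*": "TIFF-BE",
    b"%PDF-": "PDF",
}
CHUNK = 1 << 20                                 # read/write 1 MiB at a time
OVERLAP = max(len(s) for s in SIGNATURES) - 1   # carry-over so a header split across chunks is still found


def scan_for_residue(path):
    """Return a sorted list of (byte_offset, format) for every signature found in the raw image."""
    hits = []
    with open(path, "rb") as f:
        tail = b""       # last OVERLAP bytes of the previous chunk
        consumed = 0     # absolute offset of the start of the current chunk
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            data = tail + block
            base = consumed - len(tail)
            for sig, name in SIGNATURES.items():
                pos = data.find(sig)
                while pos != -1:
                    # A match lying entirely inside the tail was already reported last round.
                    if pos + len(sig) > len(tail):
                        hits.append((base + pos, name))
                    pos = data.find(sig, pos + 1)
            consumed += len(block)
            tail = data[-OVERLAP:]
    hits.sort()
    return hits


def wipe(path, pattern=b"\x00"):
    """Overwrite every byte of the image file in place and flush it to disk. Returns bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(pattern * n)
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def build_sample_image(path):
    """Constructed 2 MiB 'drive image' with three page-image headers, one straddling the 1 MiB boundary."""
    planted = [
        (CHUNK - 1, b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),   # JPEG header split across the first chunk boundary
        (CHUNK + 8192, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),   # PDF header
        (CHUNK + 20000, b"II*\x00\x08\x00\x00\x00"),         # little-endian TIFF header
    ]
    with open(path, "wb") as f:
        f.truncate(2 * CHUNK)             # zero-filled (sparse) body
        for offset, blob in planted:
            f.seek(offset)
            f.write(blob)


def demo():
    """Build the sample, confirm residue is found, wipe it, confirm the rescan is clean."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_sample_image(path)
        before = scan_for_residue(path)
        wipe(path)
        after = scan_for_residue(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    if len(sys.argv) == 2:                # python copier_residue.py /path/to/drive.img
        for off, fmt in scan_for_residue(sys.argv[1]):
            print(f"{fmt} header at byte {off}")
    else:
        before, after = demo()
        print("before wipe:", before)
        print("after wipe:", after)
```

Overwriting the raw image file only proves the check works; it does not sanitize the physical drive inside the copier. Have the drive itself sanitized (the vendor’s data-overwrite or erase feature, or the methods in NIST SP 800-88 for the media type), then run the scan on a fresh image of the drive and keep the clean result as evidence for your HIPAA records.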
You already have enough on your plate, like finding a medical solution to your patient’s health problem.
1 U.S. Department of Health and Human Services (HHS)
2 67 FR 53182
3 45 C.F.R. §§ 160.102, 160.103; see Social Security Act § 1172(a)(3), 42 U.S.C. § 1320d-1(a)(3). The transaction standards are established by the HIPAA Transactions Rule at 45 C.F.R. Part 162.
4 CBS News Report titled “Copy machines, a security risk?” April 19, 2010 http://www.cbsnews.com/video/watch/?id=6412572n