Mid-Atlantic Health Law TOPICS
Is Your Copier a HIPAA Time Bomb?
Three decades into the digital revolution, most businesses recognize the potential risks connected with decommissioning PC hard drives. As each new generation of PC is introduced, the hard drives from the retired machines must be either removed and stored, effectively purged of existing data, or destroyed. But PCs are not the only repositories of confidential digital information. One often-overlooked source of data is the ordinary office copier.
Most copiers built in the last decade contain hard drives that enable them to scan, fax and store documents. Copier hard drives also retain the images of thousands of the documents scanned and copied. Most people, however, simply do not think of copiers as having long-term memories.
The problem of copier hard drives is further complicated by the fact that, unlike PCs, most copiers are leased, not owned. When the lease terminates or the copier is replaced, the old copier goes out the door, and so does the confidential information on it, unless steps have been taken to remove the drive or to permanently erase the data.
A. Health Care Regulations
The concern over copier hard drives is especially significant for health care providers. HIPAA and state medical records and consumer protection laws protect the privacy of patient information. Health care providers may face significant liability if protected health information is disclosed, even inadvertently.
Because copiers are often re-leased or sold with the previous user's data still on the hard drive, the potential for disclosure of protected information is significant. To avoid liability, health care providers should implement programs to deal with decommissioning copiers when they reach the end of their lease or useful life.
B. Practical Advice
Providers should begin by making sure that their IT department, officer or consultant is involved in selecting, installing and decommissioning copiers. It is important to understand what type of data storage device the copier uses, and whether it has any internal safeguards to protect against disclosure of information. Many manufacturers offer security measures such as encryption, disk overwrite programs and removable hard drives, to protect data while the copier is in service, and providers should investigate available options before leasing or buying.
When it comes time to retire the copier, a competent IT professional should ensure that the hard drive is secured, either by removing it (if the lease allows this) or by effectively purging the data stored on it so that it cannot be forensically recovered by subsequent users.
Providers are well advised to enlist competent IT assistance, and not to try wiping the hard drive with an off-the-shelf product. Most leases require copiers to be returned in functioning condition, and erasure programs usually delete or damage the hard drive's operating system. An IT professional will also be needed to reload or restore the software.
The universe of equipment that can store data in ever-increasing quantities grows every year. In addition to PCs and copiers, smartphones and other PDAs, voice mail systems and fax machines also have the capacity to store information. Before any data storage device is disposed of or returned, health care providers should be sure they have effectively removed all confidential information.