According to the Department of Health and Human Services, your office copiers, printers and fax machines are workstations. As such, they are required to be secured and maintained according to the standards of the Health Insurance Portability and Accountability Act (HIPAA).
Unfortunately, these devices are often a wide open door overlooked in many companies' security plans, or not properly secured to meet HIPAA standards. One of the most well-known data breach cases involved Affinity Health Plan. In 2010, Affinity failed to properly erase the hard drives in its leased copiers before returning them. As a result, over 330,000 patient records were exposed, costing Affinity $1.2 million in fines from the DHHS. Many companies don't realize that their devices contain hard drives and store copies of the images they process.
So how do you make your devices HIPAA compliant? It's about understanding the risks and mitigating them. While this is by no means a comprehensive list, here are some important areas to consider if your business is required to be HIPAA compliant.
- Secure Physical Access – The location of devices is a critical consideration. Devices need to be in areas accessible only to authorized staff members qualified to handle protected health information. When devices are in use, documents cannot be left unattended.
- Remove Hard Drives – Today, most MFPs, copiers and other devices contain a hard drive for storing data. At lease end, this information must be securely erased or the drives removed. Never return a device with any protected health information (PHI) still on the drive.
- User Authentication and Audits – Workstations should always be password protected to keep the data they hold safe from unauthorized access. All users should have unique identifiers so that activity can be audited should the need arise. As with other workstations, there should be an automatic log-off as an added precaution.
- Data Encryption and Removal – Any PHI stored on the hard drives of MFPs, copiers, fax machines, scanners or printers should be encrypted, and the network over which that data is transmitted must be encrypted as well (for example with SSL/TLS). If possible, periodically overwrite hard drive data to minimize the window for unauthorized access. Along with the hard drive, make sure to wipe the copier's memory clean as well.
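The erasure steps above (securely wiping or removing the drive at lease end, and periodically overwriting stored data) are only as good as the verification behind them. The following Python script is an added example, not code from the original post or from UBS: given a raw image of the copier's drive (or the block device itself), it checks that every byte matches the wipe fill pattern and scans for the magic bytes of document formats a copier typically spools (PDF, JPEG, TIFF, PostScript, ZIP), correctly catching a signature that straddles two read buffers. The file signatures are standard published values; the sample data in `main()` is constructed for the demonstration, and the script name `verify_wipe.py` is assumed.

```python
"""verify_wipe.py - check that a copier/MFP drive (or an image of it) was really wiped.

Added example, not part of the original post. Assumes the drive was wiped with a
single fill byte (0x00 by default); pass fill=0xFF to verify an all-ones wipe.
"""
import io
import sys
from typing import BinaryIO, Dict, List, Tuple

# Magic bytes of formats an MFP typically spools to disk. These are standard
# published values, not specific to any vendor.
SIGNATURES: Dict[bytes, str] = {
    b"%PDF": "PDF",
    b"\xff\xd8\xff": "JPEG",
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
    b"%!PS": "PostScript",
    b"PK\x03\x04": "ZIP / OOXML",
}
_MAX_SIG = max(len(s) for s in SIGNATURES)
DEFAULT_CHUNK = 1 << 20  # read 1 MiB at a time


def scan_stream(stream: BinaryIO, fill: int = 0x00,
                chunk_size: int = DEFAULT_CHUNK) -> dict:
    """Read the stream to the end; report how many bytes differ from `fill`
    and every document signature found, with its absolute offset."""
    total = 0
    not_fill = 0
    hits: List[Tuple[int, str]] = []
    carry = b""   # tail of the previous chunk, so a signature split across two reads is still seen
    offset = 0    # absolute offset of the first byte of `data`
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        total += len(data)
        not_fill += len(data) - data.count(fill)
        window = carry + data
        base = offset - len(carry)
        for sig, name in SIGNATURES.items():
            idx = window.find(sig)
            while idx != -1:
                # A match lying entirely inside the carried tail was already
                # reported while scanning the previous chunk.
                if idx + len(sig) > len(carry):
                    hits.append((base + idx, name))
                idx = window.find(sig, idx + 1)
        carry = window[-(_MAX_SIG - 1):]
        offset += len(data)
    hits.sort()
    return {"bytes_scanned": total, "bytes_not_fill": not_fill, "signatures": hits}


def scan_bytes(data: bytes, fill: int = 0x00, chunk_size: int = DEFAULT_CHUNK) -> dict:
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return scan_stream(io.BytesIO(data), fill, chunk_size)


def scan_image(path: str, fill: int = 0x00, chunk_size: int = DEFAULT_CHUNK) -> dict:
    """Scan a disk image file or a block device such as /dev/sdX (assumed path)."""
    with open(path, "rb") as f:
        return scan_stream(f, fill, chunk_size)


def is_erased(report: dict) -> bool:
    """Erased means every byte equals the fill value and no document header survives."""
    return report["bytes_not_fill"] == 0 and not report["signatures"]


def describe(report: dict) -> str:
    lines = [f"scanned {report['bytes_scanned']} bytes, "
             f"{report['bytes_not_fill']} differ from the wipe pattern"]
    for off, name in report["signatures"][:20]:   # cap the listing for readability
        lines.append(f"  {name} header at offset {off:#x}")
    lines.append("VERDICT: erased" if is_erased(report)
                 else "VERDICT: NOT erased - do not return this device")
    return "\n".join(lines)


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        report = scan_image(argv[1])
    else:
        # Constructed sample: a zeroed region with a leftover PDF spool file in the middle.
        sample = b"\x00" * 4096 + b"%PDF-1.4\n% constructed residue\n" + b"\x00" * 4096
        report = scan_bytes(sample)
    print(describe(report))
    return 0 if is_erased(report) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python verify_wipe.py /path/to/copier-drive.img` after the vendor's erase routine has completed; with no argument it scans the constructed sample and reports the surviving PDF header. A read-back scan only sees sectors the drive is willing to return: remapped sectors, SSD over-provisioning, and the copier's separate RAM and flash are outside its reach, which is why the list above also recommends physically removing the drive and clearing the copier's memory rather than relying on an overwrite alone.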
Data protection is critical in order to maintain HIPAA compliance. If you’re unsure where to start, give a UBS representative a call to help you implement a comprehensive compliance strategy.