Photocopiers: Another PHI Hot Mess
Before you sell, donate, return, or lease out your old office photocopiers, or repurpose their parts, think about the protected health information (PHI) still stored on their internal hard drives. A recent $1.2 million settlement between Affinity and the U.S. Department of Health & Human Services' Office for Civil Rights (HHS OCR) is a prime example of why photocopiers are a serious breach risk.
Affinity's PHI breach came to light after CBS News broadcast a story on the security risks posed by photocopier machines. One of the machines featured in the story had been purchased by CBS News from a leasing company, had previously belonged to Affinity, and still had PHI on its hard drive. Affinity notified HHS OCR after the broadcast, and the investigation eventually determined that the health plan had let seven old machines leave its control with the records of 344,579 individuals still stored on them. Records CBS found on the machine included prescription drug data, blood test results, and patient diagnoses.
Affinity had failed to include the electronic PHI stored on photocopier hard drives in its risk analysis, which the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires to cover all systems that hold electronic PHI, and had no policies or procedures for removing that data before returning the photocopiers to its leasing agents.
Under the settlement, Affinity paid the $1.2 million and was required to retrieve all hard drives from machines the plan had leased that were still in the leasing agent's possession.
Let this be a lesson: Before any hardware leaves your control, wipe or physically destroy its storage, and that includes the hard drives inside copiers and multifunction printers, which cache images of everything they scan, print, and fax. Do not take the vendor's word for it: keep a record of the sanitization, whether a certificate of destruction from the leasing agent or your own check that the drive reads back blank, and write the obligation into the lease contract. Many copiers also offer a vendor data-overwrite kit or drive-encryption option that reduces what is left behind. Finally, make sure your HIPAA safeguards are in place and that your risk analysis covers every device and application that holds patient data, photocopiers included.
You can view the press release on the HHS website.