Photocopiers: Another PHI Hot Mess

Before you sell, donate, or lease your old office photocopiers or repurpose their parts, think about the patient health information (PHI) that is stored in their memory. A recent $1.2 million settlement between Affinity and the U.S. Department of Health & Human Services’ Office of Civil Rights (HHS OCR) is a prime example of why photocopiers are a serious breach risk.

Affinity’s PHI breach came to light after CBS News broadcast a story on the security risks posed by photocopier machines. One of the Affinity machines featured in the story had been purchased from a leasing company by CBS News and still had PHI in its memory. Affinity notified the HHS OCR after the broadcast, and the resulting investigation determined that the health provider had sold seven old machines containing 344,579 individuals’ records. Records found on the machine by CBS included prescription drug data, blood test results, and patient diagnoses.

Affinity failed to include the electronic PHI stored on photocopier hard drives in its analysis of risks and vulnerabilities, as required by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and failed to implement policies and procedures for returning the photocopiers to its leasing agents.

Affinity was ordered to pay its fine and retrieve all hard drives used on machines leased by the plan.

Let this be a lesson: Make sure PHI is wiped from any hardware in your organization before taking it out of service. Also, make sure you have HIPAA safeguards in place and conduct a careful risk analysis of the threats and vulnerabilities in any software or device that holds patient data, which includes photocopiers.

You can view the press release on the HHS website.

One Response to “Photocopiers: Another PHI Hot Mess”

  1. Steven Cornett says:

    “Make sure PHI is wiped from any hardware in your organization before taking it out of service.”

    I am not a computer/hard drive/magnetic media expert; but here is my two cents on this issue.

    There is no way for a layman to “wipe out” data on a hard drive short of physical destruction.

    I was lightly involved in this sort of thing in the service and the only way to do this was to 1. Overwrite 100% of the media with 1s and 0s (no easy task for multi-gig devices nowadays), then 2. Remove the media and place it in a powerful magnetic field for several minutes in order to erase the data (this machine drew so much power that the lights in the building would react) and then overwrite the media with 1s and 0s again. In the HIPAA context, at least one or possibly two employees would have to accompany the device (chain of evidence) in order to ensure against any breaches and somehow examine the device to ensure that all these steps “wiped out” the data.

    This would obviously cost more than the device is worth, so removal and retention (and destruction?) of the device is the only viable choice. Leased machines would need a clause to allow this. The storage device would have to be removed from the machine before it leaves the premises; and it may be prudent to open the machine when it first arrives in order to record the serial number(s) of storage devices and/or place a discreet UV-sensitive mark (invisible in normal light) on the components as a backup identification.

    This still leaves the identification, tracking and resolution of digital storage components (think flash drive permanently installed on a circuit board deep inside of the machine)!!! How will providers protect themselves from this genre of HIPAA breach?
