Health Information Compliance Alert

You Be The Security Officer:

Is Your Multifunction Printer Harboring ePHI?

Question:

We just bought a multifunction printer that also sends faxes, scans and makes copies. However, our information technology (IT) team thinks we should disable the machine's ability to store information to avoid any PHI leaks. Is this necessary under the security rule?

Answer:

"It depends," says Robert Markette, an attorney with Gilliland & Caudill in Indianapolis, IN.

In Section 160.103, the Department of Health & Human Services knocked basic paper-based fax machines out of the security rule running "because the information being exchanged did not exist in electronic form before the transmission," Markette notes. But that exclusion doesn't apply to fax machines that have a hard drive or are part of your network, he cautions.

Your multifunction printer's large memory doesn't push you into security rule territory, Markette says. If your machine's memory can hold on to a week's worth of PHI, however, you should take steps to keep that information out of unauthorized hands. Try this: Limit -- don't disable -- the amount of information your machine can store, he suggests.

"Multifunction printers with permanent storage capabilities, such as a hard drive, do fall under the security rule," and the information stored on them must be protected just like any other electronic protected health information (ePHI), Markette says.

Good idea: Set your multifunction printer to erase stored information at the end of each day or week, Markette suggests. And you should program the machine not to print out reports containing stored information at the press of a button, he says.

The Bottom Line: "Do a risk assessment of the machine before you decide which rule should apply," recommends Lee Kelly, senior security consultant at Fortrex Technologies in Frederick, MD. Strategy: Kick off your risk assessment with these questions:

How much storage does my multifunction printer have?

Is it also a network storage device?

How long is information stored on the machine?

How is stored information accessed?

Where is the printer stored?

Is it accessible by the public at large?

And remember, even if the security rule doesn't apply, the privacy rule still mandates that you protect all machines in your office from inappropriate use and access, Markette notes.
