Okay – we’re not talking about that kind of trouble.
The Health Insurance Portability and Accountability Act (HIPAA) requires that protected health information (PHI) be safeguarded. Just about everyone knows that an employee’s health information needs to be kept in a separate file under lock and key with restricted access. (If you don’t, then you and I need to talk.) Most everyone also knows that the computers that store that information need to be protected and the data secured. But did you know your copier can get you in trouble?
Digital hard drives
In just about every office, paperwork containing protected personal information gets copied on a daily basis. We not only copy medical information to be filed, but we also copy various forms of identification such as passports, drivers’ licenses and social security cards. Just to be clear, there is nothing wrong with doing this, and most of us are pretty careful about what we do with that paperwork.
However, did you know that copiers are much more sophisticated than they used to be? They not only reproduce everything you want copied, they also store an image of every page on an internal hard drive. Right about now you may be thinking “OMG, what have I copied on there?” (Yep, that image of your posterior is stored there, or at least someone’s may be.)
Why this is important
According to Stacey Borowicz and Simi Botic, attorneys with Dinsmore & Shohl LLP, this lack of knowledge about a copier hard drive cost one company over $1.2 million in fines. In their article Is Your Photocopier HIPAA Compliant? they related the story of Affinity Health Plan, a not-for-profit managed care plan, which failed to realize that everything it copied was being stored on the copier’s hard drive. Unfortunately for Affinity, the copier it used was a leased machine. And, as often happens with leased machines, it was returned and traded out for a newer model.
By returning the machine without clearing the hard drive, Affinity exposed all the information on that drive, and on the drives of its other leased machines as well: the records of more than 100,000 people. Affinity reported the breach to the Department of Health and Human Services’ Office for Civil Rights (“OCR”), which then proceeded to investigate.
What OCR found was a failure to follow HIPAA requirements to assess potential security risks and to have appropriate policies and safeguards in place, such as wiping a hard drive clean before returning the copier.
What about you?
Obviously this type of violation has a much greater impact on healthcare providers, but every company should be aware of the risk. Do you know how much information your copier can store? What other devices in your office (printers, scanners, fax machines, multifunction devices) have this sort of storage? You need a policy that prevents unauthorized retrieval of information from these devices, and it must include a process for wiping the hard drive of any device before it leaves your building, whether it is returned to a lessor, sold, or discarded. You don’t really want to explain to your employees how their information got leaked.
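The decommissioning process described above needs one step the Affinity story shows was missing: wipe the storage, then verify the wipe before the device is released. The script below is an added example, not from the original post or from any copier vendor; it works on a constructed disk-image file (the path and the sample record are assumptions made up for the demonstration) that stands in for a copier’s hard drive. On a real copier you would use the manufacturer’s data-security kit or remove and destroy the drive; the point here is the verify step, which checks that every byte was overwritten rather than trusting that the wipe ran.

```shell
#!/bin/sh
# Added example (not the original post's code): sanitize-then-verify for a
# device-decommissioning checklist, run against a constructed image file
# that stands in for a copier hard drive.
set -eu

IMG="${IMG:-./copier_drive.img}"   # assumed path for the constructed image

# Build a small 256 KiB "drive" and seed it with a constructed PHI-like
# record at an arbitrary offset, the way a copier's image cache would hold
# fragments of copied documents.
make_sample_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=256 2>/dev/null
    printf 'PATIENT: Jane Doe SSN: 000-00-0000 DX: sample record\n' | \
        dd of="$IMG" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Print how many lines of the image contain the marker string (0 if none).
# -a forces text matching even though the image is mostly NUL bytes.
find_marker() {
    grep -c -a "$1" "$IMG" || true
}

# Overwrite the whole image with zeros in place and flush to disk.
# The image size is a multiple of 4 KiB, so bs=4096 covers every byte.
sanitize_image() {
    size=$(wc -c < "$IMG" | tr -d ' ')
    dd if=/dev/zero of="$IMG" bs=4096 count=$((size / 4096)) conv=notrunc 2>/dev/null
    sync
}

# Verification step: succeed (exit 0) only if no non-zero byte remains.
# Counting non-NUL bytes is stronger than grepping for one known record,
# because it catches data you did not know was on the drive.
verify_sanitized() {
    nonzero=$(tr -d '\000' < "$IMG" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Usage: sh wipe_verify.sh demo
if [ "${1:-}" = "demo" ]; then
    make_sample_image
    echo "records found before wipe: $(find_marker 'SSN:')"
    sanitize_image
    echo "records found after wipe:  $(find_marker 'SSN:')"
    if verify_sanitized; then
        echo "VERIFIED: image is fully zeroed, device may be released"
    else
        echo "FAILED: residual data present, do not release device" >&2
        exit 1
    fi
    rm -f "$IMG"
fi
```

Record the output of the verify step in the decommissioning file for the device; the checklist entry is the evidence you would show an investigator that the safeguard was actually applied.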