I’ve seen a few unscrupulous dealerships say that they sell "HIPAA compliant" copiers. That’s misleading, because it gives the impression that your compliance challenges can be met with a simple purchase. I do not agree: there are many policies and procedures your office must develop and follow, and no device can supply those for you.

The HIPAA Security Rule focuses on the confidentiality, integrity, and availability of electronic PHI. Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes. Integrity means that data or information has not been altered or destroyed in an unauthorized manner. Availability means that data or information is accessible and usable upon demand by an authorized person.

Of course, your electronic health records and office equipment must be included in your HIPAA strategy. Here are a few tips for ensuring that you don’t accidentally expose your patients’ protected health information (PHI).

The good news is that you can apply specific tactics to make your copiers part of a compliant environment. Encrypting the connections to your copiers, encrypting the data stored on them, and overwriting the copier’s hard drive on a regular schedule (monthly is a reasonable starting point) all help safeguard sensitive information.

So, follow these eight tips to keep your copiers within the bounds of HIPAA.

1- Copier hard drive security

Can a copier’s hard drive cause a breach? For at least one organization, the answer was yes. Affinity Health Plan returned leased copiers without erasing the information on their drives. CBS Evening News bought one of those copiers as part of a story about copier hard drive security and discovered confidential patient information on the drive. Affinity ultimately paid $1,215,780 to settle the resulting HIPAA case.

Most digital copiers have internal hard drives and network connections, and both can be exploited by attackers to gain access to protected health information. Failing to implement safeguards that protect the PHI in your care from unauthorized disclosure can lead to substantial civil and criminal penalties for HIPAA non-compliance. Civil penalties range from $100 to $50,000 per violation, up to a maximum of $1.5 million per calendar year for identical violations.

https://www.xerox.com/downloads/usa/en/buck/sellsheet/hrc_ss_hipaa_security.pdf

2- Include them in your HIPAA compliance strategy

Every healthcare provider, regardless of size, needs to be compliant. The first step is to make sure you don’t ignore your copiers in compliance planning. The same goes for any networked device with a hard drive that touches patient information: multifunction printers, scanners, and fax machines. Create a checklist that captures best practices for your office equipment, and make it part of your written policies.

3- Restrict access

Physically restricting copiers to a dedicated room is one way to ensure that only authorized users can reach them. At a minimum, restrict access so that only your staff can use the devices. Under HIPAA’s minimum necessary standard, only staff whose roles require it should be able to access documents that contain PHI, so printers and copiers should sit where only those people can get to the output. After the copier is used, documents should never be left unattended at the device. If the copier cannot be kept in a private location (for example, it sits in the receptionist’s cubicle), it should be protected with user authentication.

4- Authentication

Require user credentials at the device: a PIN or password, a swipe card, or even biometrics. Set up audit trails and review them to confirm that only authorized users are accessing the devices. It is also a good idea to set up an automatic log-off after a short idle period, because users do forget to log out. On Xerox equipment you can enable accounting, a free function of the copier that restricts who can print and when they can print.
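An audit trail is only useful if someone reviews it. The following is an added example, not code from the original post or from any copier vendor: it reads a job log and flags jobs by users who are not on the authorized list or that happened outside business hours. The CSV format (timestamp, user, action, page count) is an assumption for the example and is not a real Xerox export format; the log lines, the authorized user list, and the business hours are constructed for illustration, so substitute the export your device actually produces and your own access list.

```python
from datetime import datetime, time

# Constructed sample of a copier job/audit log. The CSV layout
# (timestamp,user,action,pages) is an assumption for this example,
# not a real vendor export format.
SAMPLE_LOG = """\
2023-03-06 09:12:41,jsmith,print,4
2023-03-06 12:47:03,guest,copy,12
2023-03-06 14:05:19,rlee,scan-to-email,3
2023-03-06 22:31:55,jsmith,copy,40
2023-03-07 08:59:10,unknown7,print,2
"""

# Assumption: the accounts you issued credentials to in step 4.
AUTHORIZED_USERS = {"jsmith", "rlee", "mpatel"}

# Assumption: the device should be idle outside these hours.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Turn the CSV export into a list of dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, pages = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "action": action,
            "pages": int(pages),
        })
    return records


def review_log(text, authorized=AUTHORIZED_USERS, hours=BUSINESS_HOURS):
    """Return (timestamp, user, reason) tuples for every job that needs a
    human look: an account that is not on the authorized list (including
    shared or guest accounts, which defeat the audit trail) or activity
    outside business hours."""
    findings = []
    start, end = hours
    for rec in parse_log(text):
        when = rec["ts"].isoformat(sep=" ")
        if rec["user"] not in authorized:
            findings.append((when, rec["user"], "user not on authorized list"))
        if not (start <= rec["ts"].time() <= end):
            findings.append((when, rec["user"], "activity outside business hours"))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Run it against each month’s export and keep the findings with your compliance records; a job by "guest" or an account you never issued is the kind of event the audit trail exists to surface.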

5- Erase onsite

At the end of your copier’s lease, or before you resell or dispose of your copier, have your service partner erase or digitally shred the hard drive, or do it yourself, before the machine leaves your premises. Every time you make a copy or scan a document, an image of it is written to the hard drive. I often recommend removing the hard drive from the machine before you send it back; a drive that never leaves your control cannot be bought by a reporter.

6- Leave no document behind

When printing, scanning, faxing, or copying PHI, staff should remain at the device until the job is finished. Do not leave documents unattended on the devices or in the output tray. Many businesses post signage to that effect as a reminder.

7- Data encryption

Enable data encryption on equipment that has a disk drive; the details vary by manufacturer. Xerox products, for example, offer 128-bit encryption of the stored data. Encryption of PHI at rest (the images on the copier’s drive) is separate from encryption in transit: print jobs, scan-to-email, and the device’s web administration page should use TLS, the successor to SSL, rather than unencrypted connections. As an added measure, periodically overwrite the hard drive, either with the device’s own image overwrite feature or manually. This reduces the chances of unauthorized access should the hard drive fall into the wrong hands.

8- Chatter creates disaster

It is important that nurses, doctors, and office staff do not discuss patient information where others can hear it. Be aware of where you discuss PHI; at a minimum, never do it in front of other patients. Be especially careful of hallway and waiting room conversations.

Conclusion

Complying with HIPAA is hard enough, but staying within the bounds of HIPAA when using your office copier is straightforward. All you need is a simple checklist, and the discipline to ensure that it is followed.

Outsourcing your copier fleet to a managed print services (MPS) partner is one way to help keep your office equipment compliant. A good partner will work with you to reduce your printing and copying costs, and can help ensure your equipment is configured securely as part of your compliance initiatives.
