Every modern office has a copier, and if it’s a doctor’s office, it must comply with HIPAA regulations. While multifunction copiers can be HIPAA compliant, none of them are from the factory.
A few unscrupulous vendors will claim that their copiers are HIPAA compliant right out of the box, aiming to take advantage of doctors and hospitals that want to become compliant as soon as possible by making a straightforward purchase.
HIPAA compliance is defined by the policies and procedures that secure a patient’s protected health information (PHI), not by technology. To comply with HIPAA you must assure the confidentiality, integrity, and availability of PHI. This means that the data is accessible and changeable only by authorised individuals or processes.
Here are some pointers to follow to ensure HIPAA PHI compliance.
1) Secure the copier’s hard drive. If your copier hard drive is not adequately secured, you could face a $1 million penalty, as Affinity Health Plan did after a CBS report exposed the problem. This is a major matter that must be addressed.
2) Make copiers a part of your HIPAA compliance strategy. From copiers to laptops, all equipment that handles PHI must be included in your HIPAA protocols. Before developing your confidentiality policies, make a list of all digital devices that have access to PHI.
3) Limit access. Only authorised personnel should have access to devices that access PHI. When possible, consolidate as many of these devices as possible into a single locked room that only authorised personnel can access.
4) Implement authentication prompts on all devices that have access to PHI. Increase security by ensuring that only authorised personnel can use devices that can access PHI. This not only prevents unauthorised personnel from viewing PHI, but it also allows access requests to be monitored and audited to verify that authorised personnel only view the PHI required for patient care. Passwords, swipe cards, and biometrics are all examples of authentication prompts.
5) Shut off every data exit. Make sure that all means of copying or removing data from a device are turned off. This includes disabling CD drives and USB ports. Be wary of authorised personnel emailing sensitive information to non-approved individuals.
6) Delete data on-site. When it’s time to upgrade your equipment, securely wipe your hard drives on-site before the equipment leaves your premises. Contact your service provider if you require assistance with this process.
7) Do not leave any documents behind. When printing, scanning, faxing, or copying PHI, all workers should remain at the equipment until the job is completed; do not leave papers on the devices unattended.
8) Encrypt your data. Data encryption can be daunting to non-technologists, but it is critical that you enable data encryption on any equipment with a disk drive. If you are unsure what this entails, or whether it has already been done, contact your IT department or service provider.
9) The walls have ears. This isn’t about your technology, but about your team. In the heat of the moment, staff may be tempted to discuss a patient in insecure places, and this may expose you to a HIPAA violation. Always be mindful of your surroundings and avoid discussing patients in public areas.
If you follow these basic procedures, you will be well on your way to HIPAA compliance. However, if you believe you lack the resources to satisfy all of these criteria, outsourcing the administration of your copiers and technology may be a good option for you. The appropriate partner can also help you save money on printing and copying while also keeping your equipment secure.