Copy Machines Present HIPAA Privacy Risk

Posted on Health Care Law News by author

Medical practitioners and their business associates should be aware of the HIPAA privacy and security liability posed by their digital copying equipment. An investigative report by CBS News found that nearly every digital copier built since 2002 contains a hard drive that stores an image of every document the machine copies, scans, prints or faxes. To show how easily that data can be retrieved, CBS followed an information security consultant as he bought four used copiers. Using readily available software, the consultant downloaded the document images stored on all four machines. One of the copiers contained medical records from an insurance company, including a cancer diagnosis, blood test results and prescriptions.

To guide businesses, the Federal Trade Commission's Bureau of Consumer Protection Business Center offers a publication, "Copier Data Security: A Guide for Businesses," which recommends that businesses evaluate the options for securing the data on a copier at the time they acquire it. The publication identifies two typical approaches: data encryption and overwriting.

Depending on the copier, the overwrite feature may run after every job or on a preset schedule that periodically clears the stored images. Users may also be able to set the number of overwrite passes; the FTC notes that the more times data is overwritten, the harder it is to recover. Providers should understand that overwriting is different from deleting or reformatting. Deleting a file or reformatting the hard drive does not alter or remove the stored data; it only changes the index the drive uses to locate the pieces of a file and reassemble them. The data itself remains on the disk and can be recovered with widely available software.
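The distinction between deleting and overwriting is easy to see in a small model. The Python below is an added illustration written for this post, not code from the FTC guide or the CBS report: it simulates a copier hard drive as a flat array of blocks plus a directory that maps file names to block numbers, stores a constructed (fictitious) scanned record, and then shows that a "delete" and a "quick format" leave the record recoverable by scanning the raw media, while the overwrite option removes it. The file names, block layout and sample record are all assumptions made for the example.

```python
"""Toy model of a copier hard drive: a flat array of blocks plus a directory
that maps file names to block numbers. Constructed to show why deleting or
reformatting leaves document images recoverable while overwriting does not.
Not taken from the FTC guide or the CBS report; all names and data are made up."""
import os
import re

BLOCK_SIZE = 64
NUM_BLOCKS = 16

# Constructed sample "scanned document"; fictitious, no real patient data.
SAMPLE_SCAN = (b"PATIENT: J. Doe\n"
               b"DIAGNOSIS: cancer\n"
               b"LAB: glucose 112 mg/dL\n"
               b"RX: tamoxifen 20 mg\n")


class ToyDisk:
    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)   # the platter
        self.directory = {}                               # name -> [block numbers]

    def _free_blocks(self):
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(NUM_BLOCKS) if i not in used]

    def write_file(self, name, data):
        """Store data in the lowest free blocks and record them in the directory."""
        free = self._free_blocks()
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            idx = free.pop(0)
            start = idx * BLOCK_SIZE
            self.media[start:start + len(chunk)] = chunk
            blocks.append(idx)
        self.directory[name] = blocks

    def delete(self, name):
        """Ordinary delete: only the directory entry goes; every byte stays on the media."""
        del self.directory[name]

    def quick_format(self):
        """Quick reformat: a fresh, empty directory; the media is not touched."""
        self.directory = {}

    def overwrite_free_space(self, passes=1):
        """Image-overwrite feature: write over every block the directory no longer
        references. Earlier passes write random bytes, the last pass writes zeros.
        In this byte-array model a single pass already defeats recovery; the
        multi-pass option on real copiers exists because physical media is not
        a byte array."""
        for idx in self._free_blocks():
            start = idx * BLOCK_SIZE
            for p in range(passes):
                fill = bytes(BLOCK_SIZE) if p == passes - 1 else os.urandom(BLOCK_SIZE)
                self.media[start:start + BLOCK_SIZE] = fill


def carve(disk, pattern=rb"DIAGNOSIS: [^\n]*"):
    """What recovery software does: ignore the directory and scan the raw media."""
    return [m.group().decode() for m in re.finditer(pattern, bytes(disk.media))]


def demo():
    """Run the scenario and report what a raw-media scan recovers at each stage."""
    disk = ToyDisk()
    disk.write_file("joblog.txt", b"job 0001 copy 2 pages\n")
    disk.write_file("scan_0001.img", SAMPLE_SCAN)
    results = {"before": carve(disk)}
    disk.delete("scan_0001.img")
    results["after_delete"] = carve(disk)      # still recoverable
    disk.quick_format()
    results["after_format"] = carve(disk)      # still recoverable
    disk.overwrite_free_space(passes=3)
    results["after_overwrite"] = carve(disk)   # gone
    return results


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage:16s} {found or 'nothing recovered'}")
```

Running the script shows the diagnosis line recovered after the delete and after the format, and nothing recovered after the overwrite. The same logic is why recovery tools succeed against a copier whose drive was merely "cleared" through its menu, and why the FTC guide treats overwriting (or encryption) as the real control.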

It is important for providers and their business associates to plan ahead for how they will dispose of the data that accumulates on their copiers. This may mean checking the lease or purchase agreement to see who keeps the hard drive at the end of the lease, and arranging for the data to be destroyed before the copier is returned to the leasing company, sold or otherwise disposed of.

Nicholson & Eastin, LLP is available to assist health care providers with any HIPAA security questions they may have.