HIPAA Regulatory Alert

Looking at HIPAA security risks? Check your copier

Hard drives retain protected information

Time to upgrade some of your copiers? Are you planning to sell the old machines to recoup some money to use for new ones? Think twice before placing your "for sale" sign on the copier because you might be selling more than just the machine.

News reports from two different investigative news teams in different cities in the past year showed how easy it was to retrieve protected health information (PHI) from the hard drives in copy machines.

"A lot of copiers, and even fax machines, contain hard drives that store the information you copy or fax," points out Jan Gibson, JD, attorney with Baudino Law Group in Des Moines, IA. "One of the copiers in the news report came from a health insurance group and contained more than 300 medical documents for identifiable patients," she says.

Manufacturers are more aware of the need for privacy and security and have developed software that electronically shreds documents on a copier's hard drive, and there are machines that encrypt information, says Gibson. When a hospital is purchasing new copiers or fax machines that contain hard drives, the purchasing department should make sure they come with encryption and the ability to easily erase the hard drive, she recommends.

What about old machines? "Check with the vendor," suggests Gibson. "There may be a way to delete the data, or you may have to remove and destroy the hard drive," she says. Whichever route you choose, she adds, "don't just put the item up for sale. You might be selling a great deal of PHI without even knowing it."

[For more information about HIPAA privacy and security risks related to technology, contact:

Jan Gibson, JD, Attorney, Baudino Law Group, 2600 Grand Avenue, Suite 300, Des Moines, Iowa 50312. Phone: (515) 282.1010. Fax: (515) 282.1066. E-mail: Gibson@baudino.com.]