To comply with HIPAA, you must ensure PHI confidentiality, integrity, and availability. This means that the data is only available and alterable by authorized persons or processes.
Every modern office has a copier, and if it's a doctor's office, it must be HIPAA compliant. While multifunction copiers can be HIPAA compliant, none of them are compliant out of the box.
There are a few unscrupulous dealers that will say that their copiers are HIPAA compliant out of the box, hoping to capitalize on doctors and hospitals that want to get compliant as fast as possible by making a simple purchase.
HIPAA is not defined by technology, but by the policies and procedures that secures a patient's protected health information (PHI). To comply with HIPAA, you must ensure PHI confidentiality, integrity, and availability. This means that the data is only available and alterable by authorized persons or processes.
Here are a few tips to ensure HIPAA PHI compliance.
- Ensure copier hard drive security. If your copier hard drive is not properly secured, you could be leaving yourself open to a $1 million dollar penalty, like Affinity Health Plan had to pay after a CBS expose. This is something that needs to be taken seriously. For more detail on how to secure your copier's hard drive, click here to read "Securing Digital Copiers to Protect Patient Privacy."
- Include copiers in your HIPAA compliance strategy. Any and all equipment that handles PHI, from copiers to computers, needs to be included in your HIPAA processes. Prepare a list of all digital devices that access PHI prior to devising your confidentiality practices.
- Restrict access. At a minimum, only authorized staff should have permissions to devices that access PHI. When possible, secure as many of these devices into a single locked room that only authorized staff can access.
- Add authentication prompts to all devices that can access PHI. Add an extra layer of security by ensuring only authorized staff can use devices that can access PHI. Not only does this prevent non-authorized staff from accessing PHI, it also allows for access requests to be monitored and audited to ensure that authorized staff only views the PHI they need for patient care. Examples of authentication prompts include passwords, swipe cards, and biometrics.
- The buck stops here. Ensure that all methods of copying or removing information from a device are disabled. This includes disabling CD drives and USB ports. Also beware of the possibility of authorized staff emailing sensitive information to non-authorized individuals.
- Erase data onsite. When it's time to upgrade your equipment, digitally shred your equipments' hard drives onsite. If you need help with this process, contact your service provider.
- Leave no document behind. When printing, scanning, faxing, and/or copying PHI, all staff should remain at the device until finished – don't leave documents unattended on the devices.
- Encrypt data. Data encryption can be an intimidating thing for the non-tech savvy, but it is absolutely vital that you enable data encryption on any equipment that has a disk drive. If you are confused about what this means and if you have done this, consult with your IT department or service provider.
- The walls have ears. This isn't about your tech, but your staff. In the heat of the moment, staff might be tempted to talk about a patient in unsecured areas. This can leave you open to a HIPAA violation. Always be aware of where you are and avoid having conversations in public spaces.
If you execute these simple steps, you will be on your way to becoming HIPAA compliant. But if you think you lack the resources to meet all these standards, outsourcing the management of your copiers and technology might be for you. The right partner can also minimize your printing and copying costs as well as keep your equipment secure.