Hidden hard drives in ordinary office and clinical equipment, if not carefully managed, can create patient privacy violations that may subject providers and their business associates to fines and penalties. Digital copiers, fax machines, scanners and multifunction printer/copier/scanner devices built since 2002 contain hard drives much like those in a computer. These hard drives automatically store images of all of the documents copied, scanned or faxed by a provider. Additionally, in some cases, the activity of one of these machines linked to an unsecured network may be downloaded easily from the Internet. As a result, stored images on the hard drives of office and clinical equipment can create significant privacy compliance concerns for the healthcare industry. For example, Affinity Health Plan recently notified the media and more than 400,000 employees, providers and members that their personal information may have been breached as a result of information contained on a copier hard drive returned to an equipment lessor. An investigative reporter at a CBS station also recently found medical records on an old copier hard drive that a recycler was dismantling in the San Francisco area.
The information contained on the hard drives and other media buried in office and clinical equipment poses security and privacy risks under HIPAA, state medical privacy laws and state computer data security laws. The HIPAA Privacy Rule, as well as other state and federal laws, requires providers to protect an individual's personal health and identity information from unauthorized disclosure and access. These laws also require that providers institute safeguards to preclude the disclosure of this information without proper authorization.
The HIPAA Security Rule requires providers to implement policies and procedures to control the receipt and removal of hardware and electronic media that contain electronic protected health information from a facility, and to control the movement of these items within the facility. It also necessitates that policies and procedures be implemented to address the final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored.
Should a breach of unsecured protected health information occur, the HITECH Act regulations, in most cases, require a covered entity to notify the affected individuals and the Secretary of the U.S. Department of Health and Human Services (HHS) following the discovery of a breach. If more than 500 residents of a state are affected, the news media also must be notified. To assist in preparing digital media for final disposition, the HHS Office for Civil Rights (OCR) has issued guidance specifying which technologies and methodologies OCR deems appropriate for rendering protected health information unusable, unreadable or indecipherable. Consequently, care must be taken to assure data privacy when office and clinical equipment are removed from a provider's facility, either for servicing or final disposition. With regard to leased office machines not within the provider's control, staff must be notified and trained not to copy sensitive information on such equipment unless adequate precautions are taken to assure that sensitive information is not retained on the hard drive. Similarly, agreements entered into by providers with service companies and equipment lessors need to assure that such vendors will train their representatives on the provider's privacy obligations and will take precautions to avoid a privacy breach.