Copiers, especially newer ones, often have memories. Nancy Lorey, C.P.C., applications specialist with Bloomington’s HealthLINC, advised that copiers are not the mindless devices you might have assumed they were.
That’s why copiers are a lurking HIPAA security risk. They often have an internal memory that can be hacked after disposal, presenting privacy violation concerns.
“Enterprise-level copiers, fax machines and multi-function printers often have hard drives for spooling print jobs,” said Lorey. “It is common procedure to keep the hard drive when disposing of a computer. You can disassemble them and shred the media, or use a large magnet to scramble the data.”
Scott Richards, project manager, Technology Assessment with Purdue Healthcare Advisors, concurred. “Whenever you dispose of a copier, it is important to make sure the internal drive is destroyed. If you rent one, you need to make sure the company properly disposes of it.” Richards prefers drilling three holes in the drive upon disposal.
Encrypted protected health information (PHI) is not subject to HIPAA regulations, Lorey noted. However, most printers do not come with that level of encryption, and those that do are very expensive.
Devices and memory
Smaller devices have memory boards to do spooling, so they’re not a problem. “If you can lose your print job by unplugging the machine, then you have memory-board spooling,” Lorey said. Memory boards are not able to keep data without power.
Newer inexpensive machines may use flash memory, like a thumb/flash drive. Because flash memory retains data without power, these machines present the same concerns as very expensive copiers.
Finally, note that portable computers and other portable devices containing PHI must be encrypted, according to current HIPAA regulations for Stage 2 Meaningful Use.