Are Your Printers and Copiers a Source of HIPAA Liability?

Digital copiers and printers can store information, including protected health information (PHI), on their hard drives. Neglecting to wipe equipment hard drives clean at lease end or at time of sale or recycling can expose a health care provider to significant liability under HIPAA.

Recently, the U.S. Department of Health and Human Services (HHS) announced its first HIPAA breach settlement resulting from a digital photocopier. HHS entered into a $1,215,780 settlement with Affinity Health Plan (“Affinity”), a not-for-profit managed care plan, for a potential HIPAA violation. HHS determined that Affinity failed to assess potential security risks and to implement an acceptable digital use policy related to the disposal of PHI maintained on photocopier hard drives.

Affinity returned photocopiers at the end of a lease without wiping the hard drives clean. As part of an investigative story, CBS purchased a copier previously leased by Affinity and uncovered PHI on that machine’s hard drive. A CBS Evening News representative contacted Affinity to inform them that PHI had been disclosed in violation of HIPAA. Affinity filed a breach report with HHS disclosing that it had impermissibly disclosed the PHI of up to 344,579 individuals after returning the leased photocopiers without wiping the hard drives clean.

I recently learned from an IT professional that leased equipment often ends up at an auction and that there are individuals who purchase this equipment in bulk just for the potential of retrieving data from the hard drives. To avoid a HIPAA breach, a health care provider must ensure that all personal information is wiped from a photocopier or printer hard drive before it is recycled, thrown away, or returned to a leasing company. Most leasing companies will wipe the hard drive clean or permit you to keep the hard drive for an additional fee. I recommend that you attempt to negotiate free wiping of the hard drives or the ability to keep the hard drive for no fee at the end of the lease. You should also keep a list of the hard drive serial numbers so that you can confirm destruction and verify that the hard drive has not been replaced during the term of the lease.

For further information or to discuss your printer and/or copier compliance, contact Orly.

  • About the Author

    Orly R. Rumberg

    Orly Rumberg's health care law practice provides essential support to health care providers including physicians, hospitals, pharmacies, health systems, and long-term care clients with respect to corporate and regulatory aspects of health care delivery.

  • Contact Us

    Wood + Lamping LLP

    600 Vine Street Suite 2500
    Cincinnati, OH 45202
    513-852-6000 main
    513-852-6087 fax