Remember that CBS Evening News report back in 2010 that got everyone panicked about patient data that might be stored on the hard drives of copy machines and other multipurpose machines like combination printer/fax/copy machines?
Well, it turns out there is good reason that any health-related practice that uses such a machine (one that has a hard drive) should panic; in fact there are 1,215,780 such reasons. That is the amount Affinity Health Plan was fined by OCR this month for the potential breach of PHI that was reported in this incident.
I know, this could never happen to you. But are you sure of that? Does your organization own or lease a copy machine? Do you have one or multiple printers that are also copy and fax machines as well as a scanner? What is your organization’s policy for the hard drives in those machines? What about the hard drive in that computer you are using to read this? What is your policy for removing any PHI that might be on it?
If you do not know the answers to these questions, you may not have been properly trained in your organization’s HIPAA policies and procedures. Or you may not even have such policies and procedures. Or the practice you work for did all this before you were hired and you have never been informed. These excuses do not fly when it comes to OCR enforcement.
The Federal Trade Commission (FTC) has guidance on handling copier data. NIST, the National Institute of Standards and Technology, has recommendations on how to sanitize electronic media. And Medscape, among others, offers lots of training on HIPAA security. (You might need to register for Medscape before you can access their materials.)
When was your organization’s last HIPAA training? What did you learn? Please share how you address these issues.