Can My Copier Make Our Office HIPAA Compliant?

When you work in the medical industry and are searching for a new business technology solution, there is often one thing at the forefront of your mind: HIPAA.

And since we are a company from the imaging and managed services industries that often services medical offices, we find a question comes up in conversations: “Can my copier make our office HIPAA compliant?”

HIPAA AND YOUR COPIER

HIPAA applies to any health care provider who transmits health information in electronic form. The Department of Health and Human Services requires that all medical practices maintain full HIPAA security standards for copiers and printers. That said, can a copier itself make your office HIPAA compliant? The short answer is: no.

Compliance is a matter of the procedures and policies your office develops for handling patient-identifying information. When creating your compliance strategy, remember to include all copiers and printers, both networked and non-networked.

Printers and copiers are computers and can present a catastrophic security risk. Any device connected to a network can transmit protected data and can be hacked and exploited in various ways.

Let’s look at some ways you can minimize risk and improve your compliance strategy:

Set Limits

Limit the personnel allowed to transmit data from your Multi-Function Devices, and consider restricting access to networked machines by putting them in a dedicated room. By limiting the number of users who can transmit data and access the networked devices, you substantially lower your risk of a breach.

Also, make sure to limit the ability to email outside of your organization, so that no sensitive identifying patient information can be sent to non-authorized personnel. 

Digital Security

There are many ways you can either digitize a physical process, or add additional layers of user authentication and security to your daily operations to increase your security, and reduce the risk of a HIPAA violation.

Consider replacing your stand-alone fax with a system that allows users to send and receive faxes directly from their desktops.  These systems have audit trails for all incoming and outgoing transmissions, as well as the ability to save copies — meaning no more lost faxes. 

Add authentication to all MFPs in your office. Authentication requires each user to log in by password, biometric authentication, or RFID card, which allows for auditing of employees' copy, print, and scan usage.

Use the Private Print setting on your networked devices. This allows print jobs to be released only when you are physically at the copier and keeps documents off the output tray, where they can be easily accessed by anyone.

Encrypt data on all devices that have either standard or optional hard drives. Generally, data written to hard disk drives is not completely erased when it is deleted, and data recovery software can recover that deleted data. HDD encryption is vital to keeping your information secure. Check to see if your MFP comes standard with this extra layer of security or if you can add the optional HDD encryption kit based on manufacturer specifications.

USB ports should be disabled on your devices. While USB is great when it comes to printing and scanning, it poses a threat by allowing scanned documents to leave your facility. USB ports can also be used as an access point for viruses.

Update and Manage Your Copiers, Printers, and Multi-Function Printers

Update your firmware regularly. MFPs run on an embedded operating system, which can make them targets of the same malware threats as any other computer in your office. Firmware should be routinely updated by your technician, but it is a good practice to confirm that your machine is running the latest version. If your MFP is on the older end, it may no longer be supported by the manufacturer — leaving you vulnerable to a breach.

Lastly, when it is time to return your MFP to the leasing company, require written proof from your provider that the hard drive has been reformatted and all data has been wiped.  If you own your machine, remove the hard drive and have it destroyed by a certified destruction company.

A COPIER CANNOT MAKE YOU HIPAA COMPLIANT, BUT IT CAN HELP

If you manage how your multi-function printer is operated, and utilize a high level of security when handling patient identifying information, you are most likely HIPAA compliant already. If you have questions about how to implement any of the tips listed above, reach out to your representative.

There are always new security services and capabilities on the market — just as there are new security threats. Even if you know your medical office is HIPAA compliant, it is a good idea to reach out to your representative and ask if there is anything else your business could do to ensure HIPAA compliance.

Beth Johnson
Beth Johnson is a Business Improvement Specialist for Cobb Technologies, and has worked in the printing and imaging industry for 24 years, all of which have been with Cobb. When Beth isn't looking for ways to optimize performance and bottom line savings for customers, either in dollars, or one employee at a time, she can be found hiking, gardening, traveling, and spending time with her family and three dogs.