Ensuring that your office printer is HIPAA compliant isn’t only important for the security of your patients; it’s also the law. The Department of Health and Human Services requires all print technology to be secured and maintained according to the standards outlined in the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. Print technology is defined as printers, copiers, multifunction printers, fax machines, and all other devices with similar functions.
Cyberattacks dominate the headlines, but office printing can be just as vulnerable. The HIPAA Security Rule requires the “[implementation of] physical safeguards for all workstations that access ePHI to restrict access to authorized users.” Workstations are defined as computing devices (such as laptops, portable electronic devices, desktop computers, and devices that perform similar functions) and the electronic media stored in their immediate environment.
A print fleet can pose a series of serious threats to PHI (Protected Health Information) if standards are not followed correctly. For instance, the Affinity Health Plan incident in 2010 resulted in the breach of 33,000 records. The breach happened after Affinity failed to destroy confidential information on rented copiers before returning them to their dealer. This incident cost Affinity $1.2 million in fines from the Department of Health and Human Services.
As you can see, practicing HIPAA compliant printing is nothing to joke about. Failing to adhere to the security laws can land a medical practice in serious trouble. However, complying with HIPAA regulations can be hard in an ever-changing tech environment.
Lucky for you, we have some advice for areas and practices to consider when making your medical office printer and similar technology HIPAA compliant*:
Secure Printer Access and Printing Workflows
By law, only certain authorized staff should have the ability to access documents that contain PHI. In order to do so, printers and other devices should be in a location where only authorized people can access PHI. After the equipment is used for printing, copying, scanning, or faxing, the documents should never be left unattended on the devices. If the machine can’t be kept in a private location, such as a printer in a receptionist cubicle, the machine should be locked with a password.
Another potential solution for maintaining HIPAA compliance is to keep your paper trays locked. If you leave documents in the open with the paper trays unlocked, it increases the chance of documents inside being stolen, lost, or tampered with. With the digital evolution of the healthcare industry, devices like printers and multifunction printers are developing more of a presence in offices and clinics. While it’s great to have conveniently placed printers in patient rooms and hallways, this increases the chance of PHI being accessed by unauthorized individuals, like patients and bystanders. Locking the trays can eliminate this issue entirely. Staff should also make sure to discuss patient details only in secured areas to avoid a potential HIPAA violation should bystanders overhear. Be aware of where you are and avoid sensitive conversations in public areas.
Pull printing is another tactic employees should be trained in. With pull printing, staff print to a single consolidated virtual queue, and a job is released only after the user presents an access card or enters login credentials at the device. This practice ensures that the documents you are printing are only accessible to authorized staff members.
Clean the Hard Drive
Printers and devices with similar capabilities usually have a hard drive that stores images of documents after they’ve been printed. If you’re planning to lease your device, ask your technology dealer about their policy for hard drive security. Typically, providers who work with healthcare organizations have a select line of printers, copiers, and other devices that meet HIPAA security standards and a policy on wiping hard drives. Do not return your printer or multifunction device to your dealer without first erasing or destroying the data contained on the hard drive.
Add Authentication Measures
All workstations should be protected by a password or another form of authentication to prevent unauthorized access. Authorized users should have a unique keycard, PIN, or password that they must use in order to access and operate the equipment. An automatic log-off feature is an additional safety feature to consider. Make sure that there are monitoring and audit capabilities in place to confirm that only the right authorized individuals are able to access the devices. It is also imperative to train staff on HIPAA compliance regulations. Training sessions, policy notices, and memos are all good ways to ensure your staff is mindful of their printing habits and in compliance.
Encrypt Software and Data
PHI data stored on MFPs, copiers, scanners, and fax machines needs to be encrypted in order to maintain a HIPAA compliant environment, and connections to those devices should use Secure Sockets Layer (SSL) encryption (or its successor, TLS). The network used to transmit data also must be secured through data encryption. As an added security measure, periodically overwrite the hard drive to reduce the chances of unauthorized access should the hard drive fall into the wrong person’s hands.
Track and Manage Documents
Any and all equipment that handles PHI, from copiers to computers, should be included in HIPAA maintenance measures. Create a list of devices that access PHI before putting your confidentiality practices into effect. Documents should be tracked from sender to recipient when copied, faxed or printed and never left unattended.
To help you with the process of creating a HIPAA compliant environment, we’ve created this free downloadable checklist. This list is not exhaustive, nor does it guarantee HIPAA compliance. It serves to provide factors to consider as you implement HIPAA compliant standards within your medical practice.
Failing to protect PHI can land your medical office in serious trouble with fines of up to millions of dollars or open your practice to legal liability. We can help you create a HIPAA compliant print fleet and continue to manage it going forward. Are you ready to help your medical practice advance? Reach out to us today by giving us a call at 850-222-2308.
*This article is for informational purposes only. It does not serve to provide explicit or implicit guarantees that your office printer or any similar technology is meeting HIPAA compliant standards. With the wide range of varying technology and operations from practice to practice, it is not possible to create or present an all-encompassing statement guaranteeing your compliance.