[ Tuesday, March 02, 2004 ]
How MFDs can get you in trouble:
If you haven't gotten a new copier lately, you probably don't know how the standard Xerox machine has changed. New machines (called "multi-function devices," or MFDs) don't just make photographic copies by illuminating the image and transferring it by heat-bound toner onto another piece of paper; instead, they scan the image and store it as a digital image, then reprint the digital image on another piece of paper. Once the image has been scanned, it may be held in magnetic storage in the copier, on a hard drive not unlike the one in your computer. Many MFDs will let you e-mail an image you copied; many are also linked into computer networks and also serve as printers. So when you make a copy of a medical chart on the copier, you might just be making an electronic record of that chart that you didn't even know existed. It just might turn out that the MFD is the WMD of HIPAA.
According to Vince Janelli of Sharp Electronics, there are a number of things you can do to prevent the inadvertent disclosure of PHI from copying or scanning information on MFDs. Use PINs to make sure you know who is printing off of the MFD; secure the MFD's network interface; make sure you have physical security measures in place around your MFDs (and make sure people take their copies with them after they've made them); don't let maintenance vendors have access to the MFD's hard drive unless it is wiped clean or destroyed; if the MFD sends or receives data over a network, make sure it is secure (and make sure anyone who prints to the MFD remotely has discipline in recovering printed copies); make sure your vendors have sufficient privacy and security policies in place, and put them under BAAs if necessary; and make sure the MFD has software on it that "shreds" the digital images after printing and doesn't keep them on the hard drive.
Some MFDs allow you to put some other operating system on them to run them. Make sure you understand how they work and what they can do. If you lease your MFDs, make sure there is some way to wipe out the images on the hard drive before giving the machine back. And if you haven't heard this already, "delete" doesn't mean it's gone for good. If the image of PHI has been encoded on the hard drive of the MFD, it must be electronically "shredded" and the drive must be "wiped clean" to make sure the image is not only "deleted" but actually destroyed.
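The point that "delete" is not the same as "shredded" or "wiped" is easy to see with a small simulation. The following is an added example written for this page, not code from the original post, from Sharp, or from any copier vendor; it assumes a deliberately simplified flat-layout drive (one byte array plus a directory of job offsets) rather than any real MFD file system. Deleting a scan job only drops its directory entry, so a raw search of the "drive" still finds the patient data; overwriting the job's bytes (shredding) or zeroing the whole drive (wiping, as before returning a leased machine) actually destroys it.

```python
"""Simulated MFD hard drive: why "delete" is not the same as "shred" or "wipe".

Added example (not from the original post). It models a copier's storage as a
flat byte array with a directory that maps job names to (offset, length) slices,
the way a very simple file system does. A plain delete only forgets the
directory entry; the scanned bytes stay on the "drive" until something
overwrites them, which is exactly what a drive-recovery tool relies on.
"""
import os


class SimulatedMfdDrive:
    """A tiny flat-layout disk: a bytearray plus a directory of job slices (hypothetical model)."""

    def __init__(self, size: int = 4096) -> None:
        self.raw = bytearray(size)  # the "platter": everything ever written stays here
        self.directory: dict[str, tuple[int, int]] = {}  # job name -> (offset, length)
        self._next_free = 0

    def store_job(self, name: str, image: bytes) -> None:
        """Simulate a scan/copy job being written to the drive."""
        start = self._next_free
        end = start + len(image)
        if end > len(self.raw):
            raise ValueError("drive full")
        self.raw[start:end] = image
        self.directory[name] = (start, len(image))
        self._next_free = end

    def delete_job(self, name: str) -> None:
        """What a plain 'delete' does: forget the directory entry, leave the bytes intact."""
        del self.directory[name]

    def shred_job(self, name: str, passes: int = 3) -> None:
        """Overwrite the job's bytes before dropping the entry, so the image is destroyed."""
        start, length = self.directory[name]
        for _ in range(passes):
            self.raw[start:start + length] = os.urandom(length)
        self.raw[start:start + length] = bytes(length)  # final zero pass
        del self.directory[name]

    def wipe(self) -> None:
        """Whole-drive wipe, e.g. before handing a leased machine back to the vendor."""
        self.raw[:] = bytes(len(self.raw))
        self.directory.clear()
        self._next_free = 0

    def carve(self, marker: bytes) -> list[int]:
        """Forensic-style raw search: every offset where `marker` still appears,
        ignoring the directory entirely (what a recovery tool effectively does)."""
        hits, pos = [], self.raw.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = self.raw.find(marker, pos + 1)
        return hits


# Constructed sample scan content; the patient line is made up for the demo.
PHI_MARKER = b"PATIENT: J. DOE  DX: (constructed sample)"


def demo() -> dict[str, int]:
    """Return how many copies of the PHI marker a raw search finds after each action."""
    drive = SimulatedMfdDrive()
    drive.store_job("chart_copy_1", b"PDFHDR" + PHI_MARKER + b"...page 1...")
    drive.store_job("chart_copy_2", b"PDFHDR" + PHI_MARKER + b"...page 2...")
    results = {"after_scan": len(drive.carve(PHI_MARKER))}  # 2 copies on disk
    drive.delete_job("chart_copy_1")
    results["after_delete"] = len(drive.carve(PHI_MARKER))  # still 2: bytes untouched
    drive.shred_job("chart_copy_2")
    results["after_shred"] = len(drive.carve(PHI_MARKER))  # 1: only the merely "deleted" copy remains
    drive.wipe()
    results["after_wipe"] = len(drive.carve(PHI_MARKER))  # 0: nothing left to recover
    return results


if __name__ == "__main__":
    for step, count in demo().items():
        print(f"{step:12s} PHI copies recoverable: {count}")
```

The `carve` method is the part to notice: it never consults the directory, so whatever "delete" did to the listing is irrelevant to what a vendor technician or a buyer of a used machine could pull off the drive. Only the overwrite in `shred_job` or `wipe` changes what `carve` finds.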
Hat tip to Hospital Compliance Wire's e-mail service for this tip.
Jeff [5:38 PM]