HealthBlawg

David Harlow's Health Care Law Blog


Scanners and HIPAA Compliance

August 21, 2013

Sponsored by Canon U.S.A., Inc.  “Canon’s extensive scanner product line enables businesses worldwide to capture, store and distribute information.” The ideas below are my own.

A recent HHS OCR HIPAA settlement with a New York area health plan seemed to come out of left field: A CBS News investigative reporting team bought a copier formerly leased by the health plan and found protected health information (PHI) of about 350,000 individuals on the copier’s hard drive. This led the health plan to file a breach report with OCR, and to agree to a settlement payment north of $1 million and a corrective action plan.

Clearly, HIPAA and related state privacy rules require that a health care entity wipe hard drives of all PHI, or destroy them – the rules require the use of a variety of administrative, technical and physical controls to keep personal health data private and secure. The health plan in this case fell down on the job; it hadn’t even included the copier hard drives in its required risk analysis, so the drives were never on the list of things to purge when the leases ended.

Another takeaway from this case that informs the use of other sorts of office technology – including document scanners – is that health care providers (covered entities in HIPAA-speak) and their business associates must have policies and procedures in place covering three things: the privacy and security of the physical documents containing PHI that are copied or scanned; the integrity of the information once it is copied or scanned; and the integrity of the equipment itself, both to ensure that data isn’t left in the machine and to ensure that the scans aren’t corrupted or made illegible as they are created.

Canon’s top-of-the-line production scanners do not include hard drives or flash drives, but some of their network scanners do have flash memory which is overwritten with each successive scan. The catch, of course, is that the last scan on such a machine stays in memory until something overwrites it, so it must be purged before the machine is decommissioned by a covered entity or business associate. One caveat belongs in the procedure: a single overwrite is not a reliable sanitization method for flash media, because wear leveling can leave earlier copies in blocks that a later write never touches. NIST Special Publication 800-88, the media sanitization guidance HHS points to, treats the vendor’s sanitize or secure-erase function, cryptographic erase, or physical destruction as the methods for purging flash, so the vendor’s documented sanitization procedure, not the next scan, is what the decommissioning checklist should rely on. Determining the configuration of a scanner (what it stores, where, and whether the vendor documents a sanitization procedure) and planning for the purging, overwriting or destruction of PHI on any scanner memory needs to be part of any risk analysis.
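The decommissioning step above is only as good as its verification. The following is an added example, not Canon’s or the author’s code: it audits an image of a scanner or copier’s storage for residual documents before the device leaves the building. It assumes the storage can be imaged to a file (for example with dd from a service interface, or via the vendor’s service tool); the image used here is constructed in memory, with one PDF and one JPEG deliberately left behind, so the script runs offline. The file signatures and the verdict thresholds are assumptions to adjust per device.

```python
"""Audit a scanner/copier storage image for residual PHI before decommissioning.

Added example, not code from the original post or from Canon. It assumes the
device's storage has been imaged to a byte string; the sample image below is
constructed in memory.
"""
import math
import os
from collections import Counter
from dataclasses import dataclass, field

# Signatures of file types a document scanner or copier typically writes.
# Assumed list; extend it with whatever formats the specific device produces.
SIGNATURES = {
    b"%PDF": "PDF",
    b"\xff\xd8\xff": "JPEG",
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
}


@dataclass
class AuditResult:
    size: int
    nonzero_fraction: float          # share of bytes that are not 0x00
    entropy_bits_per_byte: float     # Shannon entropy, 0 for all-zero, ~8 for random
    signatures: list = field(default_factory=list)  # (offset, description), sorted

    @property
    def clean(self) -> bool:
        # Clean means: no recognizable documents and a zero-filled medium.
        return not self.signatures and self.nonzero_fraction < 1e-4


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def audit_image(image: bytes) -> AuditResult:
    """Scan every offset for known file signatures and measure how much data is left."""
    found = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := image.find(magic, start)) >= 0:
            found.append((idx, desc))
            start = idx + 1
    nonzero = (sum(1 for b in image if b) / len(image)) if image else 0.0
    return AuditResult(len(image), nonzero, shannon_entropy(image), sorted(found))


def classify(result: AuditResult) -> str:
    """Turn the measurements into the verdict a decommissioning checklist needs."""
    if result.signatures:
        return "residual documents present"
    if result.nonzero_fraction < 1e-4:
        return "clean (zero-filled)"
    if result.entropy_bits_per_byte > 7.5:
        # Looks encrypted or overwritten with a random pattern; this audit cannot
        # tell which, so the vendor's sanitization procedure must be confirmed.
        return "high entropy: encrypted or random-overwritten, confirm with vendor procedure"
    return "unrecognized non-zero data: inspect manually"


def build_sample_image() -> bytes:
    """Constructed 64 KiB image: zero-filled except for a PDF and a JPEG left behind."""
    img = bytearray(64 * 1024)
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    img[4096:4096 + len(pdf)] = pdf
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    img[20480:20480 + len(jpeg)] = jpeg
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for label, image in [("before purge", SAMPLE_IMAGE),
                         ("after zero overwrite", bytes(len(SAMPLE_IMAGE))),
                         ("random pattern", os.urandom(len(SAMPLE_IMAGE)))]:
        r = audit_image(image)
        print(f"{label}: {classify(r)}; signatures={r.signatures}; "
              f"nonzero={r.nonzero_fraction:.5f}; entropy={r.entropy_bits_per_byte:.2f}")
```

Note what the numbers show for the constructed image: the two leftover files are only 60 non-zero bytes out of 65,536, so a crude "is it mostly zeros?" check would pass them; the signature search is what catches them. The high-entropy branch matters for devices that encrypt storage at rest, where a clean-looking audit proves nothing about whether the key was destroyed.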

It is easy to focus on the electronic data issues raised by tools such as scanners and copiers, but the truth is that, as noted above, integrating their use into the workflow of a covered entity or business associate requires thoughtful attention to what happens around them.

For example, if the material scanned is PHI (or personal information otherwise protected by other federal or state law), then at a minimum:

  • Paper records that are scanned must be stored in a secure manner before and after scanning
  • Scanning accuracy checks must be performed before disposing of original paper records
  • File naming conventions and other data workflow rules must be observed religiously so that the scanned documents end up in the right place and are readily retrievable when needed
  • Paper records must be disposed of in a HIPAA-compliant manner (remember: the HIPAA Omnibus Rule makes clear that shredding contractors are business associates under the law, which means that a covered entity contracting with a shredding service needs to be confident that the service knows its way around HIPAA compliance, and the shredding service needs to understand that it is now directly liable for any breach on its watch under the new rule)
  • The scanned data must be protected using appropriate administrative, technical and physical tools designed to maintain its privacy and security
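The second and third items on that list, accuracy checks and naming conventions, are the ones most often reduced to a signature on a form. The following is an added example, not code from the original post: a scan-batch check that refuses to clear the paper originals for shredding until every scan on the batch sheet exists, follows the naming convention, and has the expected page count, and that records a SHA-256 of each file so later tampering or corruption is detectable. The naming convention, the batch-sheet format and the sample PDFs are all assumptions constructed in memory; a production version would use a real PDF library for the page count.

```python
"""Gate disposal of paper originals on a scanning QA check.

Added example, not code from the original post. The naming convention, batch
sheet and PDF contents below are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass

# Assumed convention: <8-digit record number>_<YYYYMMDD>_<doctype>.pdf
NAME_RE = re.compile(r"^(?P<mrn>\d{8})_(?P<date>\d{8})_(?P<doctype>[a-z]+)\.pdf$")


@dataclass(frozen=True)
class BatchEntry:
    filename: str         # name the scan operator was told to use
    expected_pages: int   # page count written on the batch sheet


def count_pdf_pages(pdf: bytes) -> int:
    """Crude page count: number of /Type /Page objects (excludes the /Pages tree node)."""
    return len(re.findall(rb"/Type\s*/Page\b", pdf))


def check_batch(batch, files):
    """Return (ok, problems, manifest).

    batch: list of BatchEntry; files: dict of filename -> PDF bytes as scanned.
    ok is True only when nothing is missing, misnamed, mis-paged or unexpected;
    manifest maps filename -> sha256 hex for the retention record.
    """
    problems, manifest = [], {}
    for entry in batch:
        if not NAME_RE.match(entry.filename):
            problems.append(f"{entry.filename}: does not follow naming convention")
        data = files.get(entry.filename)
        if data is None:
            problems.append(f"{entry.filename}: scan missing")
            continue
        pages = count_pdf_pages(data)
        if pages != entry.expected_pages:
            problems.append(f"{entry.filename}: expected {entry.expected_pages} pages, found {pages}")
        manifest[entry.filename] = hashlib.sha256(data).hexdigest()
    # A scan that is not on the batch sheet is PHI nobody is tracking.
    for name in sorted(set(files) - {e.filename for e in batch}):
        problems.append(f"{name}: scanned file not on batch sheet")
    return (not problems, problems, manifest)


def fake_pdf(pages: int) -> bytes:
    """Constructed minimal PDF-like file with the given number of page objects."""
    body = b"%%PDF-1.4\n1 0 obj\n<< /Type /Pages /Count %d >>\nendobj\n" % pages
    for i in range(pages):
        body += b"%d 0 obj\n<< /Type /Page /Parent 1 0 R >>\nendobj\n" % (i + 2)
    return body + b"%%EOF\n"


# Constructed batch sheet and scanner output: the second scan lost a page and
# an untracked file crept into the output folder.
BATCH = [
    BatchEntry("00012345_20130821_referral.pdf", 3),
    BatchEntry("00067890_20130821_labs.pdf", 2),
]
BAD_FILES = {
    "00012345_20130821_referral.pdf": fake_pdf(3),
    "00067890_20130821_labs.pdf": fake_pdf(1),
    "misc scan.pdf": fake_pdf(1),
}
GOOD_FILES = {
    "00012345_20130821_referral.pdf": fake_pdf(3),
    "00067890_20130821_labs.pdf": fake_pdf(2),
}

if __name__ == "__main__":
    for label, files in [("bad batch", BAD_FILES), ("good batch", GOOD_FILES)]:
        ok, problems, manifest = check_batch(BATCH, files)
        print(f"{label}: {'CLEAR TO SHRED' if ok else 'HOLD ORIGINALS'}")
        for p in problems:
            print("  -", p)
```

The manifest is the piece to keep: storing the hashes alongside the retention record is what lets a later audit show that the scan on file is the one that was verified before the paper was destroyed.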

It’s a brave new world out there, but the technical and policy tools needed to navigate through it are available; regulated entities just need to remember to use them appropriately.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: EHR, Health care policy, Health Law, HHS, HIPAA, HIT, Privacy, Security



Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.