Scanners and HIPAA Compliance

Sponsored by Canon U.S.A., Inc.  “Canon’s extensive scanner product line enables businesses worldwide to capture, store and distribute information.” The ideas below are my own.

A recent HHS OCR HIPAA settlement with a New York area health plan seemed to come out of left field: A CBS news investigative reporting team bought a copier formerly leased by the health plan and found protected health information (PHI) of about 350,000 individuals on the copier’s hard drive. This led the health plan to self-disclose to the OIG, and to agree to a fine north of $1 million and a correction plan.

Clearly, HIPAA and related state privacy rules require that a health care entity wipe hard drives of all PHI, or destroy them – the rules require the use of a variety of administrative, technical and physical controls to keep personal health data private and secure. The health plan in this case fell down on the job; it hadn’t even included the copier hard drives in its required self-analysis of risks and vulnerabilities.

Another takeaway from this case that informs the use of other sorts of office technology – including document scanners – is that health care providers (covered entities in HIPAA-speak) and their business associates must have policies and procedures in place to maintain the privacy and security of the physical documents containing PHI that are copied or scanned, the integrity of the information once it is copied or scanned, and the integrity of the equipment itself – both to ensure that data isn’t left in the machine, and to ensure that the scans aren’t corrupted or made illegible as they are created.

Canon’s top-of-the-line production scanners do not include hard drives or flash drives, but some of their network scanners do have flash memory which is overwritten with each successive scan. The secret, of course, is that the last scan on such a machine needs to be overwritten before such a machine can be decommissioned by a covered entity or business associate. Determining the configuration of a scanner and planning for the purging, overwriting or destruction of PHI on any scanner memory needs to be part of any risk analysis.

It is easy to focus on the electronic data issues raised by tools such as scanners and copiers, but the truth is that, as noted above, integrating their use into the workflow of a covered entity or business associate requires thoughtful attention to what happens around it.

For example, if the material scanned is PHI (or personal information otherwise protected by other federal or state law), then at a minimum:

• Paper records that are scanned must be stored in a secure manner before and after scanning
• Scanning accuracy checks must be performed before disposing of original paper records
• File naming conventions and other data workflow rules must be observed religiously so that the scanned documents end up in the right place and are readily retrievable when needed
• Paper records must be disposed of in a HIPAA-compliant manner (remember: the HIPAA Omnibus Rule makes clear that shredding contractors are business associates under the law, which means that a covered entity contracting with a shredding service needs to be confident that the service knows its way around HIPAA compliance, and the shredding service needs to understand that it now has primary liability for any breach on its watch under the new rule)
• The scanned data must be protected using appropriate administrative, technical and physical tools designed to maintain its privacy and security

It’s a brave new world out there, but the technical and policy tools needed to navigate through it are available; regulated entities just need to remember to use them appropriately.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting