Sponsored by Canon U.S.A., Inc. “Canon’s extensive scanner product line enables businesses worldwide to capture, store and distribute information.” The ideas below are my own.
A recent HHS OCR HIPAA settlement with a New York area health plan seemed to come out of left field: a CBS News investigative reporting team bought a copier formerly leased by the health plan and found protected health information (PHI) of about 350,000 individuals on the copier's hard drive. This led the health plan to self-disclose the breach, and to agree to a fine north of $1 million and a corrective action plan.
Clearly, HIPAA and related state privacy rules require that a health care entity wipe hard drives of all PHI, or destroy them. The rules require the use of a variety of administrative, technical and physical safeguards to keep personal health data private and secure, and the required risk analysis must cover every place PHI may be stored, including the storage inside office equipment. The health plan in this case fell down on the job; it hadn't even included the copier hard drives in its risk analysis, so the drives were never wiped before the leased machines were returned.
Another takeaway from this case that informs the use of other sorts of office technology, including document scanners, is that health care providers (covered entities in HIPAA-speak) and their business associates must have policies and procedures in place covering three things: the privacy and security of the physical documents containing PHI that are copied or scanned; the integrity of the information once it is copied or scanned; and the integrity of the equipment itself, both to ensure that data isn't left in the machine and to ensure that the scans aren't corrupted or made illegible as they are created.
Canon's top-of-the-line production scanners do not include hard drives or flash drives, but some of their network scanners do have flash memory which is overwritten with each successive scan. The catch, of course, is that the last scan on such a machine remains in memory until it is overwritten or purged, so that step needs to happen before the machine is decommissioned, returned to a lessor, or sent out for service by a covered entity or business associate. Determining the configuration of each scanner (what storage it has, whether it is removable, and what the manufacturer's documented purge procedure is) and planning for the purging, overwriting or destruction of PHI on any scanner memory needs to be part of any risk analysis.
It is easy to focus on the electronic data issues raised by tools such as scanners and copiers, but the truth is that, as noted above, integrating their use into the workflow of a covered entity or business associate requires thoughtful attention to what happens around them.
For example, if the material scanned is PHI (or personal information otherwise protected by other federal or state law), then at a minimum:
It’s a brave new world out there, but the technical and policy tools needed to navigate through it are available; regulated entities just need to remember to use them appropriately.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting