Recently, the Department of Health and Human Services released an Omnibus HIPAA update. Among the 570+ pages, there was a short, but interesting section about MFPs. From the update:
“RULES THAT PERTAIN TO COPIERS, MFDs, FAXING, PRINTERS with HDs: In response to commenters’ concerns that photocopiers, facsimiles, and other office machines may retain electronic data, potentially storing protected health information when used by covered entities or business associates, we clarify that protected health information stored, whether intentionally or not, in photocopier, facsimile, and other devices is subject to the Privacy and Security Rules.
“Although such devices are not generally relied upon for storage and access to stored information, covered entities and business associates should be aware of the capabilities of these devices to store protected health information and must ensure any protected health information stored on such devices is appropriately protected and secured from inappropriate access, such as by monitoring or restricting physical access to a photocopier or a fax machine that is used for copying or sending protected health information.
“Further, before removal of the device from the covered entity or business associate, such as at the end of the lease term for a photocopier machine, proper safeguards should be followed to remove the electronic protected health information from the media.”
I found it interesting that while MFPs and fax machines are not designed to permanently store information, as a part of their design, some information is retained. With respect to fax, Protected Healthcare Information (PHI) may be incidentally stored in a confirmation page or transmission report. In addition, when MFPs and fax machines come off a lease, the hard drives which store PHI must be scrubbed clean or removed completely.
One way OpenText fax products can help customers achieve HIPAA compliance under the updated rules is to ensure all faxing is done with a fax server or fax appliance. When integrated with an MFP, OpenText fax products control all faxing functionality, so no PHI is stored on the MFP.
Click to learn more about OpenText MFP Integrations.
For a good summary of the new changes to HIPAA, I suggest this blog from Daniel Solove, John Marshall Harlan Research Professor of Law at George Washington University Law School.
