Digital copiers and printers can store information, including protected health information (PHI), on their hard drives. The failure to wipe the hard drives clean at the expiration of a lease or upon selling or recycling the equipment can expose a health care provider to significant liability under HIPAA. Recently, the US Department of Health and Human Services (HHS) announced its first HIPAA breach settlement resulting from a digital photocopier. HHS entered into a $1,215,780 settlement with Affinity Health Plan (“Affinity”), a not-for-profit managed care plan, for a potential HIPAA violation. HHS determined that Affinity failed to assess potential security risks and to implement an acceptable digital use policy related to the disposal of PHI maintained on photocopier hard drives.
Affinity returned photocopiers at the end of a lease without wiping the hard drives clean. As part of an investigative story, CBS purchased a copier previously leased by Affinity and uncovered PHI on the machine’s hard drive. A CBS Evening News representative contacted Affinity to inform it that PHI had been disclosed in violation of HIPAA. Affinity filed a breach report with HHS disclosing that it had impermissibly disclosed the PHI of up to 344,579 individuals after returning the leased photocopiers without wiping the hard drives clean.
An IT professional recently informed me that leased equipment often ends up at an auction and that there are individuals who purchase this equipment in bulk just for a chance of pulling useful data off the hard drives. A health care provider should make sure that all personal information is wiped from a photocopier or printer hard drive before it is recycled, thrown away or returned to a leasing company. Most leasing companies will wipe the hard drive clean or permit you to keep the hard drive for an additional fee. I recommend that you attempt to negotiate free wiping of the hard drives or the ability to keep the hard drive for no fee at the end of the lease. In addition, you should keep a list of the hard drive serial numbers so that you can confirm destruction and verify that the hard drive has not been replaced during the term of the lease.