Who would have thought that copiers had hard drives and were storing your PHI? That's what a news investigator found and what most organizations are ignoring. We take for granted all the copiers being used at our business offices, making copies of EOBs, patient charts, and credit card information. We lock down our computers, encrypt our hard drives, and firewall our network. The piece that we are missing is a better understanding of what is going on inside the typical copier.
Apparently the newer copiers will keep the document in RAM and purge it after a power cycle. But if you’re using the copier as a print server, then the document gets cached on the hard drive. But wait; don’t run to your copier with a sledgehammer yet! The problem I ran into when trying to verify the technology behind some of these very broad claims was that each machine uses different technologies, software, and security methods. Even within the same vendor, machines can have different methods of storage depending on the model and use.
So right now the best approach is to check with your vendor to find out how your particular make/model is handling document storage. What is the capacity, and is it encrypted? Most importantly, review your lease agreement and make sure there is a clause that guarantees the destruction of any data once the copier is exchanged for a newer model. But is this an IT function, a HIPAA Privacy area, or an individual department head's responsibility?