Easy Access to PHI-Who Knew! | Pete Rivera | Healthcare Blogs

Easy Access to PHI-Who Knew!

May 26, 2010

Who would have thought that copiers had hard drives and were storing your PHI? That's what a news investigator found and what most organizations are ignoring. We take for granted all the copiers being used at our business offices, making copies of EOBs, patient charts, and credit card information. We lock down our computers, encrypt our hard drives, and firewall our network. The piece that we are missing is a better understanding of what is going on inside the typical copier.

Apparently the newer copiers will keep the document in RAM and purge it after a power cycle. But if you’re using the copier as a print server, then it gets cached on the hard drive. But wait; don’t run to your copier with a sledgehammer yet! The problem I ran into when trying to verify the technology behind some of these very broad claims was that each machine uses different technologies, software, and security methods. Even within the same vendor, the method of storage can differ depending on the model and use.

So right now the best approach is to check with your vendor to find out how your particular make/model is handling document storage. What is the capacity and is it encrypted? Most importantly, review your lease agreement and make sure there is a clause that guarantees the destruction of any data once the copier is exchanged for a newer model. But, is this an IT function, HIPAA Privacy area, or individual department head responsibility?



Pete, Great post.

I'm coming to further appreciate the observations shared here:

Privacy is an illusion (Ellison)
You have zero privacy, Get Over It (McNealy)

Unintended and persistent PHI trails go beyond the copier of course. Many people do not act as though they understand that, for example, email has "all of the privacy of a postcard and all of the persistence of styrofoam."

Unlike styrofoam postcards, email, storage networks and embedded device storage like your copier (and cell phones, digital cameras, surveillance systems, etc.) are not only searchable, people will search them, if only looking for other unrelated things.

As Google has established with scanning books, and Apple has established with integrated face-recognition, searching by content is readily available and proactively done for us, for free and prior to our request, without our asking. The technological implications for privacy make airtight compliance a predicament.