A fax machine used by a physician at the Grand Rapids, MI-based Spectrum Health System was recently discovered to contain the PHI of around 20 patients. The fax machine was purchased from a resale shop by a local resident, who discovered that documents were still stored in the memory of the machine.
When attempting to print off a fax transmission report, the device started printing documents containing sensitive patient information such as names, addresses, dates of birth, details of dependents, diagnoses, test results, and insurance information.
The incident was brought to the attention of Wood TV’s Target 8 team, which investigated and traced the device to Spectrum Health’s Dr. Wendy Zink.
Spectrum Health was contacted about the breach, and Chief Privacy Officer Leah Voigt confirmed that all electronic equipment containing ePHI is sent to a business associate that ensures the ePHI on the devices is permanently erased in accordance with HIPAA Rules. Spectrum Health holds certification showing that this was done for the device in question, and the vendor also confirmed that the data had been permanently destroyed. The fax machine has since been recovered by Spectrum Health and all copies of PHI have been permanently destroyed. The privacy violation is being viewed as an anomaly.
HIPAA and Electronic Media Containing ePHI
The HIPAA Security Rule – 45 CFR 164.310(d)(1) – requires HIPAA covered entities to implement policies governing the removal of hardware containing electronic protected health information from their facilities, and the movement of those devices within their facilities.
The standard naturally applies to portable storage devices such as zip drives, hard drives, and laptop computers, but it also applies to digital photocopiers, printers, scanners, and faxes. Digital photocopiers, printers, scanners, and faxes often store electronic copies of documents that have been copied or transmitted.
Movement of those devices must therefore be controlled and technical safeguards implemented to prevent any electronic protected health information in stored documents from being viewed by unauthorized individuals.
As well as controlling the movement of those devices and keeping track of them, covered entities must ensure that when the devices are no longer required, any data stored on their hard drives or in their memory is permanently erased.
HIPAA Rules on Disposal of PHI
45 CFR 164.310(d)(2)(i) and (ii) cover the disposal of electronic equipment and require policies and procedures to be developed and implemented that address the final disposition of ePHI and the media on which it is stored. ePHI must be removed from electronic devices before they are re-used, scrapped, or recycled.
Prior to disposing of electronic media, all ePHI on the devices must be rendered unreadable, indecipherable, and incapable of being reconstructed. OCR suggests “clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media.”
If a covered entity is unable to perform these actions, a vendor can be used. That vendor would naturally be a business associate, and a HIPAA-compliant business associate agreement would need to be signed by both parties before any devices are handed over.
The failure to remove ePHI prior to disposal is a violation of HIPAA Rules, and one that could potentially result in an impermissible disclosure of protected health information. It could also lead to a financial penalty for noncompliance with HIPAA Rules.