A fax machine used by a doctor at the Grand Rapids, MI-based Spectrum Health System was recently found to contain the PHI of almost 20 patients. The fax machine was bought from a resale shop by a local resident, who found that documents were still stored in the machine's memory.
When the buyer tried to print a fax transmission report, the device began printing documents holding sensitive patient information, including names, addresses, dates of birth, details of dependents, diagnoses, test results, and insurance data.
The incident was reported to Wood TV's Target 8 team, which looked into it and traced the fax machine to Spectrum Health's Dr. Wendy Zink.
Spectrum Health was contacted about the violation, and Chief Privacy Officer Leah Voigt confirmed that all electronic equipment storing ePHI is sent to a business associate that ensures the ePHI on the devices is permanently destroyed in accordance with HIPAA Rules. Spectrum Health holds certification showing that this was done, and the vendor has also confirmed that the data was permanently erased. The fax machine has since been recovered by Spectrum Health and all copies of PHI on it have been permanently erased. The privacy breach is being treated as an anomaly.
The HIPAA Security Rule – 45 CFR 164.310(d)(1) – requires HIPAA covered organizations to implement policies governing the removal of hardware containing electronic protected health information from their offices, and the transfer of those devices within their facilities.
The standard applies to portable storage devices including zip drives, hard drives, and laptop computers, but it also applies to digital photocopiers, printers, scanners, and faxes. Digital photocopiers, printers, scanners, and faxes normally store electronic copies of documents that have been copied or sent.
Movement of those devices must always be controlled and technical safeguards put in place to stop any electronic protected health information in saved documents from being viewed by unauthorized people.
As well as controlling the movement of those devices and keeping a record of them, covered organizations must ensure that when the devices are no longer needed, any data stored on hard drives or in memory is permanently destroyed.
45 CFR 164.310(d)(2)(i) and (ii) cover the disposal of electronic equipment and require policies and procedures to be formulated and adopted to address the final disposition of ePHI and the media on which it is stored. ePHI must be erased from electronic devices before they are re-used, scrapped, or recycled.
Before disposing of electronic media, all ePHI on the devices must be made unreadable, indecipherable, and incapable of being reconstructed. OCR's guidance recommends “clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media.”
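The clearing step above is only meaningful if it is followed by a read-back verification, which is what the vendor's certification in the Spectrum Health case is meant to attest. The following added example (not from the article or from Spectrum Health) shows clear-and-verify on a file standing in for a device's memory image: it plants a constructed sample record, overwrites the whole image with a random pass and then a zero pass, and then reads every byte back to confirm nothing but the final pattern remains. The file path, record contents and image size are all constructed assumptions.

```python
import os, secrets, tempfile

SAMPLE_PHI = b"PATIENT: Jane Doe; DOB: 1970-01-01; DX: example"  # constructed stand-in record

def write_media_image(path: str, size: int) -> None:
    """Create a stand-in 'device memory' image with an ePHI record inside it."""
    data = bytearray(secrets.token_bytes(size))
    data[100:100 + len(SAMPLE_PHI)] = SAMPLE_PHI
    with open(path, "wb") as f:
        f.write(data)

def clear_media(path: str, chunk: int = 1 << 16) -> int:
    """Clear by overwriting: a random pass, then a zero pass. Returns bytes written."""
    size = os.path.getsize(path)
    written = 0
    for pattern in (None, b"\x00"):
        with open(path, "r+b") as f:
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # make sure the pass reached the medium, not just the cache
    return written

def verify_cleared(path: str, chunk: int = 1 << 16) -> bool:
    """Read the whole image back and confirm every byte is the final zero pattern."""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if block.count(0) != len(block):
                return False
    return True

def contains_record(path: str, record: bytes) -> bool:
    """Residue check: does the record still appear verbatim anywhere in the image?"""
    with open(path, "rb") as f:
        return record in f.read()

def demo(size: int = 4096) -> dict:
    """End to end on a temp file: plant the record, clear, verify, remove the file."""
    path = os.path.join(tempfile.mkdtemp(), "fax_memory.img")  # constructed path
    write_media_image(path, size)
    result = {"before": contains_record(path, SAMPLE_PHI), "verified_before": verify_cleared(path),
              "written": clear_media(path), "verified": verify_cleared(path),
              "after": contains_record(path, SAMPLE_PHI)}
    os.remove(path)
    return result
```

Overwriting only works where the firmware exposes the whole medium for writing; flash-based device memory with wear levelling can keep remapped copies out of reach, which is why purging or physical destruction through the manufacturer or a business associate is the route for devices like fax machines.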
If a covered organization is unable to complete these actions itself, a vendor can be used. That vendor would be considered a business associate, and a HIPAA-compliant business associate agreement would need to be signed by both parties before any devices are handed over.
The failure to erase ePHI before disposal is a breach of HIPAA Rules, and one that could possibly lead to an impermissible disclosure of protected health data. It could also result in a financial penalty for noncompliance with HIPAA Rules.