Recently, the Department of Health and Human Services released a pre-publication version of the final Omnibus HIPAA rule (the Final Rule). Within the nearly 600-page rule is a short section about multifunction printers (MFPs). From the update:
“RULES THAT PERTAIN TO COPIERS, MFDs, FAXING, PRINTERS with HDs: In response to commenters’ concerns that photocopiers, facsimiles, and other office machines may retain electronic data, potentially storing protected health information when used by covered entities or business associates, we clarify that protected health information stored, whether intentionally or not, in photocopier, facsimile, and other devices is subject to the Privacy and Security Rules.
“Although such devices are not generally relied upon for storage and access to stored information, covered entities and business associates should be aware of the capabilities of these devices to store protected health information and must ensure any protected health information stored on such devices is appropriately protected and secured from inappropriate access, such as by monitoring or restricting physical access to a photocopier or a fax machine that is used for copying or sending protected health information.
“Further, before removal of the device from the covered entity or business associate, such as at the end of the lease term for a photocopier machine, proper safeguards should be followed to remove the electronic protected health information from the media.”
Although fax machines and MFPs are not made to permanently store information, some information is retained by design (to support transmission). For fax, Protected Health Information (PHI) may be stored incidentally in a confirmation page or transmission report. When a device is being discarded, coming off lease or sold, make sure its hard drives are either removed or wiped clean, removing all PHI along with the liability that comes with it.
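A wipe is only done when it has been verified. The following script is an added example, not part of the original post and not a RightFax or HHS tool; it reads a drive image block by block and reports any block that still holds non-zero data, which is the check a practitioner would run on an MFP or fax-server drive before it leaves the building. It assumes the drive was zero-filled (the scan does not judge other sanitization methods), and it builds two constructed sample images in a temporary directory, one fully zeroed and one with a fake transmission report left behind, rather than touching a real device. Against a real drive you would pass the raw device path instead of the sample image and need the privileges to read it.

```python
import os
import tempfile

# Block size used both for scanning and for placing the constructed sample data.
BLOCK_SIZE = 4096


def scan_for_residual_data(path, block_size=BLOCK_SIZE):
    """Read a block device or disk image sequentially and return a list of
    (offset, length) tuples for every block that still contains non-zero bytes.
    An empty list means every readable byte is zero, i.e. a zero-fill wipe completed.
    """
    residual = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(block_size)
            if not chunk:
                break
            # count(0) equals the chunk length only when every byte is zero
            if chunk.count(0) != len(chunk):
                residual.append((offset, len(chunk)))
            offset += len(chunk)
    return residual


def is_wiped(path, block_size=BLOCK_SIZE):
    """True if no block on the device or image holds any non-zero data."""
    return not scan_for_residual_data(path, block_size)


def build_sample_image(path, size_bytes=64 * 1024, plant_report=False):
    """Write a constructed disk image (not a real MFP drive): all zeros, optionally
    with a fake fax transmission report left in block 5 to simulate an incomplete wipe.
    """
    data = bytearray(size_bytes)
    if plant_report:
        # Constructed sample content; contains no real PHI.
        report = b"TRANSMISSION REPORT  To: 555-0100  Pages: 3  Result: OK\n"
        start = 5 * BLOCK_SIZE
        data[start:start + len(report)] = report
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Build one wiped and one incompletely wiped sample image and scan both."""
    workdir = tempfile.mkdtemp()
    clean = build_sample_image(os.path.join(workdir, "clean.img"))
    dirty = build_sample_image(os.path.join(workdir, "dirty.img"), plant_report=True)
    result = {
        "clean_is_wiped": is_wiped(clean),
        "dirty_is_wiped": is_wiped(dirty),
        "dirty_residual": scan_for_residual_data(dirty),
    }
    for p in (clean, dirty):
        os.remove(p)
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the planted image the scan flags the single 4 KiB block at offset 20480 where the report was written, so the drive would be sent back for another pass. A sequential read only covers the addressable area: spare or remapped sectors on SSDs are not visible to it, which is one reason NIST SP 800-88 treats verification as part of sanitization rather than a substitute for choosing the right method, and why physically removing the drive remains the simplest option for leased equipment.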
RightFax faxing is done through a fax server; when it is integrated with an MFP, RightFax controls all faxing functionality, so no PHI is stored on the MFP.