Gearing Up for HIPAA Compliance Audits in IT, Part 5: Printer Log Management

Cleaning PHI from your copier and printer hard drivesI know one of the biggest concerns that HIPAA-Covered Entities may have right now – aside from the HIPAA audit itself – is how to ensure that PHI (protected health information) isn’t stolen or stored in a manner that doesn’t comply with the law.

As I continue my series on how to prepare for a HIPAA audit, I’ve invited John Sedlak, our manager of network and managed print services, to explain what you can do to protect PHI that may exist in the logs on your copiers and printers.

There are two ways to handle multi-function printer logs: proactively and reactively. Obviously, being proactive is always better, but sometimes you just need to know how to implement a fix after the fact, especially if an audit is in the works.

The proactive approach to handling electronic PHI:

If you’re going to purchase a new printer or copier, ask for a data security overwrite kit. Some dealers will automatically include this and others offer it as an option.

The overwrite kit “writes zeroes.” What that means is, each time you scan, print, copy or fax information, the application will scrub the hard drive (temp files), replacing that document’s associated binary code (ones and zeroes) with all zeroes, effectively erasing the document from the system’s memory.

If an auditor is looking at this feature (and you can be pretty sure they will), you’ll need to show them proof of purchase, along with a print-out of your system’s configuration page that shows how the overwrite kit works.

The reactive approach to handling electronic PHI:

If your multi-function printer does not have an overwrite kit, you are leaving yourself somewhat vulnerable. Although it’s not easy to steal the information from the copier’s hard drive (crooks need special forensic software to interpret the data), you still want to make sure sensitive information is protected and/or truly deleted. In fact, you’ll probably need to prove this, which requires “hard drive sanitization.”

When you’re ready to get rid of a printer or copier, take it to a facility (hopefully, your dealer provides this service) where they follow strict guidelines for “scrubbing” hard drives properly. Then, be sure you get a letter or certificate of sanitization from the facility that clearly documents this. When the auditor asks, you can show them this proof.

If your office is located in Northeast Ohio (Canton, Akron, Youngstown and beyond) or Western Pennsylvania and would like to learn more about the data overwrite kits and hard drive sanitization services we offer, contact us for more information.