Imagine that your healthcare organization received a bill for $1,215,780 for a single photocopier.
"How could this be?" you would likely ask yourself. Did the staff copy onto sheets of pure gold leaf instead of paper? Did the copier roll through a floor-to-ceiling window 10 floors up and land on a McLaren Senna race car (MSRP: $956k) parked in the lot below? What could one healthcare organization have done with a photocopier that cost them so much money? As it turns out, it was what a healthcare organization didn't do: wipe the hard drive at the end of their equipment lease. According to a 2013 report by Healthcare IT News, said healthcare organization settled with the U.S. Department of Health to the tune of $1,215,780 after CBS Evening News obtained one of the organization's formerly leased photocopiers. The news outfit discovered the (not-so) protected health information (PHI) of around 344,579 individuals on the copier's hard drive. This discovery was a very clear-cut violation of the Health Information Technology for Economic and Clinical Health (HITECH) Act. $1,215,780, and that doesn't even include court costs. (Or toner, but I digress.)
What is the "HITECH" Act?
Included in the American Recovery and Reinvestment Act (ARRA) of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was originally designed as a stimulus plan to motivate healthcare providers to use electronic health record (EHR) systems. Financial incentives were granted to healthcare organizations that agreed to move to an electronic record-keeping system. The act also extended HIPAA requirements for protected health information (PHI), including penalties for healthcare entities displaying "willful neglect" of its requirements.
What is meant by "willful neglect"?
"Willful neglect" under the HITECH Act is still mainly decided on a case-by-case basis, but the term can be used to describe healthcare organizations that have not:
- Educated themselves on the HITECH Act
- Remained up-to-date on HITECH Act requirements
- Performed risk assessments to gauge their PHI breach vulnerability
- Appointed required data security and privacy officers
- Properly trained staff members on HIPAA and HITECH protocols to prevent the misuse of PHI
These are just a handful of the circumstances that constitute "willful neglect," and for most of them fines start at around $50,000 per violation.
Leasing Company vs. Local Vendor vs. Healthcare Organization Responsibility
At this point, you may be wondering, "Isn't the security of this device the responsibility of my leasing company or local service provider? Shouldn't they adequately wipe the hard drive upon return?"
"Not so fast."
Though business associates working with your healthcare organization may face penalties for mishandling discovered data or failing to report such breaches, this doesn't mean you're off the hook. A leasing company's or vendor's device protocols, features, and settings may help facilitate your healthcare organization's compliance with HIPAA rules, but the responsibility for the data ultimately falls on your organization.
Diligence Over Dismay
If you're shaking in your scrubs over the thought of getting sued for a breached copier hard drive, you can calm down a bit: you're likely not a vendor's first healthcare-related client. Also, most modern copier or multifunction device (MFD) manufacturers build default hard drive wiping protocols into their models that meet, and often exceed, the standards of the United States Department of Defense. That said, your organization needs to remain up-to-date on the most recent HITECH Act and HIPAA rules and decide which steps to establish with your devices and your vendor. Some organizations find that they are content with the default hard drive overwriting protocols. Others may prefer to receive the physical hard drive before returning the equipment to the leasing company. Most leasing companies will respect your organization's security preferences.