The Health Insurance Portability and Accessibility Act (HIPAA) is a requirement set forth by the US Department of Health and Human Services. The Act defines printers, faxes, copiers, multifunction printers or any other electronic devices that print or store data as “workstations.” Workstations, as defined by HIPAA, are required to be secured and maintained in accordance with HIPAA requirements. Printers can present some of the biggest threats to medical facilities ranging from doctors’ offices, dentists, pharmacies, even chiropractors. Making sure that your printers and copiers are HIPAA-compliant is a law, and violations are subject to fines of up to $1.5 million. In today’s fast-moving high tech environment, printers are prime targets for security breaches. Cyberattacks are becoming more prevalent, and extra effort is required to keep printers and their networks safe. A Hewlett-Packard study found that 90 percent of enterprises have experienced a security breach related to printers.

What makes a printer HIPAA compliant?

Several companies manufacture HIPAA-compliant printers, but in most cases they don’t meet all of the requirements with factory default settings. Small desktop printers on a worker’s desk are basically compliant because they don’t store data after it’s printed and is secured and set up to be used by a limited number of people. Printers such as these don’t have a hard drive like the larger freestanding or multifunctional printers (MFP). Multifunctional printers, like computers, have a hard drive that stores images of the documents they print, so they require special settings, handling, and maintenance.

  1. For an MFP to be approved for hipaa compliant printing, it must be in a secure location not easily accessible to anyone not authorized to use it.
  2. Printers that have hard drives require special security maintenance. Because the hard drive stores printed data, it must be wiped clean periodically. Also, it’s imperative that the drive is cleaned before you dispose of it.
  3. Printers must have a feature that allows someone to send a document to print, yet remain in a queue. It will print out only after the authorized person keys in a code or PIN. This prevents printed documents from sitting unattended in an output tray.
  4. Printers should ideally have an automatic log-off feature after someone enters a PIN and completes the print job.
  5. All personal health information (PHI) is required to be encrypted using SSL encryption protocol, and the network handling the data must also be secured.
  6. Documents should be monitored and tracked from the time they’re sent to the printer until they’re retrieved.

All of these protocols should be part of an overall PHI protection protocol compliant with HIPAA regulations, but they’re not effective unless personnel are trained on their proper use and understand the overall facility information security plan. Often, employees are the weakest link in the security chain, so they must be trained on how printed personal data relates to HIPAA. Although the MFPs have features that help comply with HIPAA, the individuals using the printer must be trained on its use and settings. They’re also responsible for staying current on all updates to the HIPAA guidelines that affect all electronic devices.

Which printers?

Most major MFP manufacturers offer models that are HIPAA-compliant or have the capability of being HIPAA-compliant once they’re set up and configured properly. Manufacturers such as Xerox and Hewlett-Packard, and possibly others, market MFPs that are specifically developed for use in medical environments. However, manufacturers such as Brother, Ricoh, Minolta, Hughes, and Epson all have models that can be set up to be secure and safeguard PHI.