Gearing Up for HIPAA Compliance Audits in IT, Part 4: Technical Controls
It’s almost the end of April. By now, all HIPAA-Covered Entities should at least be toying with the idea of starting a security risk analysis (required by law) in preparation for a compliance audit. Eventually, the U.S. Department of Health & Human Services and its Office for Civil Rights (OCR) will get to you.
In my ongoing blog series about this complex topic, I am focusing a good bit on the responsibilities of Business Associates as defined by HIPAA and HITECH because that is our biggest area of concern at Graphic Enterprises. Our office equipment – including many different models of Konica Minolta printers and copiers, as well as associated electronic document management systems – is hard at work in many health care offices throughout Ohio and Pennsylvania; documents containing PHI (protected health information) are scanned, printed, faxed and emailed every day. And I expect to hear from those offices in the coming months, asking us to provide detailed information about how our office equipment meets the requirements of the Security Rule.
Whether you currently use a multi-function printer or copier – or are in the process of looking for a new one – as a HIPAA-covered entity you should work closely with your vendor or dealer to make sure your equipment has these critical security features:
- Access control, either device-based or network-based. This ensures that only the people who should be looking at PHI will have access to PHI in electronic or paper format.
- Automatic logoff, which ensures that every user is logged off soon after using the printer, minimizing accidental or intentional viewing of PHI.
- Authentication via login at the operation panel or with a smartcard, HID card or biometrics.
- Emergency access to data for situations where systems crash or PHI has been breached.
- Audit logging, so you can follow the trail of all PHI that has passed through the printer.
- Encryption to minimize PHI breaches.
- Integrity, so that you can be certain that PHI and other information is complete, accurate, valid, etc.
In some cases, your office equipment may already have these features built in, so all you have to do is make sure they are all “turned on” and functioning properly. If your copier or printer does not provide these safeguards, it’s time to look for a new model. Medical offices in Canton, North Canton, Akron, Youngstown and beyond are welcome to contact us for help with office equipment security features.