Follow this 8-step plan to HIPAA-proof your copy machine. Just think ... with each copy you make of a document, you could be falling deeper and deeper into a HIPAA hidden trap. If you're using a digital office copier in your work place, each copy you make could add up to thousands of confidential health records inside the machine's memory. The basics: Many modern copiers are networked digital multi-taskers, capable of printing, copying, scanning, faxing, etc. To achieve this productivity, these multi-functional devices (MFDs) are equipped with memory and/or a hard drive, similar to your PC, says Vince Janelli, senior manager of solutions marketing for Sharp Electronics. Warning: As a result of the vast amount of data that can be stored inside these copiers, information lingers long after a copying or printing job is completed. "When these devices move from one department to another - or they're either returned when their lease expires or sent offsite for repair or upgrade -- confidential information moves with [them]," notes Janelli. Take action: These steps will help you safeguard your patients' protected health information: 1. Implement a feature that requires users to stand at the copier and enter a PIN code to allow confidential documents to print. 2. Restrict access to the device by securing the copier's network interface. 3. Install on your digital printer an option designed to digitally "shred" information after every copy, print, scan or fax job. 4. In general, implement physical security commensurate with that for other e-PHI storing or transmitting systems. 5. Strictly observe media controls, and don't let vendors with maintenance contracts remove the disks. They should be wiped clean by internal personnel prior to release to vendors. 6. If the device moves scanned, copied or faxed data to a network share for later retrieval by the end-user, or if end-users directly connect to the MFD to retrieve data, ensure that the data is securely transmitted and stored. 7. Validate vendors' security claims. "We've found that the marketing specs commonly are not correct in terms of security. Some vendors just haven't given security a second thought," notes Fred Langston, senior principal consultant with Guardent in Seattle. 8. Assess the operating system patching and maintenance procedure for the device.