A client called to my attention that a (seemingly) very HIPAA savvy patient she had recently seen refused to allow her to make a copy of his insurance information. His reason was that copiers store the information and he was concerned about our protecting the copier that holds his PHI. Do copiers indeed store PHI in their little brains?
YES! Photocopiers with hard drives DO store copies of each and every image they make. You need to make sure you have a plan in place to destroy the PHI when you get rid of the copier/fax/whatever machine it is. This usually involves destroying the hard drive or at least wiping it clean.
The FTC has a wonderful, free guide on copier data security. See this page:
Usually, with a multifunction copier, the hard drive can be accessed and items printed from the keypad. If it is removed and not encrypted, you can simply slave it to a computer and read the drive images directly. Along with the FTC document, NIST SP800-88 R1 (draft) Table A-4 speaks to copiers. It talks about how to purge, clear or destroy electronic media in equipment, which includes copiers. OCR calls out NIST 800-88 as an approved method for reuse or destruction.
Some copier companies offer encryption, others will destroy the drive and give you a certificate of destruction. You will want to know how they destroy the drives and what protections they have for transport. Of course, you always have the option to destroy them yourself. I recommend you use an NSA-certified destruction vendor. Depending on where you live, there are companies that will come onsite and grind the drive to dust in your parking lot. I had over 1000 drives destroyed in this manner.
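Whichever route you take short of physical destruction, NIST SP 800-88 expects you to verify that a clear or purge actually happened before the drive leaves your custody. The following script is an added example written for this thread, not a tool from NIST, the FTC, or any copier vendor. It assumes you have imaged the copier drive (or can read the block device) into a byte string, then checks that every block (or a random sample of blocks) consists of one repeated fill byte, and, on a full pass, also looks for leftover JPEG/PDF/TIFF headers, since that is how scanned pages are typically stored. The signature list and the sample data are constructed for the example.

```python
"""Verify that a copier drive image has really been cleared.

Hypothetical helper for this thread. It treats the drive as bytes, confirms
every checked block is a single repeated fill byte (the pattern written by
the wipe), and on a full pass reports any recognizable document headers.
"""

import random
from typing import Dict, List, Optional

# Constructed: magic numbers of formats a copier is likely to leave behind.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"%PDF": "PDF",
    b"II*\x00": "TIFF",
    b"MM\x00*": "TIFF",
}


def find_signatures(data: bytes) -> Dict[str, int]:
    """Count occurrences of each known file header anywhere in data."""
    found: Dict[str, int] = {}
    for magic, name in SIGNATURES.items():
        n = data.count(magic)
        if n:
            found[name] = found.get(name, 0) + n
    return found


def verify_clear(image: bytes, block_size: int = 4096,
                 sample_fraction: Optional[float] = None,
                 seed: int = 0) -> dict:
    """Check that the image is uniformly filled with one byte value.

    sample_fraction=None checks every block (full verification);
    a value in (0, 1] checks a seeded random sample of blocks
    (representative sampling). Full verification is the stronger evidence.
    """
    if not image:
        raise ValueError("empty image")
    total = (len(image) + block_size - 1) // block_size
    indices = list(range(total))
    if sample_fraction is not None:
        if not 0 < sample_fraction <= 1:
            raise ValueError("sample_fraction must be in (0, 1]")
        k = max(1, int(total * sample_fraction))
        indices = sorted(random.Random(seed).sample(indices, k))

    fill = image[0]  # the wipe pattern byte; every byte must match it
    dirty: List[int] = []
    for i in indices:
        block = image[i * block_size:(i + 1) * block_size]
        if block.count(fill) != len(block):
            dirty.append(i)

    return {
        "total_blocks": total,
        "checked_blocks": len(indices),
        "dirty_blocks": dirty,
        "signatures": find_signatures(image) if sample_fraction is None else {},
        "clean": not dirty,
    }


def verify_file(path: str, **kwargs) -> dict:
    """Convenience wrapper: read an image file (or block device) and verify it."""
    with open(path, "rb") as fh:
        return verify_clear(fh.read(), **kwargs)


if __name__ == "__main__":
    # Constructed sample: a zero-filled 'drive' with one scanned page left over.
    drive = bytearray(4096 * 8)
    drive[4096 * 3:4096 * 3 + 11] = b"\xff\xd8\xff" + b"residual"
    print(verify_clear(bytes(drive)))
```

Run it against `dd` output from the removed drive, or point `verify_file` at the block device itself; any entry in `dirty_blocks` or `signatures` means the wipe did not reach the whole drive and the device is not ready for reuse or return to a lessor.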