Call:  (407) 331-6620 or (850) 439-1001
Toll-free:  (888) 331-6620

It Pays to Know What Your Equipment Knows

Healthcare providers and facilities need to identify which devices may pose a breach risk and implement policies and procedures to protect against a breach of PHI.

By Michael L. Smith, R.R.T., J.D.

(August 28, 2013) – Healthcare providers and facilities need to reassess all the locations where they electronically store Protected Health Information (PHI). The electronic medical record is not the only location that stores PHI. Numerous devices used in the administrative and clinical setting may also store PHI. Devices that store PHI pose a risk of a breach of that information unless adequate safeguards are implemented to protect that PHI. Healthcare providers and facilities need to identify which devices may pose a breach risk and implement policies and procedures to protect against a breach of PHI.

The Department of Health and Human Services Office of Civil Rights (OCR) recently announced a $1,215,780 settlement with Affinity Health Plan, Inc. based upon a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Affinity returned several leased copy machines without erasing the hard drives on those machines. The hard drives on those copy machines retained the PHI of Affinity’s patients. At least one of the machines was acquired by CBS, which found the PHI on the hard drive. Affinity estimated that as many as 344,579 individuals may have had their PHI compromised by the breach. As part of the settlement with OCR, Affinity must attempt to locate the hard drives of the previously leased copy machines and secure or destroy any PHI on those hard drives.

The need for a HIPAA risk assessment was a topic of a previous column. The OCR investigation of Affinity revealed that Affinity’s risk assessment failed to include protected health information stored on copy machine hard drives. No doubt, other healthcare providers and facilities have not considered all the possible devices that may store PHI in addition to the electronic medical record. Other healthcare providers and facilities should carefully examine their own HIPAA risk assessments to determine if they include some of the less obvious places PHI may be stored.

The HIPAA risk assessment requires healthcare providers and facilities to assess both their threats but also their vulnerabilities with regards to PHI. Most healthcare providers and facilities are good at identifying the outside threats and most also identify their computers and the electronic medical record as possible vulnerabilities. Many healthcare providers and facilities may not have identified their office and clinical equipment as possible vulnerabilities in their HIPAA risk assessments.

Healthcare providers and facilities must examine all their office equipment and clinical equipment and determine if any of that equipment stores confidential information. Some fax machines store information so sending protected health information with one of those machines could be a potential cause of a HIPAA breach unless appropriate safeguards are implemented. Smart phones also store information and are regularly used to convey protected health information. Yale University recommends that anyone using a smart phone to send or receive protected health information should also use a remote wipe application to remove the PHI.

Even simple clinical equipment may store or transmit PHI. Every piece of clinical equipment must be examined to determine if it stores protected health information. Healthcare providers and facilities need to have a policy and procedure in place to secure or destroy any protected health information stored on any clinical equipment while the equipment is in use and when the equipment is taken out of service.

Healthcare providers and facilities should reexamine their HIPAA risk assessments to ensure that all possible storage locations for PHI on office and clinical equipment are identified in the risk assessment. Healthcare providers and facilities should also ensure that policies and procedures are in place to protect or destroy that information while the equipment is in use and when the equipment is removed from service.


Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.

This article was originally published in Advance for Respiratory Care and Sleep Medicine.