
It Pays to Know What Your Equipment Knows

Healthcare providers and facilities need to identify which devices may pose a breach risk and implement policies and procedures to protect against a breach of PHI.

By Michael L. Smith, R.R.T., J.D.

(August 28, 2013) – Healthcare providers and facilities need to reassess all the locations where they electronically store Protected Health Information (PHI). The electronic medical record is not the only location that stores PHI. Numerous devices used in the administrative and clinical setting may also store PHI. Devices that store PHI pose a risk of a breach of that information unless adequate safeguards are implemented to protect that PHI. Healthcare providers and facilities need to identify which devices may pose a breach risk and implement policies and procedures to protect against a breach of PHI.

The Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $1,215,780 settlement with Affinity Health Plan, Inc. based upon a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Affinity returned several leased copy machines without erasing the hard drives on those machines. The hard drives on those copy machines retained the PHI of Affinity’s patients. At least one of the machines was acquired by CBS, which found the PHI on the hard drive. Affinity estimated that as many as 344,579 individuals may have had their PHI compromised by the breach. As part of the settlement with OCR, Affinity must attempt to locate the hard drives of the previously leased copy machines and secure or destroy any PHI on those hard drives.

The need for a HIPAA risk assessment was a topic of a previous column. The OCR investigation of Affinity revealed that Affinity’s risk assessment failed to include protected health information stored on copy machine hard drives. No doubt, other healthcare providers and facilities have not considered all the possible devices that may store PHI in addition to the electronic medical record. Other healthcare providers and facilities should carefully examine their own HIPAA risk assessments to determine if they include some of the less obvious places PHI may be stored.

The HIPAA risk assessment requires healthcare providers and facilities to assess not only their threats but also their vulnerabilities with regard to PHI. Most healthcare providers and facilities are good at identifying outside threats, and most also identify their computers and the electronic medical record as possible vulnerabilities. Many healthcare providers and facilities, however, may not have identified their office and clinical equipment as possible vulnerabilities in their HIPAA risk assessments.

Healthcare providers and facilities must examine all their office equipment and clinical equipment and determine if any of that equipment stores confidential information. Some fax machines store information, so sending protected health information with one of those machines could be a potential cause of a HIPAA breach unless appropriate safeguards are implemented. Smart phones also store information and are regularly used to convey protected health information. Yale University recommends that anyone using a smart phone to send or receive protected health information should also use a remote wipe application to remove the PHI.

Even simple clinical equipment may store or transmit PHI. Every piece of clinical equipment must be examined to determine if it stores protected health information. Healthcare providers and facilities need to have a policy and procedure in place to secure or destroy any protected health information stored on any clinical equipment while the equipment is in use and when the equipment is taken out of service.

Healthcare providers and facilities should reexamine their HIPAA risk assessments to ensure that all possible storage locations for PHI on office and clinical equipment are identified in the risk assessment. Healthcare providers and facilities should also ensure that policies and procedures are in place to protect or destroy that information while the equipment is in use and when the equipment is removed from service.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.

This article was originally published in Advance for Respiratory Care and Sleep Medicine.