By:  Alaap Shah

Most health care companies are aware of their central repositories of electronic protected health information (“e-PHI”).  Unfortunately, e-PHI often leaks out of central repositories and exists in a variety of “hidden” places.  This data leakage can create real headaches for health care companies, and can lead to violations of privacy and security laws.

Recently, the Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) enforced against a health plan that failed to erase e-PHI from its photocopiers which were sold to a third party.  The third party discovered the PHI and notified the health plan, who in turn reported the breach to HHS.  The settlement included paying a resolution amount of $1,215,780 as well as a 120-day corrective action period requiring retrieval of photocopier hard drives, conducting a risk analysis of all health plan devices containing e-PHI, and developing a plan to mitigate the identified risks.  Failure of health plan to comply with the corrective action plan could result in further civil monetary penalties.

This enforcement effort by OCR raises a number of issues with regard to data leakage, and now OCR encourages all HIPAA covered entities and their business associates to safeguard sensitive data stored on digital devices.  To assist health care organizations, OCR also posted two guides on its website:

(1)   a National Institute of Standards and Technology guide on cleaning up digital storage media; and

(2)   an FTC guide on safeguarding sensitive data stored on copying machines.

Where Does e-PHI Reside?

For health care providers, e-PHI typically resides in electronic health records and billing systems. For health care insurers, e-PHI typically resides in claims processing databases.  Companies are usually aware of these central repositories of e-PHI and are vigilant to implement security safeguards to protecting the privacy of patient information in those central repositories.  By contrast, few health care companies are fully aware of all the places e-PHI may flow through digital systems.

The type of information that can leak out of central repositories can include sensitive individually identifiable information such as social security numbers, birth certificates, bank records, income tax forms, among others.  As such, these “hidden” e-PHI repositories can be a treasure trove of information for identity thieves.


To fully appreciate the data leakage problem, health care companies must first take stock of all the digital devices used within their organizations.  Here are some common, but disconcerting, places e-PHI may end up:

  • Smartphones
  • Tablets
  • Photocopiers
  • Laptops
  • USB devices
  • CDs and DVDs
  • Digital cameras
  • Email archives
  • Local computer hard drives
  • External hard drives
  • Digital video surveillance recordings
  • Cloud storage solutions
  • Mobile application databases
  • Digital dictation recordings

The list goes on, and will likely increase as technology transforms health care.  Fortunately, technical solutions exist that can help ferret out where this sensitive data resides.  Such solutions should be used to shed light on where e-PHI may be hiding.

Once, an organization recognizes the possible places e-PHI may reside, a risk analysis should be performed to determine the risk associated with those “hidden” repositories.

  • Does your organization have a sufficient “bring your own device” policy in place to ensure e-PHI does not commingle with an employee’s personal applications or accounts?
  • Does your organization monitor data accessed or copied by third party vendors servicing photocopiers?
  • Does your organization adequately sanitize digital devices before reuse or resale?
  • Does your organization prohibit users from syncing digital device contents with personal cloud backup solutions?

These are only a few questions to ask among many others when assessing risks.  Then comes the difficult part; determining “reasonable and appropriate” mitigating controls.

  • Can I employ encryption on the digital devices?
  • Do I need to revise policies and procedures?
  • Do I need to retrain employees on appropriate usage?
  • What other technical, administrative or physical safeguards can I use to manage these risks?

If your organization has not adequately addressing these issues, it is likely e-PHI resides somewhere other than central repositories and it is also likely adequate safeguards are not implemented.  This suggests your organization may not be complying with HIPAA privacy and security rules.  Further, it is only a matter of time until your organization will suffer a breach and all the financial and reputational damage associated with follow-on breach notification, government enforcement and private litigation.

To avoid these pitfalls, organizations should conduct a full and thorough risk analysis around all systems that could potentially contain e-PHI.

Follow me on Twitter: @HealthITLawyers