By:  Alaap Shah

Most health care companies are aware of their central repositories of electronic protected health information (“e-PHI”).  Unfortunately, e-PHI often leaks out of central repositories and exists in a variety of “hidden” places.  This data leakage can create real headaches for health care companies, and can lead to violations of privacy and security laws.

Recently, the Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) took enforcement action against a health plan that failed to erase e-PHI from its photocopiers, which were sold to a third party.  The third party discovered the PHI and notified the health plan, which in turn reported the breach to HHS.  The settlement included paying a resolution amount of $1,215,780 as well as a 120-day corrective action period requiring retrieval of photocopier hard drives, conducting a risk analysis of all health plan devices containing e-PHI, and developing a plan to mitigate the identified risks.  Failure of the health plan to comply with the corrective action plan could result in further civil monetary penalties.

This enforcement effort by OCR raises a number of issues with regard to data leakage, and now OCR encourages all HIPAA covered entities and their business associates to safeguard sensitive data stored on digital devices.  To assist health care organizations, OCR also posted two guides on its website:

(1)   a National Institute of Standards and Technology guide on cleaning up digital storage media; and

(2)   an FTC guide on safeguarding sensitive data stored on copying machines.

Where Does e-PHI Reside?

For health care providers, e-PHI typically resides in electronic health records and billing systems. For health care insurers, e-PHI typically resides in claims processing databases.  Companies are usually aware of these central repositories of e-PHI and are vigilant about implementing security safeguards to protect the privacy of patient information in those central repositories.  By contrast, few health care companies are fully aware of all the places e-PHI may flow through digital systems.

The information that can leak out of central repositories can include sensitive individually identifiable information such as social security numbers, birth certificates, bank records and income tax forms, among others.  As such, these “hidden” e-PHI repositories can be a treasure trove of information for identity thieves.


To fully appreciate the data leakage problem, health care companies must first take stock of all the digital devices used within their organizations.  Here are some common, but disconcerting, places e-PHI may end up:

  • Smartphones
  • Tablets
  • Photocopiers
  • Laptops
  • USB devices
  • CDs and DVDs
  • Digital cameras
  • Email archives
  • Local computer hard drives
  • External hard drives
  • Digital video surveillance recordings
  • Cloud storage solutions
  • Mobile application databases
  • Digital dictation recordings

The list goes on, and will likely increase as technology transforms health care.  Fortunately, technical solutions exist that can help ferret out where this sensitive data resides.  Such solutions should be used to shed light on where e-PHI may be hiding.

Once an organization recognizes the possible places e-PHI may reside, a risk analysis should be performed to determine the risk associated with those “hidden” repositories.

  • Does your organization have a sufficient “bring your own device” policy in place to ensure e-PHI does not commingle with an employee’s personal applications or accounts?
  • Does your organization monitor data accessed or copied by third party vendors servicing photocopiers?
  • Does your organization adequately sanitize digital devices before reuse or resale?
  • Does your organization prohibit users from syncing digital device contents with personal cloud backup solutions?

These are only a few of the many questions to ask when assessing risks.  Then comes the difficult part: determining “reasonable and appropriate” mitigating controls.

  • Can I employ encryption on the digital devices?
  • Do I need to revise policies and procedures?
  • Do I need to retrain employees on appropriate usage?
  • What other technical, administrative or physical safeguards can I use to manage these risks?

If your organization has not adequately addressed these issues, it is likely e-PHI resides somewhere other than central repositories and it is also likely adequate safeguards are not implemented.  This suggests your organization may not be complying with HIPAA privacy and security rules.  Further, it is only a matter of time until your organization will suffer a breach and all the financial and reputational damage associated with follow-on breach notification, government enforcement and private litigation.

To avoid these pitfalls, organizations should conduct a full and thorough risk analysis around all systems that could potentially contain e-PHI.

Follow me on Twitter: @HealthITLawyers
