Know the Law: Remove Protected Health Information

January 6, 2014

Published in the Union Leader

Q. My company’s clients are health care providers and is considered a “business associate” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). What do I need to do to make sure our leased photocopiers do not retain protected health information when our lease expires?

A: You are right to be mindful of your obligation to make sure your clients’ information is not inadvertently left on this leased equipment. Recently, Affinity Health Plan, Inc. settled violations of the HIPAA Privacy and Security Rules with the U.S. Department of Health and Human Services for $1,215,780 because it did not erase protected health information (“PHI”) contained on the hard drives of photocopiers before returning them. Investigations revealed that this failure resulted in the improper disclosure of 344,579 individuals’ PHI. Furthermore, Affinity had not included the electronic PHI stored on the photocopiers’ hard drives in its risk analysis, and failed to implement policies and procedures to follow when returning the photocopiers to leasing agents. Making this an even more embarrassing event for Affinity was the fact that it learned of the improper disclosure from a representative at CBS Evening News, who, as part of an investigatory report, had purchased a photocopier previously leased by Affinity.

It is perhaps easy to overlook that photocopiers and other digital office equipment, such as scanners and fax machines, can retain electronic PHI since so much focus is given to protecting information on laptops and smartphones. Affinity’s settlement should serve as a warning to covered entities and business associates to update their HIPAA privacy and security policies to ensure that PHI stored on a comprehensive list of equipment is properly safeguarded.

You should make sure that all PHI (and other personal information) is completely wiped from this type of equipment before it is either returned to leasing agents, recycled, or discarded. Involve a competent information technology professional when decommissioning photocopiers to ensure that the hard drive is either removed or cleared of all PHI. Your business may also want to adopt policies that limit the types or number of devices that are exposed to PHI.

Finally, involving an IT professional before entering into a leasing arrangement so that you fully understand the storage capabilities and options for protecting confidential information used in your company’s business can also help you make the best comprehensive decision for protecting your client’s information throughout the lifecycle of the photocopiers.

Kara can be reached at

Know the Law is a bi-weekly column sponsored by The McLane Law Firm.
We invite your questions of business law. Questions and ideas for future columns should be addressed to: Know the Law, The McLane Law Firm, P.O. Box 888, Manchester, NH 03101 or emailed to Know the Law provides general legal information, not legal advice. We recommend that you consult a lawyer for guidance specific to your particular situation.