ual.102 However, individually identifiable health information is information that "[i]s created or received by a health care provider, health plan, employer, or health care clearinghouse... (emphasis added)."103 As with the definition of health information, IIHI must relate "to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual...."104

The terms "health information" and "individually identifiable health information" are part of HIPAA's definition of PHI. Under HIPAA the term "protected health information" or "PHI" includes individually identifiable health information that is: "(i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium... (emphasis added)."105 The Security Rule requires covered entities and business associates to implement certain administrative, physical, and technical safeguards, discussed in Section VIII.C of this digest, to protect PHI that is transmitted or maintained in electronic form.106

The fact that some transit agencies have health information on their patrons, some of which may have been transmitted by covered entities as authorized by patrons, may explain why some transit agencies have assumed that HIPAA applies to them. However, as discussed in Section VIII.B.1 of this digest, PHI may not be used or disclosed unless it comes within one of HIPAA's permissive or mandatory uses or disclosures. It appears that of the possible permitted or mandatory uses or disclosures of PHI under HIPAA, the only ones that apply to a transit agency are when a patient or client obtains and provides the health information; a patient or client authorizes the disclosure of health information by a covered entity to a transit agency; or another law requires that PHI be disclosed by the covered entity or a business associate.

Regardless of the applicability of HIPAA to transit agencies, some transit agencies have contracts that include a stipulation that the HIPAA rules apply to their contracts. As discussed in Sections IX.C and IX.D, an example of when a covered entity may be sharing PHI with a transit agency is when there is a coordinated transportation services program for which a transit agency serves as a broker or business associate (or as a subcontractor of a business associate) to provide transportation for ADA, Medicare, or other qualified recipients. It appears that if a transit agency receives PHI from one or more covered entities, then the transit agency may be subject to HIPAA, not because the transit agency meets the definition of a business associate under HIPAA, but because the agreement between a covered entity and a transit agency states that HIPAA applies.

VIII. HIPAA'S PRIVACY AND SECURITY RULES

A. Introduction

The HIPAA regulations state that unless specifically permitted by HIPAA a patient must authorize in writing any disclosures of PHI.107 Only specified covered entities are subject to HIPAA: health plans, health care clearinghouses, and health care providers. Business associates of covered entities may create, receive, maintain, or transmit PHI on behalf of the covered entity for the purposes and functions (e.g., claims processing) identified in 45 C.F.R. § 160.103. HHS estimates that there are approximately 700,000 entities that qualify as covered entities, approximately one to two million business associates of covered entities, and "an unknown number of subcontractors."108

B. The Privacy Rule

HIPAA's Privacy Rule is intended to prevent the unauthorized disclosure of PHI.109 Although the constitutionality of the Privacy Rule has been challenged on the grounds that it violates the First, Fourth, and Tenth Amendments to the Constitution,110 as well as on the basis that it is unconstitutionally vague,111 the rule's constitutionality has been upheld.

1. Permissive Disclosures of PHI

The HIPAA regulations in 45 C.F.R. Part 164, Subpart E, beginning with § 164.500, set forth the permissible and mandatory uses and disclosures of PHI. Section 164.502(a) states that "[a] covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter (emphasis added)."112 HIPAA's provisions thus apply to both covered entities and their business associates concerning when PHI may be used or disclosed (permissive uses and disclosures) and when PHI must be disclosed (mandatory uses and disclosures). If under the particular circumstances a covered entity may not use or disclose PHI, neither may its business associate do so.

Of course, a covered entity is permitted to disclose protected health information to the subject of the PHI.113 Another situation when a covered entity or its business associate is permitted to disclose PHI is when an individual authorizes the disclosure of the information to another person or entity.114

In the absence of a patron obtaining and providing PHI or authorizing a disclosure of the patron's PHI, a disclosure to or by a transit agency is not an occasion when a disclosure of PHI is specifically permitted by HIPAA.115 For example, a covered entity may use or disclose PHI to carry out treatment, payment, or health care operations.116 However, it does not appear that, absent a patient's written authorization, a covered entity is permitted to disclose PHI to a transit agency on the basis that a disclosure is for treatment, payment, or health care operations. The term "treatment" refers to the "provision, coordination, or management of health care and related services by one or more health care providers," language that is inapplicable to transit agencies.117 The term "payment" refers to activities undertaken by a health plan to determine its responsibility for coverage and benefits provided under the plan, including determinations of eligibility and billing.118 The term "health care operations" refers to "activities of the covered entity to the extent that the activities are related to covered functions."119 None of the definitions of treatment, payment, or health care operations applies to transit agencies.

There are other permissive occasions when PHI may be disclosed, such as for certain public health or benefit reasons;120 for law enforcement purposes; in judicial and administrative proceedings; and when PHI has been de-identified.121 Covered entities must give individuals notice of their privacy policies.122 None of the foregoing permitted uses or disclosures under HIPAA would allow a covered entity to share PHI with a transit agency without an authorization provided by the subject of the information.

102 45 C.F.R. § 160.103 (2013) (subsections (2)(i) and (ii) of the definition of individually identifiable health information).
103 45 C.F.R. § 160.103 (2013) (subsection (1) of the definition of individually identifiable health information).
104 45 C.F.R. § 160.103 (2013) (subsection (2) of the definition of individually identifiable health information).
105 45 C.F.R. § 160.103 (2013) (subsection (1)(i)-(iii) of the definition of PHI) (except as provided in paragraph (2) of the definition of PHI).
106 45 C.F.R. Parts 160 and 164, Subparts A and C (2013); see also 78 Fed. Reg. 5567.
107 45 C.F.R. §§ 164.502 and 164.508 (2013).
108 78 Fed. Reg. 5669.
109 45 C.F.R. § 164.502(a) (2013) (stating that "[a] covered entity or business associate may not use or disclose [PHI], except as permitted or required by this subpart or by subpart C of part 160 of this subchapter").
110 Ass'n of American Physicians & Surgeons, Inc. v. U.S. Dep't of Health and Human Services, 224 F. Supp. 2d 1115 (S.D. Tex. 2002).
111 South Carolina Medical Ass'n v. Thompson, 327 F.3d 346 (4th Cir. 2003).
112 45 C.F.R. § 164.502(a) (2013).
113 45 C.F.R. § 164.502(a)(1)(i) (2013).
114 45 C.F.R. § 164.502(a)(1)(iv) (2013).
115 Edward F. McArdle, 2002-2003 Survey of New York Law: Health Law, 54 SYRACUSE L. REV. 1179, 1186 (2004) (stating that unless one of the HIPAA exceptions applies "a written patient authorization is required for the use of PHI"), hereinafter referred to as "McArdle." 45 C.F.R. § 164.508 sets forth the general rule: "Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization."
116 45 C.F.R. § 164.502(a)(1)(ii) (2013). See 45 C.F.R. § 164.506 (2013) for additional requirements regarding uses and disclosures to carry out treatment, payment, or health care operations.
117 45 C.F.R. § 164.501 (2013) (definition of treatment).
118 45 C.F.R. § 164.501 (2013) (subsections (1)(i) and (2)(i) and (iii) of the definition of payment).
119 45 C.F.R. § 164.501 (2013) (definition of health care operations).
120 See, e.g., 45 C.F.R. § 164.512 (2013).
121 45 C.F.R. § 164.502(a)(1)(vi) (2013). See 45 C.F.R. §§ 164.512 and 164.514(e), (f), or (g) (2013). Section 164.512 sets forth the uses and disclosures for which an authorization or opportunity to agree or object is not required, such as when a disclosure is required by law. Section 164.514 includes some additional requirements not discussed herein. See also McArdle, supra note 115, at 1186.
122 45 C.F.R. § 164.520(a)(2) (2013) (relating to an individual's access to PHI and the right to receive an accounting of disclosures made by a covered entity).
2. Mandatory Disclosures of PHI

A disclosure to an individual of his or her health information is one of HIPAA's permissive uses or disclosures of PHI. A disclosure of PHI to the subject of the PHI is also one of the mandatory situations when PHI must be disclosed.123 Under § 164.502(a)(2)(i) a covered entity must provide PHI "[t]o an individual, when requested under, and required by § 164.524 or § 164.528...."124 In general, although there are exceptions under § 164.524, "an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set" for as long as the PHI is maintained in the set.125

Another mandatory situation is when a disclosure of PHI is required by law. Thus, a covered entity may use or disclose PHI without an individual's written authorization "to the extent that such use or disclosure is required by law."126 Part of the definition of the term required by law includes "Medicare conditions of participation with respect to health care providers participating in the program...."127 The term required by law also includes "statutes or regulations that require such information if payment is sought under a government program providing public benefits."128

Whether the above parts of the definition of required by law would permit a covered entity to share PHI with a transit agency because of another federal, state, or local law is not addressed in the final rule. There is some language in the commentary that implies that health information could be shared when an agency is billing for its services pursuant to a government program. In the final rule, HHS states that "if a covered entity is required by law to submit protected health information to a Federal health plan, it may continue to do so as necessary to comply with that legal mandate."129 Legal commentators have barely focused on the issue, but one writer states that

[A] Covered Entity that is required to disclose IIHI under the Social Security Act, the Family and Medical Leave Act, the Environmental Protection Act, the National Labor Relations Act, state law, or any other "law," remains obligated to do so, and may do so without violating HIPAA. This is true so long as the disclosure complies with, and is limited to, the relevant requirements of that law (emphasis added).130

It is not clear that in this context the required by law provision affects transit agencies that may be billing, for example, a state Medicaid program for transportation services. The issue may be moot. For example, a covered entity's practice may be to require a patient to sign an authorization for the release of PHI to qualify for transportation services and/or to require that a transit agency agree to comply with HIPAA.

Business associates are required to disclose PHI to a covered entity, to an individual, or to an individual's designee to satisfy a covered entity's obligations under HIPAA and to comply with an individual's request for an electronic copy of protected health information.131 A business associate "may use or disclose protected health information only as permitted or required by its business associate contract pursuant to § 164.504(e) or as required by law."132 Business associates also are required to disclose PHI when required by the Secretary of HHS to investigate or determine a business associate's compliance with HIPAA.133

A use or disclosure of PHI by a covered entity or business associate that does not come within one of the permitted or mandatory uses and disclosures established by the HIPAA regulations violates the Privacy Rule.134 It appears, however, that patrons of transit agencies provide health information, or authorize a covered entity to provide it to the agencies, in order to receive transportation services required by the ADA or made available under Medicaid or another public program.

123 45 C.F.R. § 164.502 (2013).
124 45 C.F.R. § 164.502(a)(2)(i) (2013).
125 45 C.F.R. § 164.524(a)(1) (2013). There are some situations when a covered entity may deny an individual access and the covered entity's grounds are "unreviewable." 45 C.F.R. § 164.524(a)(2) (2013).
126 45 C.F.R. § 164.512(a) (2013).
127 45 C.F.R. § 164.501 (2013) (definition of required by law).
128 Id.
129 78 Fed. Reg. 5628.
130 Scott D. Stein, What Litigators Need to Know about HIPAA, 36, No. 3 JOURNAL OF HEALTH LAW 433, n.57 (2003).
131 45 C.F.R. § 164.502(a)(4)(ii) (2013). See also 45 C.F.R. § 164.524(c)(2)(ii) (2013), referenced in the foregoing section.
132 45 C.F.R. § 164.502(a)(3) (2013). The section provides further that a "business associate may not use or disclose [PHI] in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement."
133 45 C.F.R. § 164.502(a)(4)(i) (2013).
134 45 C.F.R. § 164.502(a) (2013).
3. Minimum Disclosure Requirement

When disclosing PHI, such as in response to a subpoena or court order, "a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request."135

C. The Security Rule

HIPAA's Privacy Rule is intended to prevent the unauthorized disclosure of PHI. HHS adopted the Security Rule, with which compliance was required beginning in 2005, to complement the Privacy Rule "to address the privacy, security, and risks to the integrity of electronic health-record systems" by requiring covered entities "to implement reasonable administrative, physical and technical safeguards to secure electronic health information."136 Any transit agency that has entered into a contract with a covered entity in which it has agreed to be bound by HIPAA, or that is considering entering into an agreement with a covered entity, will be interested in the obligations imposed by the Security Rule.

Prior to HITECH, HIPAA's Security Rule did not apply directly to business associates of covered entities. Now the Security Rule's provisions on administrative, physical, and technical safeguards137 and the rule's requirements on procedures and documentation apply both to covered entities and their business associates.138 As HHS's 2013 final rule provides, covered entities and business associates must "comply with the applicable standards, implementation specifications, and requirements...with respect to electronic protected health information of a covered entity."139 Consequently, a covered entity or a business associate must "[i]mplement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)."140 Both covered entities and business associates are subject to the Enforcement Rule.141

Within the context of the Security Rule, confidentiality means that "data or information is not made available or disclosed to unauthorized persons or processes."142 In addition to other specified requirements, covered entities and business associates must "[e]nsure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits."143 In deciding on security measures to use, a covered entity or business associate must consider its "size, complexity, and capabilities," as well as its "technical infrastructure, hardware, and software security capabilities."144

Administrative safeguards include "security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information."145 A covered entity or business associate must "[i]mplement policies and procedures to prevent, detect, contain, and correct security violations;"146 conduct a risk analysis of the "electronic protected health information held by the covered entity or business associate;"147 "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a);"148 sanction "workforce members who fail to comply with the security policies and procedures of the covered entity or business associate;"149 and conduct regular reviews of "information system activity...."150

As defined in § 164.304, physical safeguards are those physical measures, policies, and procedures for the protection of "a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."151 A covered entity or business associate must "[i]mplement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed...."152

As for technical safeguards, a covered entity or business associate must have "technical policies and procedures" in place so that only "those persons or software programs that have been granted rights have access to protected health information...."153

Prior to HITECH, only state laws applied to breaches of privacy.154 There was no federal requirement for notification of a security breach caused by an improper disclosure of medical information. HIPAA defines the term "breach" to "mean[] the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information."155 When a business associate discovers a breach of unsecured PHI, the business associate must notify the covered entity of the breach.156 A business associate's knowledge of a breach includes a situation in which the business associate would have known of a breach by exercising reasonable diligence.157

However, assuming that transit agencies meet the definition of a business associate under HIPAA or have agreed by contract to comply with HIPAA, thus being subject to the Security Rule, transit agencies will be interested in knowing that the definition of a breach excludes certain unintentional, inadvertent, or inconsequential disclosures. First, a breach excludes any unintentional acquisition of, access to, or use of PHI by a workforce member of a covered entity or a business associate (or a person who is acting under the authority of a covered entity or a business associate) if the acquisition of, access to, or use of PHI was made "in good faith and within the scope of authority and does not result" in a further nonpermitted use or disclosure.158 Second, a breach does not include any inadvertent disclosure by a person who is authorized to have access to PHI at a covered entity or business associate to another person who is authorized to have access to PHI at the same covered entity or business associate.159 The PHI received because of the disclosure must not have been used or disclosed thereafter in a nonpermitted manner.160 Third, a breach in security has not occurred when there is a disclosure of PHI when "a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information."161

Of the agencies responding to the survey that have health information on patrons, four agencies stated that they did not have security arrangements, such as those required by HIPAA, for the safeguarding of health information or records, including those in electronic format.

135 45 C.F.R. § 164.502(b) (2013). Section 164.514(d) (2013) concerns requirements regarding "minimum necessary" uses and disclosures of PHI. There are exceptions to the minimum necessary standard. See id. § 164.502(b)(2) (2013). Section 164.530(c) (2013) requires a covered entity to have administrative, technical, and physical safeguards to protect the privacy of PHI. See also Jolley & Chewning, supra note 28, at 23.
136 Ayres, supra note 42, at 983 (citing 45 C.F.R. §§ 164.302, 304, 306, and 501 (2010)).
137 45 C.F.R. §§ 164.308, 164.310, and 164.312 (2013), respectively.
138 45 C.F.R. § 164.316 (2013).
139 45 C.F.R. § 164.302 (2013).
140 45 C.F.R. § 164.312(a)(1) (2013).
141 78 Fed. Reg. 5589.
142 45 C.F.R. § 164.304 (2013).
143 45 C.F.R. § 164.306(a)(1) (2013).
144 45 C.F.R. § 164.306(a)(2) (2013). In addition, a covered entity or business associate must comply with §§ 164.308, 164.310, 164.312, 164.314, and 164.316 (2013) with respect to all electronic PHI. See 45 C.F.R. § 164.306(c) (2013).
145 45 C.F.R. § 164.304 (2013) (definition of administrative safeguards).
146 45 C.F.R. § 164.308(a)(1)(i) (2013).
147 45 C.F.R. § 164.308(a)(1)(ii)(A) (2013).
148 45 C.F.R. § 164.308(a)(1)(ii)(B) (2013).
149 45 C.F.R. § 164.308(a)(1)(ii)(C) (2013).
150 45 C.F.R. § 164.308(a)(1)(ii)(D) (2013).
151 45 C.F.R. § 164.304 (2013) (definition of physical safeguards).
152 45 C.F.R. § 164.310(a)(1) (2013).
153 45 C.F.R. § 164.312(a)(1) (2013).
154 Andresen, supra note 60, at *1.
155 45 C.F.R. § 164.402 (2013).
156 45 C.F.R. § 164.410(a)(1) (2013).
157 45 C.F.R. § 164.410(a)(2) (2013).
158 45 C.F.R. § 164.402(1)(i) (2013).
159 45 C.F.R. § 164.402(1)(ii) (2013).
160 Id.
161 45 C.F.R. § 164.402(1)(iii) (2013).
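The access-control standard in § 164.312(a)(1) (access only for persons or software programs that have been granted rights), the minimum necessary standard discussed in Section VIII.B.3, and the information system activity review required by § 164.308(a)(1)(ii)(D) amount, in software terms, to three controls on one record store: a grant table consulted before every access, a projection of each record down to the fields the stated purpose needs, and an audit trail that is reviewed for activity the grant table does not explain. The following Python is an added example written for this page; it is not code from the digest or from any responding agency. The roles, purposes, field sets, patron records, and the two-denial review threshold are assumptions constructed for the example.

```python
"""Added example (not from the digest or any agency): a small ePHI store that
enforces granted access rights, projects records to the minimum-necessary
fields for the stated purpose, writes an audit trail, and reviews that trail.
Roles, purposes, field sets and patron records are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample records; the patrons and their data are fictitious.
RECORDS: Dict[str, Dict[str, str]] = {
    "P-001": {"name": "A. Rider", "dob": "1950-04-02",
              "diagnosis": "multiple sclerosis",
              "mobility_device": "power wheelchair", "eligibility": "unconditional"},
    "P-002": {"name": "B. Rider", "dob": "1962-11-19",
              "diagnosis": "macular degeneration",
              "mobility_device": "none", "eligibility": "conditional"},
}

# Minimum-necessary field set per purpose of use (assumed policy): a
# dispatcher scheduling a trip never needs the diagnosis or date of birth.
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "eligibility_determination": frozenset(
        {"name", "diagnosis", "mobility_device", "eligibility"}),
    "trip_scheduling": frozenset({"name", "mobility_device", "eligibility"}),
}

# Access rights granted per role: the "granted access rights" that the
# technical access-control standard refers back to (assumed for the example).
ROLE_PURPOSES: Dict[str, FrozenSet[str]] = {
    "eligibility_specialist": frozenset(PURPOSE_FIELDS),  # every purpose above
    "dispatcher": frozenset({"trip_scheduling"}),
}


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    user: str
    role: str
    record_id: str
    purpose: str
    outcome: str            # "granted" or "denied"
    fields: FrozenSet[str]  # exactly the fields returned; empty on denial


class PhiStore:
    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        self._records = records
        self.audit_log: List[AuditEvent] = []

    def access(self, user: str, role: str, record_id: str,
               purpose: str) -> Optional[Dict[str, str]]:
        """Return the minimum-necessary view of a record, or None if denied.
        Every attempt, granted or denied, is written to the audit log."""
        permitted = purpose in ROLE_PURPOSES.get(role, frozenset())
        record = self._records.get(record_id)
        if not permitted or record is None:
            self._log(user, role, record_id, purpose, "denied", frozenset())
            return None
        wanted = PURPOSE_FIELDS[purpose]
        view = {k: v for k, v in record.items() if k in wanted}
        self._log(user, role, record_id, purpose, "granted", frozenset(view))
        return view

    def _log(self, user, role, record_id, purpose, outcome, fields) -> None:
        self.audit_log.append(AuditEvent(len(self.audit_log) + 1, user, role,
                                         record_id, purpose, outcome, fields))


def review_activity(log: List[AuditEvent], denial_threshold: int = 2) -> List[str]:
    """Information system activity review: flag principals acting under a
    role with no granted rights, and repeated denied attempts by one user."""
    findings: List[str] = []
    denials: Dict[str, int] = {}
    for ev in log:
        if ev.role not in ROLE_PURPOSES:
            findings.append(f"event {ev.seq}: {ev.user} used unknown role {ev.role!r}")
        if ev.outcome == "denied":
            denials[ev.user] = denials.get(ev.user, 0) + 1
    for user, count in sorted(denials.items()):
        if count >= denial_threshold:
            findings.append(f"{user}: {count} denied access attempts")
    return findings


def demo() -> List[str]:
    """Run a constructed sequence of accesses and return the review findings."""
    store = PhiStore(RECORDS)
    store.access("dana", "dispatcher", "P-001", "trip_scheduling")            # granted, no diagnosis
    store.access("dana", "dispatcher", "P-001", "eligibility_determination")  # denied: not granted
    store.access("erin", "eligibility_specialist", "P-002", "eligibility_determination")
    store.access("mallory", "contractor", "P-002", "trip_scheduling")         # denied: unknown role
    store.access("mallory", "contractor", "P-001", "trip_scheduling")         # denied again
    return review_activity(store.audit_log)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the module prints the review findings for the constructed sequence: two events in which a user acted under a role that was never granted rights, and one user with repeated denied attempts. The dispatcher's single denial stays below the threshold and the eligibility specialist's view of a record omits the date of birth, which no purpose in the table requires. In a real deployment the grant table would be keyed to an authenticated identity rather than a caller-supplied role string, and the audit trail would be written to storage the application itself cannot alter; the example keeps both in memory so that it runs offline.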
Thirteen agencies stated that they secure a patron's health information by keeping the information in a locked file cabinet162 and/or in a locked room163 or in a "secure area"164 with access restricted only to authorized personnel.165 Transit agencies stated that they receive health information on patrons by hand166 or by mail167 or electronically by email168 or by telefax.169 However, some transit agencies may be receiving PHI from covered entities (or their business associates), such as when transit agencies are participating in a coordinated transportation services program or are serving as direct providers to covered entities pursuant to an agreement.170

East Bay Paratransit Consortium (EBPC) stated that electronic files are password protected and that printed files on clients are kept in a locked room that requires a pass code. EBPC also reported that there is "limited medical information" in its database on clients. Manchester stated that it does not deal with electronic information as "applications are filled out on paper and physically stored." Metro Transit advised that it "maintains ADA paratransit application forms...in a secure area with limited access" and that "[o]nly hard copy files are maintained, no electronic copies."171 Riverside has applicants submit a physician's verification documenting their disability; the documents are only stored "electronically as part of the certification file and used for comparison over time;" and "the software used to store the data has security measures built in to ensure the privacy and confidentiality of these documents." Although noting that HIPAA does not apply to the agency, Whatcom stated that the agency is "committed to maintenance of customer confidentiality." Whatcom reported that it receives health information as authorized by an applicant for paratransit eligibility and that the "information is stored in locked, physical files and password protected computer files."172

Finally, the Greater Attleboro-Taunton Regional Transit Authority (GATRA), which has a business associate agreement with the Massachusetts Executive Office of Health and Human Services (EOHHS) and its constituent entities, stated that in addition to telefax and secure e-mail "transportation authorizations are received via secured FTP transmission [and] are posted for subcontractors via secure FTP on our portal (web)." GATRA's security arrangements include "employee training" and service agreements with subcontractors.

Even if a person or entity is subject to HIPAA, HIPAA's Security Rule does not necessarily apply to PHI received by telefax or by e-mail. First, HIPAA defines electronic media subject to the Security Rule to include "[e]lectronic storage material on which data is or may be recorded electronically," such as a computer hard drive or removable or transportable digital memory devices.173 Electronic media also includes "transmission media used to exchange information already in electronic storage media," such as the Internet, and the physical movement of removable/transportable electronic storage media.174 However, the Security Rule does not apply to certain transmissions, including the use of paper or telefax or telephone transmissions, when "the information being exchanged did not exist in electronic form immediately before the transmission."175 Although PHI stored in covered entities' and business associates' photocopiers, facsimile machines, and other devices is subject to the Security Rule, such stored PHI is secured appropriately when the device is monitored or when physical access to a photocopier or telefax machine used for copying or sending PHI is restricted.176

D. De-Identified Information

Under HIPAA de-identified health information is not subject to limitations or restrictions on its

162 Responses of HART and KAT (applications are kept in a locked file cabinet); Responses of Manchester and MATA ("lockable files").
163 Response of HART (applications kept in locked file cabinet in locked file room); Response of Utah Transit Authority (all information stored in a secure locked file room and no information shared without a written request of a client or the client's agent).
164 Response of MATA; Response of Metro Transit (stating that paratransit application records are kept confidential; that as of yet no electronic encryption has been implemented; and that all supplemental eligibility materials are kept in a secure area with limited access).
165 Response of Manchester (locked file cabinet with restricted access); Response of HART (access to patrons' health information restricted only to authorized personnel in the paratransit department, meaning two or three employees of the agency).
166 Responses of KAT and MATA.
167 Responses of New Haven Transit and HART (stating that certifications provided by physicians are only accepted in "hard-copy format through regular mail"); Response of KITSAP (stating that requests are sent by telefax or by mail to a named medical professional with a cover sheet, a questionnaire, and a release form; that after the response is returned to KITSAP, it is reviewed and retained with an applicant's file; and that inactive and archived passenger files are destroyed after 6 years); Response of KAT; Response of MATA (stating that applications help to determine eligibility; that applications request information on medical conditions; that applications are received by mail, by email, or by hand; and that after being reviewed applications are stored in locked files); Responses of North County, Pierce Transit, Salem-Keizer, and Space Coast.
168 Responses of GATRA, MATA, North County, and Salem-Keizer.
169 Responses of GATRA, KITSAP, KAT, North County, Pierce Transit, Salem-Keizer, and Space Coast.
170 See Section IX.C.
171 Pierce Transit stated that applications for paratransit as well as requests for professional verification are sent to Pierce Transit by mail or by telefax but that the agency stores only paper files.
172 Response of Whatcom.
173 45 C.F.R. § 160.103 (2013) (sub-part 1 of the definition of electronic media).
174 45 C.F.R. § 160.103 (2013) (sub-part 2 of the definition of electronic media).
175 Id.
176 78 Fed. Reg. 5576. HHS cautions that "before removal of the device from the covered entity or business associate, such as at the end of the lease term for a photocopier machine, proper safeguards should be followed to remove the electronic [PHI] from the media." Id.