Privacy Officer's Roundtable

1.  Flashdrives

Posted 6 days ago
How do you provide copies to requestors of medical records?  Do you use a flashdrive, a CD, paper, e-mail?  We are thinking about putting records on flashdrives and giving to the patient.  I appreciate any thoughts, recommendations, etc you might share.



------------------------------
Gayla Smith
HIM Manager/Compliance
------------------------------


2.  RE: Flashdrives

Posted 6 days ago
I would be very surprised if the use of flashdrives was a primary mode of providing copies of medical records to a patient.  My thought, based on interactions with others is that the common options used include:

- providing hard copies
- emailing copies (both in a secured and unsecured manner depending on the patient's request)

At one time CDs seemed to be a popular option...but I don't tend to see it very often...except in the case when patient's want electronic copies of radiology studies.

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------



3.  RE: Flashdrives

Posted 6 days ago
I am over our medical records department in addition to my numerous other titles :)....We provide mostly CD's, paper records, or upload to portals. With that said, CD's seem to be the most popular. If we use a CD, we encrypt the CD and provide a number for the requestor to call to obtain the user name and password. They would have to verify certain identifiers of the patient before we give out the username and password. Hope this helps.

------------------------------
Savannah Knuettel
Compliance Coordinator
Galen Medical Group
Chattanooga,TN

The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
------------------------------



4.  RE: Flashdrives

Posted 6 days ago

Personally, I would never plug a USB into my computer that I didn't personally purchase from a well-known, reputable manufacturer and remove from the wrapper, or one that had been plugged into another computer for fear of cross-contamination of nasties, such as browser hijackers, malware, adware, spyware, or greyware.  

 

We block USBs on our work computers via software.

 

Gwen Pekuri, CPHIT, CPHIE

     Compliance Specialist

 

 






5.  RE: Flashdrives

Posted 6 days ago
So far all our requests have been for paper.  If we got a request for electronic media we have some CD's that we would use.  We are considering switching to thumb-drives.

------------------------------
David Garrison CHC,CHPC
Compliance/Privacy Officer
SEARHC
Juneau,AK
------------------------------



6.  RE: Flashdrives

Posted 6 days ago
We typically get requests for paper or email.

My spouse was being treated last month at an urgent care that determined hospitalization was required and they sent us to admitting with a CD of lung x-rays, but once in the ER the hospital staff couldn't get the images off the CD. My work Laptop doesn't even have a CD drive and for that matter, neither does my personal laptop.

I would personally be worried about plugging a USB into my personal computer as well, and most of our agency machines block USB access.

Carly Borenkind, LCSW
Compliance Officer- JASA
247 W. 37th Street 9th Floor
New York, NY 10018
Ph: 212.273.5296
eFax: 929.299.1132

Compliance Concerns can be reported anonymously, if desired, through the Compliance Hotline at 212-273-5288 or click here.  Concerns can also be emailed to complianceconcerns@jasa.org




www.jasa.org

  

Confidentiality Notice:  This e-mail is intended only for the person(s) to whom it is addressed and may contain information that is confidential, proprietary, privileged or otherwise protected from disclosure.  If you are not an intended recipient, please (i) do not read, copy or use this communication, or disclose it to others, (ii) notify the sender immediately by replying to the message, and (iii) delete the e-mail from your system.  JASA's Privacy officer can be reached at 212-273-5296.





7.  RE: Flashdrives

Posted 6 days ago

We provide paper copies of records when requested. We do not accept any media (CD's, flash drives) from patients for record copying. 



------------------------------
Dr. Randy Lewis, LMFT, CHPC
HIPAA Privacy Officer
Orange County Government
Orlando, FL
------------------------------



8.  RE: Flashdrives

Posted 5 days ago
Randy,

Good post and it sounds like you folks have some experience in this area.  That being the case (my assumption), what is your experience in complying with the fact that we can't require people to purchase portable media on which to copy their ePHI.  In those cases, do you:

A. Consider providing paper copies
B. See if the individual will accept the ePHI to be emailed
C. The organization absorbs the cost of the media
D. Other?

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------



9.  RE: Flashdrives

Posted 4 days ago
​Frank,
As far as I know, we have not been asked to copy information to a disk.

Under HIPAA (Section 164.524) we can charge a reasonable cost-based fee for copying records. This would permit us to charge for a disk.

However, when it comes to PHI, to my knowledge, we do not charge the patient. Nearly all of our requests are for paper copies of records. We contract with a service to provide these copies (yes, we have a BAA with them). We pay for the service, but I do not believe we charge the patient. If the patient wanted an electronic copy, we just provide our own disk with the copied records to the patient.

------------------------------
Dr. Randy Lewis, LMFT, CHPC
HIPAA Privacy Officer
Orange County Government
Orlando, FL
------------------------------



10.  RE: Flashdrives

Posted 5 days ago
​We are in the discussion phase right now, of how we would like to offer our patients options.  Our policy would definitely state that we would never accept their personal flash/thumb drives (one time use).  We are planning to order flash drives to provide to them in lieu of paper, if they prefer. Our policy would be to use only new flash/thumb drives from our own stock.  I have also seen where some ROI departments are e-mailing patients their records.  I was just looking to see if I could find someone who are already doing either or both and maybe policies.

Thank you all for your discussion.  I appreciate all the feedback I get.

------------------------------
Gayla Smith
HIM Manager/Compliance
------------------------------



11.  RE: Flashdrives

Posted 5 days ago
I think it was about 4 years ago (which is about right given when Omnibus became effective) a few of us from HCCAnet got together and purchased 2 GB flashdrives in bulk (I think we purchased about 2000 units).  I think the cost of each came to about $3.00 which for some folks was a great way to stretch some of their dollars given the price of 2 GB drives at the time which is still a good value today.  I know some folks who received 100 still have some of their stock left...while others ran out after a year or two.

So the demand wasn't too high...and the Security officers at each site liked the idea that they did not have to introduce USBs from patients onto their systems, so the $3.00/USB was a good investment.  I also know that in most cases, the hospitals and clinics didn't pass along the cost of the USB drive to the patient.

I do not recall anyone having many problems with the 2 GB size being a problem as the super majority of copies of ePHI were well below the 1 GB range.

Just providing some info to consider as folks look into this.

------------------------------
♫ Happy Holidays ♫
-----Frank Ruelas-----
------------------------------