Privacy Officer's Roundtable

Transporting Medical Records

  • 1.  Transporting Medical Records

    Posted 11-20-2019 02:57 PM
    Good afternoon,

    Can anyone point me to a place in the HIPAA regulations governing tranporting medical records? I am trying to see if recommendations I'm being given are actually in the regulations or simply "best practices".

    Thank you for any help you can offer.

    LaDon Linde
    Compliance/Privacy Officer
    Astria Sunnyside Hospital
    2020 SCCE Membership

  • 2.  RE: Transporting Medical Records

    Posted 11-20-2019 03:00 PM
    LaDon, I don't believe there is specific mention to transporting PHI, moreover it is part of your "reasonable safeguards" implementation. We have contractual requirements with the state that have specific requirements in lace, such as locked box/case not to be put in checked luggage on planes etc., but I am not aware of specific requirements within HIPAA.

    Hope that helps. ​

    David Rothery, CHC
    Compliance Officer
    Marin County, CA

    These are my personal opinions and not those of the County of Marin

    2020 SCCE Membership

  • 3.  RE: Transporting Medical Records

    Posted 11-20-2019 03:23 PM

    Thank you, David and Frank. This is most helpful!


    LaDon Linde, CHC

    Compliance Officer/Medical Staff Services Director

    Astria Sunnyside Hospital

    1016 Tacoma Ave l Sunnyside, WA 98944

    509-837-1364 (P) l 509-837-1796 (F)




    2020 SCCE Membership

  • 4.  RE: Transporting Medical Records

    Posted 11-20-2019 06:21 PM
    As David R. stated, I don't believe there are any specific requirements in the regulations (at least I hope not).

    David Garrison
    Compliance/Privacy Officer

    2020 SCCE Membership

  • 5.  RE: Transporting Medical Records

    Posted 11-21-2019 06:06 AM
    Edited by Brenda Manning 11-21-2019 06:17 AM
    This falls under the Privacy Rule which applies to PHI in all forms (e.g., paper, electronic, verbal) unlike the security rule which only applies to e-PHI. The provision is 45 CFR 164.530(c)(1).  Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

    The regulation doesn't get into the weeds of specifics but the expectation is that your organization will assess the risk and take steps to put measures in place to safeguard the PHI such as some of those suggested.

    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Administrative Services Building, Ste. 1201
    213 S. Jefferson Street
    Roanoke, VA 24011
    (540) 224-5757
    Fax: (540) 510-224-5787
    Integrity Help Line Compliance: (844) 732-6232

    Our Mission: Improve the health of the communities we serve.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.

    2020 SCCE Membership