
HIPAA Q&A: Transporting records to satellite clinic

Compliance Monitor, June 13, 2012

Q: Our physician practice operates a satellite clinic. The practice does not use an electronic medical record. Charts are transported to a workforce member’s home at the end of the week and are transported to the satellite clinic Monday morning. Does this practice violate HIPAA? Also, who is responsible for the breach of patient PHI if someone steals the charts from a workforce member’s vehicle?

A: HIPAA does not prohibit transporting charts temporarily to a workforce member’s home. Medical practices that do so must reasonably ensure that charts are secured while they are en route and temporarily stored at the workforce member’s home. Ideally, store charts in a locking file cabinet or safely in the workforce member’s home.

Exercise the same care that is necessary when transporting laptop computers. Don’t leave charts in plain sight in unattended vehicles. If it becomes necessary to leave charts in an unattended vehicle, lock them in the trunk or out of sight of passersby if there is no trunk. These practices (transportation and remote storage of charts) must be documented in policy and enforced.

If the charts are stolen, ultimately the practice is liable. The incident would be considered a breach of unsecure PHI, and the practice would be required to notify patients within a reasonable period of time and follow all requirements of the interim breach notification rule (45 CFR 164.400–164.414).

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Ore., answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

