Corporate Compliance

Is it a HIPAA violation to take patient charts home or on vacation to complete dictation?

Compliance Monitor, January 5, 2007

Q: Is it a HIPAA violation to take patient charts home or on vacation to complete dictation?

A: The privacy and security rules do not explicitly prohibit a provider from taking charts off site. Instead, covered entities must establish policies, procedures, and practices that reasonably ensure the integrity, confidentiality, and availability of the information. This means ensuring that:

  • the chart is secure at all times (e.g., in transport, when stored off-site)
  • in this case, no one other than the provider has access to the chart
  • processes are in place to access the information in the event of a disaster
It is well within a covered entity's rights to impose security policies, procedures, and practices that prohibit providers from transporting patient charts off site. The covered entity could determine that such practices pose too great a risk to the integrity, confidentiality, and availability of PHI because there are a number of increased risks when transporting data off-site.

Thanks to Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, for answering this question.
