Corporate Compliance

Taking PHI out of the office

Compliance Monitor, January 19, 2007

Q: Is it a HIPAA violation to take files containing personal health information out of the office to make preoperative/postoperative calls and deliver charts to an out-of-town physician's office for signature?

A: You should remove patient records from the facility's safekeeping under very limited circumstances, usually in response to a subpoena or court order. Ideally, an employee on duty at the time of the call (not working from home) should conduct preoperative/postoperative calls. If an employee must make these calls on his or her own time, it could be a violation of federal labor laws.

If a staff member is exempt from certain labor laws and must make follow-up calls from home, he or she should take only limited information (e.g., the patient's name and telephone number) out of the facility and document the follow-up calls on a blank form to file in the patient's medical record.

It can be difficult to get out-of-town physicians to come back to the facility to complete records, but most organizations have solved this without physically taking the records to the physician. For example, you could mail the original document to the physician for signature, along with a stamped, self-addressed return envelope (keep a copy of the report in the patient's record, should the original be lost). Or, fax the document to the physician and ask him or her to sign it and mail or fax it back.

Thanks to Mary Brandt, president of Bellaire, TX-based Brandt & Associates, LLC, for answering this question.

Most Popular