I was just informed by our compliance manager that in February of 2010, due to HIPAA changes, medical records need to be burned to a CD before being sent out.
Is this a true statement?
Karen Meyer
Health Information Services Supervisor
Summit Orthopedics
Woodbury, MN
Karen,
In short, there is no such requirement.
There may be a number of reasons you received the response you described from the identified individual.
One guess is that a new requirement brought about by the HITECH Act states that if a covered entity maintains electronic health records, the individual may request a copy in electronic format. I know this is not precisely as you described, but it is about as close as I can come to figuring out why the person you mentioned indicated it was a requirement.
Another possibility is that if the original record should be sent out and lost, perhaps the CD copy is serving as a mitigating factor to maintain a copy in your organization’s possession. Again…just a guess.
Good luck!
Frank
Where does it specifically state in the HIPAA rules that PHI sent on a data CD must be encrypted and password protected? If the CD is password protected and sent overnight mail, is that enough?
I don’t believe it tells you anywhere. HIPAA, with few exceptions, doesn’t tell you what you have to do; it tells you what can’t HAPPEN to the PHI. In this case, it’s left entirely to the covered entity to determine what risk mitigation steps you take. If you document your risk assessment and determine that the likelihood of a password-protected CD being lost in the mail, stolen or otherwise compromised and THEN the password being cracked (make sure you have a password policy) is low, then you probably comply with the Security Rule.
This, however, does not mean that you do not have to report it if it gets lost and your investigation determines that the password is likely to be cracked and there is a strong possibility of reputational, financial or safety concerns arising for the owners of the information on the CD. Reporting breaches and Security Rule and Privacy Rule compliance are separate issues.
Hope this helps,
Alex Golimbievsky
I do not know of a requirement for this, but it is interesting that an organization (Sisters of St. Francis) is being sued for 1.4 Billion (yes, with a B) for losing track of 260,000 records when a contractor copied patient information onto CDs, placed the CDs in a computer bag, then inadvertently returned the bag to a store with the CDs still inside.
Whoa. That is insane. Just looked up those articles:
http://www.wthr.com/Global/story.asp?S=5578184
http://www.lawcash.com/class-actions/sisters-st-francis-health-services-lawsuit/4943
I know there are systems we are looking at that integrate with our imaging and other medical systems and burn CDs for you. They check access, create an audit log of who burned it, when and what data, then allow administrators to mandate encryption. They come with a $15,000 price tag, but that’s much less than 1.4 billion.
Thanks for the heads up William! I managed to scare my boss with that story.
Alex,
I’m curious what imaging system you are using and what integration product you are reviewing. We will also be facing this issue within our facility.
Hey Karen,
Sorry for the late reply. We use Philips iSite for our PACS solution, and the software package we are looking into is PACSGear MediaWriter. It fully integrates with Philips iSite.
http://www.pacsgear.com/mediawriter.html
Hope that helps,
Thanks!
Alex Golimbievsky
From what I am reading in the HITECH Act, it is suggested but not required that you encrypt the CD. Can you clarify?
There is no legislation that says CDs need to be encrypted or password protected, however having them encrypted mitigates repercussions if the CD is lost or stolen.
The information I’ve been looking at is related to sending CDs out, such as for RAC audits, where there is a period of time between the facility and recipient when anything can happen. By encrypting CDs, the facility has done everything in their power to ensure the security of information while in transit (also assuming that it was sent certified mail).
It is not specifically required by HITECH, but encryption is the only way to ensure that a CD or DVD will not be compromised if lost or stolen. As part of HITECH readiness, we are shipping all DVDs with encryption as of 12/1/09 – no exceptions. Password protection is a layer between user and data. Encryption ensures that if you get to the data, you can read it. In this climate, encryption is highly recommended.
To the discussion group:
You each certainly help build a good case for encryption. I think what typically happens is that what represents good practice is sometimes equated with being a requirement.
For example, the use of seat belts was certainly considered good practice for decades but was not a requirement until recently.
Perhaps we will see encryption become a requirement in the future, given its pervasiveness within the realm of PHI.
Frank
We are a PT clinic and we are getting ready to move to our new location so we wanted to copy all our medical records to discs. What is the law or regulations on keeping the actual (paper) patient file?
I know this thread is old, but I have been tasked with researching solutions for our HIM dept. to burn patient ROIs to CDs that are encrypted, with a possible log of who is doing the burning. The files would be PDFs, and so far all I see are processes for burning DICOM images. Any suggestions?
One solution is to have the person doing the burning identify him or herself in the properties section of the document that is being burned.
Certainly this relies on a high rate of human-based compliance, which in the process-design world can be a very, very weak link, but it can serve as an interim option until you identify and adopt a different approach.
Frank
frank@hipaacollege.com
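Two technical points were raised in the thread: that a password check is only a gate in front of the data while encryption keeps the data itself unreadable, and the later request for a way to burn PDF releases with a record of who burned them. The following is an added worked example written for this page; it is not code from anyone in the thread or from PACSGear MediaWriter. The operator name, file names, sample PDF bytes and passphrase are constructed. The HMAC-SHA256 counter-mode keystream is a stdlib-only stand-in so the example runs anywhere; a production tool should use AES-GCM from a vetted library such as `cryptography`.

```python
"""Stage a release-of-information (ROI) payload for a CD, with an audit manifest.

Part 1 shows why a password check that merely gates access does not protect
the records on the disc; part 2 encrypts the payload (PBKDF2 passphrase ->
HMAC-SHA256 keystream in counter mode, then a separate HMAC tag, verified
before decryption); part 3 records who burned what and when.  All names and
the sample PDF bytes are constructed for this example.  The HMAC-CTR
keystream keeps the example stdlib-only; use AES-GCM from a vetted library
(e.g. `cryptography`) in a real tool.
"""
import hashlib
import hmac
import json
import secrets
import time

PBKDF2_ROUNDS = 200_000  # constructed value; tune to your hardware and password policy


# --- 1. "password protected": the check is a gate, the bytes stay in clear ---
def gate_protect(password: str, record: bytes) -> bytes:
    """Constructed weak scheme: password hash followed by the PLAINTEXT record."""
    return hashlib.sha256(password.encode()).digest() + record


def gate_open(password: str, blob: bytes) -> bytes:
    if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), blob[:32]):
        raise PermissionError("wrong password")
    return blob[32:]


def gate_bypass(blob: bytes) -> bytes:
    """Whoever finds the disc reads the record without any password."""
    return blob[32:]


# --- 2. encryption: nothing readable without the passphrase, tampering detected ---
def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]  # independent encryption key and MAC key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter), used as a PRF keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, payload: bytes) -> bytes:
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag  # layout: salt(16) nonce(16) ciphertext tag(32)


def decrypt(passphrase: str, blob: bytes) -> bytes:
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify before touching the ciphertext
        raise ValueError("wrong passphrase or disc contents altered")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# --- 3. audit manifest: who burned which records, when -----------------------
def build_manifest(operator: str, files: dict[str, bytes]) -> dict:
    return {
        "operator": operator,
        "burned_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": {name: hashlib.sha256(body).hexdigest() for name, body in files.items()},
    }


def stage_release(operator: str, passphrase: str, files: dict[str, bytes]) -> tuple[bytes, dict]:
    """Return (encrypted payload to burn, manifest to keep in the HIM department)."""
    payload = json.dumps({name: body.hex() for name, body in files.items()}).encode()
    return encrypt(passphrase, payload), build_manifest(operator, files)


def open_release(passphrase: str, blob: bytes) -> dict[str, bytes]:
    return {name: bytes.fromhex(h) for name, h in json.loads(decrypt(passphrase, blob)).items()}


if __name__ == "__main__":
    sample = {"roi_0001.pdf": b"%PDF-1.4 constructed sample record\n"}  # constructed input
    disc, manifest = stage_release("kmeyer", "correct horse battery staple", sample)
    print(json.dumps(manifest, indent=2))
    assert open_release("correct horse battery staple", disc) == sample
```

The manifest stays with the department, not on the disc, so that a lost disc can be matched to the exact records and operator during a breach investigation. The tag check in `decrypt` runs before any decryption, which is what turns "password protected" into "the wrong passphrase gets you nothing, and an altered disc is detected".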