Provided by: Jennifer Kirschenbaum, Esq.
August 29, 2017
Can I give patients a USB who are requesting their information?
HIPAA does not dictate which mode a covered entity must use to transmit protected health information; instead, HIPAA provides guidance on the protections a covered entity should have in place to ensure the protected health information is not disclosed in an unauthorized manner.
For instance, a USB device may be used to provide patients their protected health information. The covered entity may even charge a reasonable fee for providing same, as specified in more detail in this Office for Civil Rights policy - https://www.hhs.gov/hipaa/for-professionals/faq/2029/how-can-covered-entities-calculate-the-limited-fee/index.html. However, if a covered entity or business associate were to disseminate unsecured USBs in a way that compromised the protected health information, it is likely that entity would have exposure from potential review and fine by the Office For Civil Rights – whether initiated by patient complaint, notice of breach or otherwise.