Provided by:  Jennifer Kirschenbaum, Esq.

August 29, 2017



Hi Jennifer,

Can I give patients a USB who are requesting their information?

Dr. O


HIPAA does not dictate which mode a covered entity must use to transmit protected health information; instead, HIPAA provides guidance on the protections a covered entity should have in place to ensure the protected health information is not disclosed in an unauthorized manner.  

For instance, a USB device may be used to provide patients their protected health information.  The covered entity may even charge a reasonable fee for providing same, as specified in more detail in this Office for Civil Rights policy -  However, if a covered entity or business associate were to disseminate unsecured USBs in a way that compromised the protected health information, it is likely that entity would have exposure from potential review and fine by the Office For Civil Rights – whether initiated by patient complaint, notice of breach or otherwise.