usually 30 days, before they are automatically removed.
In these instances reviewers are issued log-in credentials
to the system. Log-in credentials must meet HIPAA access
and control requirements. Organizations may choose to
accomplish this by limiting access to a certain population or
ensuring the log-in credentials expire within a specific time
In addition, organizations may choose to limit access to
“view only.” Reviewer requests for information to be printed
for further review should be handled through the HIM
department’s normal release of information processes.
Organizations that provide protected health information
(PHI) on electronic media must address requirements in the
HIPAA security rule. The physical safeguards section of the
rule (164.310) requires organizations address the receipt and
removal of electronic media that contain PHI. The rule also
requires organizations address the use, reuse, and disposal of
such media, both within the organization and outside it.
The HIPAA security rule also can provide guidance to
organizations when a reviewer requests protected health
information be downloaded onto the reviewer’s media device.
Most organizations have implemented security policies
that prohibit connecting media devices from outside the
organization to the internal network (e.g., EHR). Prohibiting
external devices allows an organization to prevent potential
data breaches or system failures.
The HIPAA security rule clearly states that organizations
are responsible for this assurance and strongly recommends
organizations encrypt protected health information as a
further measure to protect information from breaches and
In addition, organizations should ensure they have a signed
business associate agreement in place with any vendor who
chooses to receive information via electronic media. To
mitigate potential risk, the information should be provided
on a media device approved and supplied by the organization.
All external reviewers should be educated on organizational
security policies that explain why protected health
information cannot be downloaded to an external unsecured
There are other items to take into account in order to manage
electronic access effectively. Regardless of the final format, all
basic release of information guidance remains the same. For
example, organizations still have 30 days under the HIPAA
privacy rule to produce the health record. Reviewers should
not expect to walk in and receive immediate access to the EHR
or a CD.
HIPAA allows organizations to charge reasonable costs to
produce health records. HIM professionals should carefully
review the HIPAA guidance and relevant state guidance. Some
states are in the process of approving legislation that would
place a limit on the fees associated with producing personal
health information in electronic media.
Contrary to popular belief, producing electronic health
records is not quickly accomplished with a simple keystroke.
There is still time associated with validating the authorization,
processing the request, and producing the record in
accordance with the legal health record policy.
In addition, system capability will determine the time it takes
to produce the information in electronic media as well as the
final format of the information. If the final format on the CD is
unrecognizable, neither the reviewer nor the organization has
gained any efficiencies.
In the end, providing information electronically can benefit
the HIM department. In order to provide an accurate and
complete health record in electronic media, HIM professionals
should collaborate with the external reviewers, information
technology, and security officer to ensure compliance.
Lou Ann Wiedemann (email@example.com) is a director of
professional practice resources at AHIMA.