A Business Associate’s Compliancy Journey: Electronic Transfer Of PHI


For small companies whose primary function includes receiving, reviewing, and analyzing information contained in medical records, dealing in the transfer of protected (or personal) health information (PHI) will be a daily occurrence. These types of companies constantly deal with medical records, and protecting PHI that is electronically transferred is of primary importance. This can naturally lead to a major focus on becoming fully HIPAA compliant.

The Basics of Electronic PHI Transfer

Transferring PHI electronically requires protection to prevent access by an unauthorized user. PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals if the PHI has been encrypted as specified in the HIPAA Security Rule, or if the media on which the PHI is stored or recorded has been destroyed.

External PHI transactions occur when there is a transfer of information between a business’s staff and its clients. Clients will likely prefer the ease of accessibility and use that cloud sites offer for file transfers. However, the challenge is finding a reliable and secure cloud site that will assure compliance with HIPAA requirements while still offering ease of use for all parties. Additionally, when selecting a vendor, businesses must remember to comply with the HHS’s Business Associate Agreement rule.

Work With Clients to Establish Methods for External PHI Transfer

After establishing a safe and secure method for electronic PHI transfer, small businesses must develop best practices to govern file transmission to clients. This may involve requiring clients to log into the cloud site to retrieve their messages and all related documents that are stored there, rather than transmitting these documents via email. This policy might likewise require clients to log into the cloud site to upload files being sent to the business. Under such a policy, files cannot be shared in either direction (i.e., uploaded or downloaded) without first logging into the secure, HIPAA-compliant site.

Develop Best Practices for Internal PHI Transfer

In addition to external PHI transfer, businesses may also need to internally transfer PHI in the course of daily business. These circumstances should also be governed by formal rules or practices. For example, rather than sending PHI files via email, consider utilizing shared drives on a secure, internal network. Ultimately, when communicating via email or by any written means, it’s preferable to avoid sharing PHI to the extent possible.

For businesses that frequently transfer electronic PHI, keeping this information secure as it changes hands is an enormous responsibility. Finding a solution that works for both the business and the client must be a top priority that will often require communication and education regarding options and recommendations to serve both parties’ specific needs.