EXPERT RESPONSE
HIPAA doesn't specify that patient records can't be stored permanently, but that they have to be protected and kept private. So rewriteable media should be acceptable, as long as access to that media is restricted.
This brings up the issue of proper data-handling practices. Basically, if the records are digitized, then proper controls must be in place to dictate who can access the information. Maybe that means having proper security set up on file shares. Perhaps these CDs and DVDs should be kept in a safe so they aren't accessible to everyone. Encrypting the data should also be considered, to make sure that even if the data is accessible, it's not readable without the key.
Of course, it is good practice to implement procedures to protect against data corruption and unauthorized changes, so storing the data on write-once media isn't a bad idea. But since you would only be storing a point in time backup (or replication) of the data in question, there is a cost there.
Based on my understanding of HIPAA, these types of storage mechanisms would be acceptable. Yet as with any regulation, that is ultimately going to be a judgment call of the examiner that shows up to assess your organization.
For more information:
Mike Rothman discusses the terms of HIPAA, specifically if it is a violation of the act to publicly display client names.
In this expert response, learn if an off-site employee exit procedure will violate HIPAA regulations
|
