By Lorraine Mazurek
You have questions… We have answers.
Q: Is sending an unencrypted CD or flash drive with PHI on it via the U.S. Mail acceptable? I have found there is a lot of confusion on this and some misinformation too. If you choose to go this route, would it be a defensible position during an audit?
A: The Privacy and Security Rules require organizations to implement reasonable safeguards to protect PHI. At a minimum, PHI sent through the mail on a CD or flash drive should be encrypted or password protected. Given how easy it is to provide this basic level of protection, it would be difficult to defend sending PHI through the mail without encrypting the CD or flash drive, or at least password protecting it.