Until and unless it is absolutely necessary, do not export anything from your secure EHR. Exporting PHI onto a portable device to access it outside your office is a high risk if the data is not encrypted; it is rather advisable to use secure remote access tools to access the information from outside the office and avoid exporting any data.
In order to maintain security and compliance your network and portable devices must be professionally managed to ensure that all protected data is secure and that access is tracked according to HIPAA. Rules. Even if it is a small practice you should have a strict policy requiring prior authorization to export data from your EHR system. And these rules should apply to everyone; Doctors and executives should not be exempt.
ENCRYPTION should be used to protect data on ALL devices – portable and stationary. Encrypting data allows you to avoid a HIPAA penalty because the HIPAA Breach Notification Rule says you do not have to report the loss of encrypted data. Encryption costs a lot less than notifying patients, facing government investigations and lawsuits, and paying for things like credit monitoring for all of your patients.
Have a risk analysis conducted by a professional rather than doing one yourself and risking a HIPAA penalty. There may be lot of protected patient data all over the place—on unencrypted portable devices like laptops, thumb drives, smart phones, and voice recorders; in the Cloud in unsecure and non-compliant (and sometimes free) e-mail, texting, and file sharing services; and with vendors, many of which had not signed Business Associate Agreements. Using a certified compliance expert will help identify these problems and solutions that you may miss, perhaps with disastrous results.
