Do individuals have a right under HIPAA to have their PHI downloaded on portable media that they provide?
Whether PHI is “readily producible” for purposes of providing access will depend on the extent to which the requested method of copying, transfer, or transmission is within the capabilities of the covered entity and would not present an unacceptable level of risk to the security of the PHI on the covered entity’s systems, based on the covered entity’s Security Rule risk analysis.
With respect to portable media supplied by an individual, covered entities are required by the Security Rule to perform a risk analysis related to the potential use of external portable media and are not required to accept the external media if they determine there is an unacceptable level of risk to the PHI on their systems. However, covered entities are not then permitted to require individuals to purchase a portable media device from the covered entity if the individual does not wish to do so. The individual may in such cases opt to receive an alternative form of the electronic copy of the PHI, such as through email.