Storing Information

I Background

Often the agency is the only entity that has the true and complete identifying and contact information for all parties involved in an egg donation and surrogacy agreement. Although this is less true for surrogacy, the agency still acts as a facilitator and generally communicates with all parties to an agreement.

Many anonymous egg donation contracts between the IPs and Egg Donors state that each party may contact the other in the future to discuss medical concerns or genetic questions. Furthermore, the donor is often under a legal obligation to keep the IPs informed of any health conditions she may develop that have a genetic component. In order to facilitate this communication, the donor is often advised to provide her agency with this information so that it may be passed along to the IPs should it become necessary.

II Standards

The agency should keep all identifying and contact information for all parties. The agency must bear the burden of maintaining all records as long as it is in operation, with 18 years being the minimum. The records need not be kept as hard copies for longer than one year, as long as they are in a well-organized and easily searchable database.

If the agency closes its doors, it should be obligated to contact all parties and use its best efforts to disseminate records to each party rather than destroying them. Best practices shall include the following attempts to contact the parties in an effort to distribute records: (1) Send an email through a trackable system like Constant Contact, etc.; (2) Follow up with certified mail through USPS to those that do not respond to the email; (3) Contact the parties at their last known phone number if they have not responded to email or regular mail. The Parties should be given 6 months' notice in order to collect their records. If the agency is selling to a new entity, then it should be required to take the same steps, but shall be permitted a shorter time window of 60 days as the records will simply be transferred rather than destroyed.

In order to maintain accurate records, agencies should attempt to collect medical updates from their egg donors annually by sending emails to all active and inactive Egg Donors in their database.

In order for agencies to best protect themselves from liability, they should use up-to-date technology to collect, store and search data for each case. This technology should include password encryption. (Physical documents should be kept in a secure storage system.)

2 Comments on “Storing Information”

  1. Hi, can you offer a suggestion of an “up-to-date technology to collect, store and search data” for donor information?

    Thank you,

  2. Hi Camille,

    Microsoft OneDrive for business is a great solution and adheres to a HIPAA-compliant business associate agreement (BAA). See the below information from HIPAA Journal:

    Microsoft was one of the first cloud service providers to agree to sign a BAA with HIPAA-covered entities, and offers a BAA through the Online Services Terms. Under the terms of its business associate agreement, Microsoft agrees to place limitations on use and disclosure of ePHI, implement safeguards to prevent inappropriate use, report to consumers and provide access to PHI, on request, per the HIPAA Privacy Rule. Microsoft will also ensure that if any subcontractors are used, they will comply with the same – or more stringent – restrictions and conditions with respect to PHI.

    Provided the BAA is signed prior to the use of OneDrive for creating, storing, or sharing PHI, the service can be used without violating HIPAA Rules.

    Microsoft explains that all appropriate security controls are included in OneDrive, and while HIPAA compliance certification has not been obtained, all of the services and software covered by the BAA have been independently audited for the Microsoft ISO/IEC 27001 certification.

    Appropriate security controls are included to satisfy the requirements of the HIPAA Security Rule, including the encryption of data at rest and in transit to HIPAA standards. Microsoft uses 256-bit AES encryption and SSL/TLS connections are established using 2048-bit keys.
