Patient records on USB memory sticks or email
Do not let a USB device plug into your computer from an outside source (e.g. a patient) to copy data. This would be very unsafe and outwith most information governance policies.
Remember if putting data onto disc/USB/data device that you should suitably encrypt the data and this is especially important if the data is going to a third party.
In this increasing technological age we are hearing practices receiving requests from patients to copy their medical records onto memory stocks or send in an email.
We would suggest that this is not part of your contract and you do not have to do this service for your patients. If you do provide this service we would suggest that both email and USB sticks are a very insecure medium of transport/ transfer and that you would need explicit written consent from the patient highlighting that this highly personal information will not be secure. You would also need to find a method of redacting the records to remove any third party references or content that would be harmful to the patient prior to the transfer which in some cases could be a significant workload. Under the DPA if only using electronic records you would only be able to charge a maximum of £10.
We do not recommend using patient provided USB sticks at all as they are viewed as a potential security threat to your computer and fall outside of most information governance policies. If you did then you would need as a minimum to ensure that they would encrypt the data.
In summary we think something that you do not have to provide and that if you choose to, this is a complex area fraught with risk and high workload.