A fax, at times containing sensitive information, can be sent to the wrong fax number. It happens more than practices let on. However, a misdirected fax may be not only inconvenient but also harmful. Sending a fax to the incorrect recipient could constitute a breach since, as a healthcare organization, you are required to adhere to HIPAA privacy rules.
Sending the fax to the wrong destination indicates that you gave someone who isn’t allowed to see it access to protected health information about the patient. The fax, in this instance, violates HIPAA since it contains personal information. Until otherwise demonstrated, you should consider any unauthorized disclosure of patient information a privacy violation.
In the event that a fax is sent in error, what should you or your team do? First, a privacy officer should be notified of the improper disclosure of patient information. Make sure everyone on your team knows their obligation to report potential violations.
The privacy officer needs a breach risk assessment to determine whether or not the misdirected fax constituted a breach. The severity of a breach is also revealed by this assessment based on four variables.
Let’s dive into two common misdirected fax scenarios and learn what you can find on a breach risk assessment.
For instance, your clinic unintentionally sent a fax to a nearby gas station. A surgical report was sent via fax along with the patient’s full name, date of birth, contact information, and medical condition. When you contacted the gas station, they claimed to have put the fax in the garbage the day before.
You can carry out a breach risk assessment and decide whether each of the following four categories has a low, medium, or high risk.
According to this breach risk assessment, there is a greater than low probability that PHI was compromised. As a result, the patient whose information was compromised will need notification from the privacy officer.
In another instance, your clinic sent a fax to the nearby Social Security Administration office. The patient’s full name, date of service, and diagnosis code were all listed on the billing summary that was sent via fax.
When you contacted the office, they claimed that they had destroyed the paper immediately after receiving it: they did not understand the data but suspected that it included critical information.
According to the breach risk assessment, there is no greater than a low probability that PHI was compromised. As a result, the patient won’t need to get a notification from the privacy officer.
Mistakes that seem ordinary or innocuous shouldn’t be disregarded! You are responsible for protecting and maintaining the privacy of sensitive patient data. Sending a fax to the incorrect person is unacceptable, and the issue should be reported and thoroughly investigated.
Our HIPAA compliance fax software directs faxes digitally to numbers listed in the account, avoiding the mistake of typing in a wrong number.