Call Us Today 314-272-2600 | Support@HIPAAtrek.com

Have you ever sent a fax to the wrong recipient? This is a common error. Besides frustrating, a misdirected fax can also be harmful. As a healthcare organization, you must comply with the HIPAA Privacy Rule, which means sending a fax to the wrong recipient could be a breach.

Is a Misdirected Fax a Privacy Breach?

If the fax contained a patient’s protected health information (PHI), then sending it to the wrong recipient means you’ve disclosed the PHI to someone who isn’t authorized to see it. According to HIPAA, the fax in this case is an impermissible disclosure (i.e. not allowed by the Privacy Rule). You should assume any impermissible disclosure of patient data is a privacy breach until proven otherwise.

So, what should you or your staff do when a fax is sent in error?  Any impermissible disclosure of patient information should be reported to your privacy officer (or you, if you’re the privacy officer). Make sure your team knows their responsibility to report possible breaches.

To see whether or not the misdirected fax was a breach, the privacy officer needs to conduct a breach risk assessment. A breach risk assessment also reveals the severity of a breach based on four factors.

LEARN MORE: What is a Four-Factor Breach Risk Assessment?

Let’s look at two common misdirected fax scenarios and what you may find on a breach risk assessment.

Scenario 1: Fax Sent to a Gas Station

Your clinic accidently sent a fax to a local gas station. The fax included a surgical summary with the patient’s full name, DOB, phone number, address, and diagnosis. When you contacted the gas station, they said they’d thrown the fax in the trash can yesterday.

You conduct a breach risk assessment and determine whether the risk is low, medium, or high in each of the four following categories:

Scenario 1 Breach Risk Assessment

Factor 1What information was involved?Data included the patient’s diagnosis as well as demographic information (DOB, full name, and address).HIGH RISK
Factor 2Who was the unauthorized recipient, and are they obligated to protect the data?The gas station employees could identify the individual using the fax. The gas station is not obligated to protect PHI.  HIGH RISK
Factor 3Did the recipient actually acquire or view the PHI?Someone at the gas station actually saw the fax, enough to recognize it was not for them.HIGH RISK
Factor 4To what extent has your organization mitigated the risk?You’re unable to mitigate the risk. The gas station trashed the fax and did not shred it.HIGH RISK

Overall Risk: HIGH

This breach risk assessment concludes that the risk that PHI was compromised is greater than low (it is high). Therefore, the privacy officer will need to send a notification to the patient whose information was compromised.

LEARN MORE: HIPAA Breach Notification: Who, When, and How

Scenario 2: Fax Sent to a Social Security Administration Office

Your clinic accidently sent a fax to a local Social Security Administration office. The fax included a billing summary with the patient’s full name, date of service, and a diagnosis code.  When you contacted the office, they said they’d suspected it was sensitive information, though they didn’t understand the data, and shredded the document within moments of receiving it.

You conduct the breach risk assessment below:

Scenario 2 Breach Risk Assessment

Factor 1What information was involved?Data included the full name, date of service, and a diagnosis code.LOW RISK
Factor 2Who was the unauthorized recipient, and are they obligated to protect the data?The SSN office could identify the patient, but nothing else. The office must also protect personal data under the Privacy Act of 1974.LOW RISK
Factor 3Did the recipient actually acquire or view the PHI?Someone at the office actually viewed the PHI.MEDIUM RISK
Factor 4To what extent has your organization mitigated the risk?The office shredded the fax moments after receiving it.LOW RISK

Overall Risk: LOW

This breach risk assessment concludes that the risk that PHI was compromised is not greater than low. Therefore, the privacy officer does not need to send a notification to the patient.

The Takeaway

Don’t ignore mistakes that may seem common or harmless! When you’re dealing with sensitive patient information, you’re obligated to keep it private and secure. If you or someone at your organization sends a fax to the wrong recipient, the incident should be reported and carefully assessed.

Need a little extra guidance?

Our HIPAA compliance software helps you respond quickly to potential breaches. The integrated Breach Risk Assessment Tool prompts you to analyze the risk to PHI based on the four factors described above.

Screenshot of HIPAAtrek's Breach Risk Assessment Tool

Factors 1 and 2 in the Breach Risk Assessment Tool. Rate all four factors low, medium, or high risk to see your overall level of risk.

After completing the risk assessment, you’ll see whether or not a breach has occurred, as well as your level of risk. If a breach has occurred, you can enter the details and mitigation efforts into a breach log with the click of a button.

Screenshot of a breach risk assessment result

If your risk is greater than low, HIPAAtrek will prompt you to log the breach.

Request a personalized demo of HIPAAtrek or contact us to learn how we can help you create a culture of compliance.

Please share to your communities