Have you ever sent a fax to the wrong recipient? This is a common error. Besides frustrating, a misdirected fax can also be harmful. As a healthcare organization, you must comply with the HIPAA Privacy Rule, which means sending a fax to the wrong recipient could be a breach.
Is a Misdirected Fax a Privacy Breach?
If the fax contained a patient’s protected health information (PHI), then sending it to the wrong recipient means you’ve disclosed the PHI to someone who isn’t authorized to see it. According to HIPAA, the fax in this case is an impermissible disclosure (i.e. not allowed by the Privacy Rule). You should assume any impermissible disclosure of patient data is a privacy breach until proven otherwise.
So, what should you or your staff do when a fax is sent in error? Any impermissible disclosure of patient information should be reported to your privacy officer (or you, if you’re the privacy officer). Make sure your team knows their responsibility to report possible breaches.
To see whether or not the misdirected fax was a breach, the privacy officer needs to conduct a breach risk assessment. A breach risk assessment also reveals the severity of a breach based on four factors.
LEARN MORE: What is a Four-Factor Breach Risk Assessment?
Let’s look at two common misdirected fax scenarios and what you may find on a breach risk assessment.
Scenario 1: Fax Sent to a Gas Station
Your clinic accidently sent a fax to a local gas station. The fax included a surgical summary with the patient’s full name, DOB, phone number, address, and diagnosis. When you contacted the gas station, they said they’d thrown the fax in the trash can yesterday.
You conduct a breach risk assessment and determine whether the risk is low, medium, or high in each of the four following categories:
Scenario 1 Breach Risk Assessment
| Factor 1 | What information was involved? | Data included the patient’s diagnosis as well as demographic information (DOB, full name, and address). | HIGH RISK |
| Factor 2 | Who was the unauthorized recipient, and are they obligated to protect the data? | The gas station employees could identify the individual using the fax. The gas station is not obligated to protect PHI. | HIGH RISK |
| Factor 3 | Did the recipient actually acquire or view the PHI? | Someone at the gas station actually saw the fax, enough to recognize it was not for them. | HIGH RISK |
| Factor 4 | To what extent has your organization mitigated the risk? | You’re unable to mitigate the risk. The gas station trashed the fax and did not shred it. | HIGH RISK |
Overall Risk: HIGH
This breach risk assessment concludes that the risk that PHI was compromised is greater than low (it is high). Therefore, the privacy officer will need to send a notification to the patient whose information was compromised.
LEARN MORE: HIPAA Breach Notification: Who, When, and How
Scenario 2: Fax Sent to a Social Security Administration Office
Your clinic accidently sent a fax to a local Social Security Administration office. The fax included a billing summary with the patient’s full name, date of service, and a diagnosis code. When you contacted the office, they said they’d suspected it was sensitive information, though they didn’t understand the data, and shredded the document within moments of receiving it.
You conduct the breach risk assessment below:
Scenario 2 Breach Risk Assessment
| Factor 1 | What information was involved? | Data included the full name, date of service, and a diagnosis code. | LOW RISK |
| Factor 2 | Who was the unauthorized recipient, and are they obligated to protect the data? | The SSN office could identify the patient, but nothing else. The office must also protect personal data under the Privacy Act of 1974. | LOW RISK |
| Factor 3 | Did the recipient actually acquire or view the PHI? | Someone at the office actually viewed the PHI. | MEDIUM RISK |
| Factor 4 | To what extent has your organization mitigated the risk? | The office shredded the fax moments after receiving it. | LOW RISK |
Overall Risk: LOW
This breach risk assessment concludes that the risk that PHI was compromised is not greater than low. Therefore, the privacy officer does not need to send a notification to the patient.
Go back to basics with our PHI Decision Tree!
This simple cheat sheet makes it easy to recognize when you’re interacting with protected health information.
The Takeaway
Don’t ignore mistakes that may seem common or harmless! When you’re dealing with sensitive patient information, you’re obligated to keep it private and secure. If you or someone at your organization sends a fax to the wrong recipient, the incident should be reported and carefully assessed.
Need a little extra guidance?
Our HIPAA compliance software helps you respond quickly to potential breaches. The integrated Breach Risk Assessment Tool prompts you to analyze the risk to PHI based on the four factors described above.
After completing the risk assessment, you’ll see whether or not a breach has occurred, as well as your level of risk. If a breach has occurred, you can enter the details and mitigation efforts into a breach log with the click of a button.
Request a personalized demo of HIPAAtrek or contact us to learn how we can help you create a culture of compliance.
