An Ohio resident recently told local news that she has been receiving faxes from a local hospital for the past year.
The problem? The faxes, which contained medical information for another individual, were not meant for her. The faxes included another individual's weight, diagnoses and medication information.
The recipient of the faxes told the media she tried notifying the hospital of the misdirected faxes several times. She says she called the number on the faxes, as well as the hospital's main phone number - and faxed the hospital - but the faxes continued.
After ABC 6 On Your Side contacted the hospital, the hospital audited fax logs and identified that "three faxes were sent to the individual in error due to a transposed fax number in one patient's record."
The hospital notified the patient and apologized - and the woman who received the faxes in error shredded them. But the story still appeared in local news and made its way into the HIPAA blogosphere.
Transposing a fax number is an honest mistake - one many of us can sympathize with. Still, the stakes are high in today's world of record HIPAA enforcement and high patient expectations of privacy.
This is certainly not the first time a misdirected fax landed a provider in the headlines.
In 2014, the OCR received a complaint alleging that a health center disclosed sensitive PHI, including a patient’s HIV status, treatment information, STDs, medications, sexual orientation, mental health diagnosis and physical abuse. The provider paid a $387,200 fine, and entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations.
The OCR investigation found that the health center faxed one patient's PHI to the patient's employer, and faxed another patient's PHI to an office where that patient volunteered. The OCR stated that the health center failed to reasonably safeguard the PHI from "intentional and unintentional disclosure."
What can you do?
Include faxes in your new-employee training, annual HIPAA training, and ongoing HIPAA updates. Make sure staff understand that when it comes to faxes, HIPAA violations are almost always unintentional. Establish faxing protocols to minimize errors. Address faxes in your HIPAA security risk analysis, and include fax protocols in your HIPAA walk-through audits. Finally, if you do have a misdirected fax, your investigation will be a lot easier if you can pull fax logs, as the Ohio hospital in the first example did.