In Canada (where privacy laws are similar to HIPAA), a man requested his surgery records, and soon received a package in the mail from the hospital. When he opened the package, however, he did not find his surgery records—he found another man’s autopsy.
The man contacted the hospital, but claims he did not receive an immediate response. He claims he was later asked to bring the package to the hospital. He ended up mailing the documents back to the hospital. The hospital stated that the documents were not returned.
That same week, a woman received test results for four other people by courier from the same hospital. The test results were in sealed envelopes, addressed to four different women. The woman who received the package called the hospital, which asked her to return the documents - a challenging task for the woman, who lives outside the city and does not drive. The hospital then suggested she bring the letters to a local health center or put the letters in a cab.
Frustrated, the woman went on Facebook to try to find the woman whose test results she received. Then, the local news got involved, and this story made its way into the HIPAA blogosphere.
What you can do
We can likely all agree these were missed opportunities for the hospital.
Train all staff who could receive reports of misdirected PHI, particularly anyone answering phones (such as receptionists and people working in medical records departments). Make sure these calls are handled courteously, and that the caller is kept on the line until the Privacy Officer or another appropriate party gets on the phone to resolve the issue. Avoid taking a message if at all possible. Keep in mind that your reaction to these reports could mitigate a breach, or create a second breach. It might be necessary to drive to someone's house to retrieve a document - and it might be worth it.