Q&A: Notifying patients after a faxing mistake

Compliance Monitor, August 5, 2009

Q: A secretary in our pathology department faxed a report to a physician’s office. After dialing, she realized the last two digits of the fax number were incorrect and tried unsuccessfully to stop the fax. An attorney’s office received the fax and called to notify us. Must we contact patients and inform them when something like this occurs?

A: If the fax included the patient’s Social Security number, you probably need to inform the patient. Otherwise, no legal requirement to notify the patient currently exists. This will change August 18, when the new national breach notification requirements become effective (part of the American Recovery and Reinvestment Act, Title XIII, Subpart D).

After August 18, you must notify patients in the manner described in the new statute, maintain a breach log that includes all breaches involving fewer than 500 patients, report any breaches involving 500 individuals or more at the time of the breach to HHS, and forward a copy of the breach log to HHS at the end of each year.

Although the current law does not require you to inform the patient, doing so is a good idea because it:
  • Demonstrates a good-faith effort to inform the patient when information is inappropriately disclosed
  • Demonstrates due diligence
  • Promotes trust in your organization (learning about an inappropriate release of information or breach from you is preferable to learning about it from a news organization or other media)
  • Helps limit your legal risk

I advise you to notify the patient even though the law does not require you to do so (unless the fax included a Social Security number).

Chris Apgar, CISSP, answered this question in the August 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.