Health Information Management

HIPAA Q&A: Faxes to wrong number

HIM-HIPAA Insider, October 3, 2011

Q. A fax containing PHI is sent to an incorrect fax number. Did the covered entity (CE) or business associate (BA) violate HIPAA? Must we include this incident in the patient disclosure accounting record?

A. Faxing PHI to a wrong number is a disclosure of PHI not authorized by the patient and must be included in the patient disclosure accounting. This incident represents a breach of unsecure PHI. If the CE determines that faxing the PHI to a wrong number will likely cause significant harm to the patient, it must notify the patient, add the breach-related information to its breach log, and report the breach to OCR within 60 days of the end of the calendar year.

If a CE or BA has implemented appropriate security controls to reasonably ensure PHI is not inappropriately disclosed and has implemented appropriate incident response practices (including breach notification policies, procedures, and practices), it is likely no HIPAA violation occurred.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. He has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.

