Health Information Management

Q&A: Does a faxing error need to be included in an accounting of disclosures?

HIM-HIPAA Insider, October 25, 2011

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Q: A fax containing protected health information (PHI) is sent to an incorrect fax number. Did the covered entity (CE) or business ­associate (BA) violate HIPAA? Must the patient disclosure accounting record include this incident?

A: Faxing PHI to a wrong number is a disclosure of PHI not authorized by the patient that must be included in the patient disclosure accounting.
 
This incident represents a breach of unsecure PHI. If the CE determines that faxing the PHI to a wrong number will likely cause significant harm to the patient, it must notify the patient, add the breach-related information to its breach log, and report the breach to the Office of Civil Rights within 60 days of the end of the calendar year.
 
Note that if a CE or BA has implemented appropriate security controls to reasonably ensure PHI is not inappropriately disclosed and has implemented appropriate incident response practices (including breach notification policies, procedures, and practices), it is likely no HIPAA violation occurred.
 
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered the previous question in the October issue of Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular