Health Information Management

Q&A: PHI faxed to the incorrect phone number

HIM-HIPAA Insider, May 3, 2011

Q: A private individual notified a clinic that he has been receiving faxed protected health information (PHI) pertaining to its patients from sources other than the clinic. His home fax number differs from the clinic by only one number.

This individual has said the clinic has a legal obligation to report the breach. Please clarify. The clinic believes it is not violating HIPAA because another sender faxed the PHI. The individual has not communicated the source of the faxes containing the PHI. The clinic has taken reasonable measures to ensure that staff members who provide its fax number ask senders to repeat the number and to notify them of the likelihood they will be sending faxes to similar numbers.

A: The interim final breach notification rule does not require the clinic to notify patients when another entity or individual faxes their PHI to an unauthorized individual. Responsibility for doing so lies with the entity or individual faxing patient PHI to the wrong number. The clinic appears to be taking reasonable steps to ensure that its fax number is communicated correctly. The clinic also appears to be informing individuals who send it PHI via fax to exercise care to avoid inadvertently sending information to an unauthorized entity or individual. Refer to 45 CFR 164.404.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question in the May issue of Briefings on HIPAA.
