Health Information Management

HIPAA Q&A: You’ve got questions. We’ve got answers!

HIM-HIPAA Insider, July 14, 2014

Submit your HIPAA questions to Editor Jaclyn Fitzgerald at and we will work with our experts to provide you with the information you need.

Q: Is an organization required to notify a patient of a misdirected fax containing his or her PHI?
A: It depends on the circumstances. For every incident, the covered entity (CE) is required to conduct a breach assessment to determine whether the information is compromised and whether mitigation has occurred. This includes determining whether it was an unintentional disclosure from one workforce member/BA to another.
CEs must also determine whether there is a chance the recipient could have read and retained the information.
Some organizations have determined after risk assessments that if the recipient of a fax is a CE, and is therefore also legally obligated to protect PHI, the incident is not reportable. However, each circumstance is different.
For example, if a recipient knows the patient, this could sway toward notification, as would the presence of sensitive information. If a recipient notifies your organization and destroys or returns the PHI, you might decide that the PHI was not compromised and notification is not necessary.
Documenting your analysis and reasons for determining whether the patient and HHS must be notified about the misdirected fax is essential.
Editor’s note: Chris Simons, MS, RHIA, director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing newsletter.
