As you should know, HIPAA security and privacy practices must be followed without exception. According to a recent article in Renal & Urology News, a fax containing medical information was sent to the patient's employer instead of his doctor. The patient had HIV, and now his employer knew.
The patient was very upset and notified the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) about the Organization's violation. HHS and OCR subsequently launched an investigation. According to the article, after a thorough investigation, OCR issued a letter of warning to the office manager, referred the office staff for HIPAA privacy and security training, and had the office revise their fax cover sheets to underscore that they contain confidential communication for the intended recipient only. This firm was lucky, as penalties could currently be up to $1.5 million per violation.
In this particular case, the Practice recognized their mistake and immediately tried to take corrective action. The Organization voluntarily agreed to extra compliance training for the staff and to a change in their faxing procedures to indicate that the faxed materials are confidential.
In this scenario the HIPAA violation was the result of a careless error. Although careless errors can happen to anyone, one such as this could cause irreparable harm to the patient if his employer now views or treats him differently because of the new knowledge of his HIV-positive status. It could also destroy the Organization's reputation, put them out of business with fines they cannot pay, or even result in jail time. With proper training, policies, and documentation, issues like this can be reduced.
Protect Yourself with 3 easy steps
The following steps can be taken to help protect your Organization from fax-related issues.
- Procedures should always be followed to ensure that faxes are transmitted correctly and that receipt by the intended recipient is confirmed.
- A fax cover sheet should always be utilized when faxing patient information outside the Organization.
- A Confidential Fax Coversheet should be used to provide extra protection for PHI and demonstrate your due diligence in this area. At a minimum, the coversheet should contain:
  - The title, in bold: “Confidential Health Information Enclosed.”
  - Date and time of the fax
  - Sender’s name, address, telephone number and fax number
  - The authorized recipient’s name, telephone number and fax number
  - Number of pages transmitted
  - Information regarding verification of receipt of the fax.
A good rule of thumb to follow is to treat a patient’s confidential information as you would want yours to be treated, and then add a little extra security for good measure.