How a simple fax can cost you a HIPAA Violation – and 3 easy steps to protect yourself.

June 9, 2014

As you should know, HIPAA security and privacy practices must be followed without exception. According to a recent article posted in Renal & Urology News, a fax containing medical information was sent to the patient’s employer instead of his doctor. The patient had HIV and now his employer knew.

The patient was very upset and notified the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) about the Organization’s violation. In addition, HHS and OCR launched an investigation. According to the article, after a thorough investigation, OCR issued a letter of warning to the office manager, referred the office staff for HIPAA privacy and security training, and had the office revise their fax cover sheets to underscore that they contain confidential communication for the intended recipient only. This firm was lucky: penalties could have been up to $1.5 million per violation.

In this particular case, the Practice recognized their mistake and immediately tried to take corrective action. The Organization voluntarily agreed to extra compliance training for the staff and to a change in their faxing procedures to indicate that the faxed materials are confidential.

In this scenario, the HIPAA violation was the result of a careless error. Although careless errors can happen to anyone, one such as this could cause irreparable harm to the patient if his employer now views or treats him differently because of the new knowledge of his HIV-positive status. It could also destroy the Organization’s reputation, put them out of business with fines they cannot pay, or even result in jail time. With proper training, policies, and documentation, issues like this can be reduced.

Practical Advice

Protect Yourself with 3 easy steps

The following steps can be taken to help protect your Organization from fax-related issues.

  1. Procedures should always be followed to ensure that correct transmission of faxes and their receipt by the intended recipient are confirmed.
  2. When sending case/patient-related information outside of your facility, always use a fax cover sheet for additional PHI protection.
  3. The fax cover page must contain at least:
    1. A clear indication of confidentiality (for example, a large title stating “Confidential Health Information Enclosed.”)
    2. The current date and time of the fax being sent.
    3. Sender’s name/organization name, title (if relevant), mailing address, phone number, and return fax number.
    4. The name, telephone number, and (intended) fax number of the authorized recipient you are sending information to.
    5. Necessary information about verification of receipt of the fax.
    6. The number of pages being transmitted.

Follow your common sense, too: treat a patient’s confidential information as securely as you would want yours to be treated, and then add a little extra security on top for good measure!
