Confidentiality, Privacy and Security

Misdirected Fax

  • 1.  Misdirected Fax

    Posted 06-20-2019 14:33
    Good afternoon,

    I have seen several discussions about this topic, but I couldn't find one specific to a situation we are experiencing.  Our registration department entered in the wrong physician in the system resulting in the operative report being automatically faxed to the wrong surgeon.  The surgeon has privileges at our hospital but is not employed by us.

    I do not necessarily think this is a breach since we are both covered entities and the information was either returned or destroyed, especially after reviewing CMS guidelines, but I wanted to make sure.  The risk of disclosure was minimal.

     Thank you!
    Jesse Floyd

    Jesse Floyd, RHIA

  • 2.  RE: Misdirected Fax

    Posted 06-20-2019 15:35
    If after doing a risk assessment you determine that the risk in minimal or the probability of exposure to the patient is low then you can document the issue and why you feel it is not a breach and be done with it.

    Thanks Kris

    Kris Lundell MBA,  CIPP/US, CiPT, CHP, CHPS, HCISPP
    Privacy and Security Consultants LLC

  • 3.  RE: Misdirected Fax

    Posted 06-20-2019 20:40
    I agree. Though it is a violation the risk is low and wouldn’t be a breach.

    Thank you,

  • 4.  RE: Misdirected Fax

    Posted 06-21-2019 07:46
    ​Since this physician is on your Medical Staff, you do not have to consider this a breach - employment doesn't factor in.....if the physician was not on your Medical Staff, it would be considered a breach........

    Wendy Mangin
    Executive Project Director
    Good Samaritan

  • 5.  RE: Misdirected Fax

    Posted 06-21-2019 10:41
    We would not consider this a breach.  It went to another CE who returned or destroyed.  We would complete a breach risk analysis just to formally record our decision.

    Kathryn Boyes
    Director, HIM

  • 6.  RE: Misdirected Fax

    Posted 06-21-2019 14:24
    With any privacy incident, you would start with the default of it being a breach.  Review against the exclusion list, and if it meets an exclusion, it would be not be considered a breach.  These exclusions are very specific.

    If it does not meet an exclusion, it is a breach but through your risk assessment, may be of low enough risk that you can justify not providing patient notification of the breach.   Your review process would determine how you would respond to different risk assessment outcomes.

    Marianne Dailey, RHIA, CHP, CPHQ
    Director Him & Privacy Officer

  • 7.  RE: Misdirected Fax

    Posted 06-21-2019 14:39
    Does anyone have an exclusion list they could share?

    Ta-Tanisha Ingram, MSM, RHIA, CHPS

  • 8.  RE: Misdirected Fax

    Posted 06-21-2019 16:11
    It falls under the exception, however if this is an issue then I would have some training with the staff. You got lucky this time next time may not be so luck.

    Casey Bastemeyer
    Lead HIPAA & Coding Compliance Partner
    Ensign Group

  • 9.  RE: Misdirected Fax

    Posted 06-26-2019 00:39
    Thank you all for your responses.  I forwarded them to the Privacy Officer and Compliance Officer.  I appreciate everyone's input!

    Jesse Floyd, RHIA