Recently, a client called in requesting clarification of whether they had violated the HIPAA Privacy Rule by faxing protected health information (PHI). The following was their scenario and our answer:
Scenario: Last week, a private individual notified a clinic that he has been receiving faxed PHI pertaining to the clinic's patients from sources other than the clinic. His home fax number differs from the clinic's by only one digit. The individual has said the clinic has a legal obligation to report the breach. The clinic believes it is not violating HIPAA because another sender faxed the PHI. The individual has not disclosed the source of the faxes containing the PHI. The clinic has taken reasonable measures to ensure that staff members who give out its fax number ask senders to repeat the number back and warn them of the likelihood of misdirecting faxes to similar numbers.
Answer: The interim final breach notification rule does not require the clinic to notify patients when another entity or individual faxes their PHI to an unauthorized individual. Responsibility for notification lies with the entity or individual that faxed patient PHI to the wrong number. The clinic appears to be taking reasonable steps to ensure that its fax number is communicated correctly. The clinic also appears to be informing those who send it PHI via fax to exercise care so they do not inadvertently send information to an unauthorized entity or individual.