We have received some recent inquiries from offices regarding the following question:
If a patient's results go to a physician who is not providing direct or indirect treatment to the patient, this would be considered an incident involving an unauthorized disclosure, and as many of you know, would be considered a HIPAA violation. The good news is that (in the example above) since both physicians would also be considered covered entities, they too are bound to comply with the HIPAA regulations, so the risk of harm to the patient would be in the low to extremely low range.
Thus, you would need to record this in the accounting of disclosures database or tracking mechanism (Disclosure Log) for this patient. Other than that, you are good to go, and hopefully whatever caused the mix-up can be chalked up to a good lesson learned without too much pain.