Legal Pearls: Misdirected Fax Results in HIPAA Violation
Ann W. Latner, JD, is a freelance writer and attorney based in New York. She was formerly the director of periodicals at the American Pharmacists Association and editor of Pharmacy Times.
It has been close to 15 years since the Health Insurance Portability and Accountability Act (HIPAA)’s privacy rules began to be enforced. The rules provide safeguards to protect the privacy of personal health information and limits on uses and disclosures of this information without the patient’s authorization.
This month we look at how easily a HIPAA violation can happen.
The Scenario
Dr L, age 48 years, was a general practitioner whose practice was thriving. He employed a physician assistant, nurse, and office manager to help run the office.
One morning, the physician got a call from a long-time patient, Mr V, aged 50 years. The patient, who had HIV, had been seeing Dr L for close to a decade. Although he was happy with his medical care from Dr L, the patient’s company was transferring him to another state, and he would be relocating in the next few weeks. He called to ask the physician to fax his medical records to the new physician he had chosen. Dr L wished the patient well and transferred the call back to the office manager, who would be sending the records.
The office manager was extremely busy with multiple tasks, but she sent the fax out later that day. The office did not have personalized fax cover sheets, just sheets that the office manager printed once a week with blank spaces for the “to” and “from” sections. She quickly filled them in and sent the fax out, all the while signing patients in and dealing with billing issues. At the end of the day, she told Dr L that it was done.
The physician didn’t think about it again until a few days later, when the office manager asked to speak to him privately. She was pale and looked stricken, and the doctor asked if she was okay.
“I’m so sorry,” the office manager began. “Mr V just called. He was absolutely furious. He says that we faxed his medical records to his employer rather than his new physician, and that now his company is aware of his HIV status. He is extremely upset.” She took a shaky breath.
“I’m sorry,” she said again, “I was the one who sent the fax out. I must have accidentally written in the wrong number from the file. What should we do?”
The physician began rubbing his head, which was suddenly throbbing, as he tried to figure out how to remedy the situation.
“Okay,” he said, “First we’ll call the patient and apologize. Maybe that will be enough.”
Both the office manager and Dr L got on the phone with the patient, explained what had happened, and apologized profusely for the error. The patient understood that it had been a mistake and had not been done with malicious intent, but he was still angry and unsatisfied, so he reported the incident to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), which enforces HIPAA. An initial review of the incident indicated that it was not criminal, so it was not referred to the Department of Justice (which would prosecute a criminal violation).
Instead, officials from the OCR appeared at Dr L’s office and began a thorough investigation. At the end of the investigation, the OCR issued a letter of warning to the office manager, referred the office staff for HIPAA privacy training, and had the office create fax cover sheets stating that the transmission contains a confidential communication intended for the named recipient only.
HIPAA Enforcement
Enforcement of HIPAA’s Privacy Rule began in April 2003. Since that compliance date, the OCR has received over 167,000 HIPAA complaints (as of October 31, 2017). According to HHS, in over half of those cases OCR determined that the complaint was not eligible for enforcement, for a variety of reasons: OCR lacked jurisdiction, the complaint was withdrawn, or the conduct did not constitute a violation of HIPAA.
Of the complaints that were enforced, over 25,000 cases have been resolved by OCR requiring changes in privacy practices and corrective actions by HIPAA covered entities. (This includes the training and fax cover sheet revisions required of Dr L and his staff.)
In some cases, civil monetary penalties are imposed. HHS reports that to date, OCR has imposed fines totaling close to $73 million.
According to HHS, the two compliance issues most commonly investigated are impermissible uses and disclosures of protected health information and lack of safeguards for protected health information. Physicians and private practices are second only to general hospitals among those who have been required to take corrective action to achieve compliance.
What’s the Take-Home?
This scenario was the result of an unfortunate careless error. Although a careless error could happen to anyone, an error like this could cause irreparable harm to the patient if his employer treats him differently because his protected health information (HIV status) was revealed.
It is essential to treat confidential patient records and information with extreme care, and even more so when the information is of a very personal nature. Several other cases have also dealt with the unintentional disclosure of a patient’s HIV or AIDS status. In one case, for example, a dental practice was reported for using red stickers and the word AIDS on the outside of patient folders. In another case, which took place in a health-system setting, a nurse and an orderly lost their jobs for discussing a patient’s HIV status within earshot of other patients.
Bottom Line: Treat your patient’s personal health information as you would wish yours to be treated, and be particularly careful when dealing with potentially delicate situations.
