Health Information Compliance Alert

Security:

Are Your Faxes Accidents Waiting To Happen?

Send the right messages with these simple tips.

Faxing: You do it every day -- but can you really be sure the number you just punched into your machine will reach its intended recipient? Errant faxes containing patients' PHI occur much more frequently than you may think. Following these tips will ensure your staff are sending the right messages:


Get Your Policy In Gear

First, make sure your organization has drawn up documented policies and processes detailing how faxes that contain protected health information are to be sent, and be sure to have your staff sign whatever policy you write.

Important: Create an auditable trail to keep track of when physicians migrate to different offices (and, hence, to different fax numbers). An auditable fax log is a great document to have in the event that an unauthorized disclosure occurs -- say, if PHI is faxed to an incorrect location, notes Fred Langston, senior principal consultant with Guardent in Seattle.

The fax log could be as simple as a sheet of paper placed next to your fax machine that includes the number, date and time the fax was transmitted. Make certain that your fax policy describes the way in which the fax log is used, Langston advises.

Verify the number: Langston says having a procedure that verifies a physician's (or other recipient's) current location prior to sending your fax is the best action you can take to ensure a secure transmission.

But just how should you perform this verification? Call and verify the fax number personally prior to faxing any PHI, says Sharon Budman, University of Miami privacy ombudsman. She says it's up to the person sending the fax to verify the number is correct.


Cover Yourself With A Cover Sheet

Budman says the university has a fax cover sheet that contains specific disclaimers. The cover sheet should include both receiver and sender information, contain a space for "special instructions" and include a "notice of disclosure" and a statement that the fax is intended only for the designated recipient named above.


Place Machines In Secure Locations

Prior to the creation of HIPAA, Budman says it was not uncommon to find fax machines in locations you would never think of, such as your waiting room areas. Now that's all changed, she claims. "The regulation requires that fax machines be located in secure areas now. For example, they should not be in open waiting areas or located in a hallway so that anyone could walk up to the fax machine and pull the data from it."


Train Your Personnel

Sure, faxing seems easy enough to do, but remember: One unauthorized disclosure of PHI could result in an enforceable offense for your organization.

Budman says the university makes an effort to train its entire staff -- that includes temporary employees -- how to send faxes properly. "They need to [know how to] verify the number, they need to use a cover sheet before they fax the information and they need also to have proper authorization to fax, if applicable," she notes.

The university has HIPAA liaisons in each one of its clinical departments, and each liaison is responsible for the coordination of training with the privacy office for all of their employees, says Budman.


Resolve Errors Quickly, Quietly

Accidents happen, and not addressing them quickly and efficiently is not only bad policy, but could also add salt to compliance-related wounds. If an incident occurs in which PHI is wrongfully disclosed, your sanctions policy -- and, incidentally, you're required to implement one under HIPAA -- will help to resolve staff errors or misconduct.

At risk for penalties: "With policies and procedures that are not followed, the employee and the divisional area are certainly subject to remediation in training. HIPAA dictates that covered entities have sanction policies on how to handle workforce employees who do not follow policy or uphold the law," says Budman.

Remember: If a wrongful disclosure does occur, it's not necessary in every situation to inform the patient of your mistake. You don't want to needlessly anger a patient if your error can be resolved with no harm done.

If a disclosure of PHI is made, you want to do the best thing possible to protect the patient, but it depends on what was sent and who it was sent to. If you know to whom it was sent and you get [the document] back, get it back. If you don't know to whom it was sent, or you can't track it down and it contains sensitive medical information (e.g., HIV results), then you may need to notify the patient, in order to mitigate the damage.

Check your state law about appropriate notification procedures for certain test results, says Barb Cluster, compliance auditor at Greene Memorial Hospital Inc. in Xenia, OH.