Kathryn Ellis received numerous personal medical records and prescriptions over her fax machine. Was Kathryn Ellis a doctor? No. A pharmacist? No. She is simply an individual who, upon checking her home fax machine, came across medical records that contained highly sensitive data including: a female patient’s name, social security number, birthday, prescription drug and personal medical and family histories. After notifying the doctor’s office of the fax number error, she continued to receive faxes – until she reported the incidents to her Senator. Could this happen in your health care practice?
For a while, no one was sure if faxes were covered under the proposed privacy regulation. Now, a final ruling makes it clear. Faxes are covered just like every other form of communication containing protected information. Once they know protected information is involved, doctors and their staff must do everything possible to protect it.
Faxing has confidentiality risks you should be aware of. The most obvious of these is that information unintentionally can be sent to the wrong phone number. Outdated programmed phone numbers, incorrectly typed fax numbers and erroneously entered fax numbers are all ways that medical records can arrive at another location.
Protecting information goes beyond your fax machine, too. If medical information is faxed to an unsecured machine, people who are not authorized to see the information may have access to it. Staff should get in the practice of phoning ahead to notify the recipient that s(he) is about to receive a fax. Consider putting your office fax machine in an area where only those authorized to see medical information can access it.
The following 20 steps may be adapted for use as part of your practice’s policies and procedures related to the transmission of personal health information by fax:
1. Designated Fax – Securing a designated fax machine for transmitting and receiving faxes containing protected information shows you have implemented enhanced procedures for handling personal health information. This also can alleviate clerical errors.
2. Restrict Access – As mentioned earlier, locating a fax machine in an area with either restricted access or lower traffic may limit unauthorized access to personal records.
3. Limit Faxing – Consider implementing the practice of faxing only in urgent or non-routine instances when mail or other delivery is not feasible.
4. Secure Authorization – Ensure you’ve received proper authorization, as required by law, to transmit or receive medical information via fax.
5. Be Selective – If possible, prohibit faxing sensitive health information regarding: mental health, chemical dependency, sexually transmitted diseases, HIV or any other highly personal information.
6. Schedule Faxes – When sending a fax, call the recipient to notify him/her so s(he) can personally retrieve it. If you are expecting a fax containing personal health information, ask the sender to call you so you may promptly retrieve the fax upon arrival.
7. Quickly Process Incoming Faxes – In situations where a high volume of faxes containing personal health information is received, designate employees authorized to handle personal health information to empty fax trays and disseminate their contents to the appropriate parties. Specify set intervals for this activity to take place (e.g., every 15 or 30 minutes).
8. Secure Documents – As with other personal health information that arrives in the mail or by other means, ensure faxes containing personal health information are placed in a secure/confidential place when they are delivered, and not (for example) left in an in-box that is in full view of passersby.
9. Verify Phone Numbers – Confirm the accuracy of fax numbers (and security of recipient machines) by calling the intended recipients to double-check phone numbers and verify the security of fax machines. Notify the receiving office that the fax is on the way, and request verification of its receipt. Do not rely on fax numbers listed in directories and provided by persons other than the recipient.
10. Establish Procedures – In instances where faxes are regularly sent to the same recipients, program these fax numbers into your machine’s speed-dial memory. Institute a set procedure whereby programmed numbers are tested at regular intervals (e.g., weekly or monthly).
11. Confirm Fax Transmittals – Make sure your fax machine prints a confirmation for each outgoing transmission and require machine operators to (a) make sure the intended destination matches the number on the confirmation, and (b) staple the confirmation to the document that was faxed.
12. Take Appropriate Action – Ensure improperly faxed documents are either immediately returned or destroyed by the recipient. Document that the fax was misrouted, and take (as well as document) steps to prevent reoccurring errors.
13. Develop a System – Develop a well-organized system to maintain (for specified periods of time) personal health information that is faxed. Document the time and date of the transmittal or re-transmittal, the intended recipient, its contents, and the fax number at which it was confirmed to have been received.
14. Require Secured Fax Machines – Include in your business associate agreements or two-way covered entity agreements provisions requiring organizations that will receive your faxes to place their fax machines in secured areas.
15. Secure and Shred – Ensure all documents containing personal health information are handled and stored in a secure manner, and shredded when they have outlived their usefulness.
16. Train and Retrain – For new employees, provide immediate training on your organization’s policies and procedures for using the fax machine to transmit and receive personal health information, and periodically retrain existing employees.
17. Develop a Confidential Fax Coversheet – A confidential fax coversheet may provide extra protection for personal health information while demonstrating your due diligence in this area. The headline of the coversheet should state in large, bold type, “Confidential Health Information Enclosed.” Beneath this headline, include a statement such as: Health care information is personal and sensitive information related to an individual’s health care. It is being faxed to you after appropriate authorization from the patient or under circumstances that don’t require patient authorization. You, the recipient, are obligated to handle and maintain it in a safe, secure and confidential manner. Re-disclosure without additional patient consent or as permitted by law is prohibited. Unauthorized re-disclosure or failure to maintain confidentiality could subject you to penalties described in federal and state law.
18. Provide a Warning – At the bottom of the fax coversheet, include a warning such as: IMPORTANT WARNING: This message is intended for use by the person or entity to whom it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this information is STRICTLY PROHIBITED. If you have received this message in error, please notify us immediately and destroy the related message.
19. Include Coversheet Basics – In addition to the warnings described in numbers 17 and 18 above, make sure the fax coversheet contains standard information including:
    - Date and time of the fax;
    - Sender’s name, address, telephone number and fax number;
    - The authorized recipient’s name, telephone and fax number;
    - Number of pages transmitted; and
    - Information regarding verification of receipt of the fax.
20. Document, Document, Document – Putting all of the above practices in place works as evidence of your efforts to safeguard protected health information.
As with any compliance issue, documenting the steps you’ve taken to abide by federal guidelines is paramount. These steps are provided to assist you in developing your practice’s procedures that one day may serve as evidence of your due diligence. If you have any questions regarding any of these steps, please give us a call.