Fax mishap leads to HIPAA breach

Better practices 'would have prevented the error from occurring,' official says

This story has been updated. 

Faxing confidential patient health data has its own set of privacy issues, as the Oakland, Calif.-based WestCoast Children's Clinic can attest. The clinic has notified patients of a HIPAA breach after it faxed a patient's protected health information to an incorrect fax number.

PHI compromised in the April 16 incident included the patient's name, date of birth, developmental and psychological treatment history, family history, educational history, testing results and prescribed treatment, according to an April 22 letter mailed to the patient.
 
"While any breach is too many, the scope of our breach only involved one client," wrote Kelley Gin, director of clinical services and privacy officer at WestCoast Children's Clinic, in an emailed statement to Healthcare IT News. "And we are now aware that we were not obligated to report the breach via the OAG since the breach was restricted to one patient," he added. 
 
"The error resulted from an incorrect fax number entered onto the fax cover sheet (the intended number ended in 0842, while the unintended number ended in 0843)," wrote Gin in the patient letter. "The unintended recipient notified the sender of the information that the fax was incorrectly delivered and the unintended recipient acknowledged that the fax was shredded. The fax was then correctly delivered."
 
In the letter, he explained that the clinic has reviewed company procedures surrounding the fax incident and found "practices would have prevented the error from occurring and that the employee did not fully follow the prescribed practice that includes verifying the fax number with the intended recipient and informing the recipient that the fax was sent." According to the letter, the employee will face disciplinary action.
 
Since the August 2009 Breach Notification rule began requiring HIPAA-covered entities to provide notification following a breach involving more than 500 individuals, nearly 4 million patients in California have had their protected health information compromised.
 
According to Office for Civil Rights Director Leon Rodriguez, some 65,000 breach reports have been filed with the OCR since 2009, resulting in more than $15 million of enforcement activity. 
 
“The real purpose of breach notification is for covered entities to identify the vulnerabilities that resulted in the breach, (and) remedy those vulnerabilities in an immediate and decisive manner,” said Rodriguez, speaking at the 2013 HIMSS Annual Conference and Exhibition this past March. “And also for us to learn from those breach reports where those vulnerabilities are.”