A New York man filed a $2.5 million negligence suit against a hospital after it “carelessly faxed his medical records to his office mailroom,” revealing that he was living with HIV. See the New York Daily News’ report.

The man specifically asked the provider to mail the documents to a post office box. Instead, the hospital faxed them to his workplace, where the files were circulated before reaching him. The hospital paid a $387,000 fine to HHS, but refuses to settle this private action.

I never recommend traditional faxing when transmitting any protected health information (PHI). Use eFax options instead, many of which are certified HIPAA-compliant. When signing up with a HIPAA-compliant e-faxing service, ask for a Business Associate Agreement, which can often be downloaded from the provider's website. HIPAA-secure eFaxing works like email: you pick up a fax by connecting to a secure website. Similarly, you send e-faxes from your email to a special HIPAA-compliant email address.

If you still prefer traditional faxing, follow HIPAA guidelines and go the extra mile to ensure secure receipt and delivery. HHS, for example, recommends preprogramming frequently used numbers to avoid misdirecting the information.

If using traditional faxing, make sure that all personnel know the proper procedures for transmitting PHI, such as:

  • attaching a cover sheet identifying the sender and recipient. The cover page should state that the fax may contain information that is confidential or privileged. It should also state that: “If you are not the intended recipient, or you are not the employee responsible for delivering the facsimile for the intended recipient, you are hereby notified that any dissemination, distribution or copying of this facsimile is strictly prohibited. If you have received this facsimile in error, please notify the sender immediately.”
  • confirming that the receiving fax machine is in a secure area or that the intended recipient is waiting by the fax machine to receive the transmission.
  • verifying the fax confirmation sheet and retaining it with the transmitted records.

And remember, sensitive PHI – such as HIV results – should never be sent by fax!

For further Administrative Data Standards, see the Code of Federal Regulations.