Who's At Fault In Faxing Confidential Data To The Wrong Place?
from the blame-the-all-thumb-faxers dept
While losing backup tapes may not be as big a risk as other types of data loss, what do you do when doctors are simply faxing tons of confidential patient data to the wrong fax machine? A small company that has a fax number one digit off from a major insurer’s fax number has been dealing with that issue. They were notifying the mis-faxers, but that’s become a full-time job that they can’t afford any more. They offered to sell the number to the insurer, setting an amount that would cover their own ability to publicize a new fax number, but the insurer isn’t interested, saying (accurately) that it isn’t really their fault this is happening. That’s fundamentally true, as it’s the typo-dialing doctors who are the problem — but it doesn’t solve the problem, which is that plenty of confidential info is rolling off the fax machine of a company that shouldn’t be receiving it.
Comments on “Who's At Fault In Faxing Confidential Data To The Wrong Place?”
Me, too.
We are a medical software vendor, and our fax number is in nearly all our accounts’ fax quick-dialers. We get at least one fax a day from clinics who THINK they’re sending to someone else. That gets a little much sometimes when we have to waste a phone call telling them what they’ve done…
Re: Me, too.
Same here.. I get 4-5 faxes a year with people’s prescriptions on them. Thus far we’ve always called the pharmacy and they’ve been grateful, but this is really stupid.
Re: Me, too.
Isn’t there a junk fax law that would be relevant here? In addition to everything else, the sending Dr. office is wasting the paper and toner of the small company that really doesn’t want the faxes.
They need to make a couple of calls
Take a couple of the faxes and call the people whose information they have received.
Explain to them that they really didn’t want to receive their private health information and that in fact them receiving the information was a violation of HIPAA.
Tell them that the insurance company has chosen not to prevent the situation, even though they could. And that their doctor doesn’t pay enough attention to detail to dial the right fax number.
Explain to them that if they care about their privacy they should contact the Chief Privacy Officer of the insurance company, as well as the doctor’s office / hospital and discuss it with them.
I’m sure the faxes would quickly stop.
Re: They need to make a couple of calls
I used to have a security awareness company set up that dealt with this exact type of issue and you outline a very good method of doing so.
Of course I’d have the person, whose information was so haphazardly thrown around, take this info to an attorney and place a lawsuit accordingly for HIPAA violations.
We’ve already seen a medical billing company take a “network administrator” (I personally think the idiot rode the short bus to school) to court over directly connecting the company’s machines to the internet without any firewall or security checks beyond a Belkin(tm) router. I’m guessing you know how this turned out… 25,000 people’s info was suddenly not-so-private.
And to think that some of my friends say I’m too paranoid.
Re: They need to make a couple of calls
We’ve been receiving fax calls on our “toll free” voice line for two months now. When diverted to our fax machine we get pages of confidential data including name, address, employment details, social security numbers, medical conditions, insurance policy numbers etc… Our number was given out “by mistake” to healthcare providers and at one point we were receiving 50 calls AN HOUR!! We were told it would be sorted within days – but it is still persisting. We are a small business and cannot afford the time to answer the phone (and we’re paying for the calls!) But we have our hands tied by a confidentiality agreement we had to sign in order to have our costs reimbursed… On reflection we’ve been taken for a ride but because of fear of legal reprisal we cannot report this company to make the faxes stop.
No Subject Given
I don’t know that I’d clear the insurer so quickly. With that many faxes showing up at this particular number I’d bet the insurer mis-printed the number in a few places.
Re: No Subject Given
I had a fax number one off from a vet office. There was one laboratory that would (at least once weekly) send me the results of blood tests and other things for different pets. At first I tried to sort it out. I called both places and spoke to the right people – but that didn’t work.
Finally I started writing comments on the form like “i’m only a software engineer but it doesn’t look good for fluffy. I think we will have to put him down.” and fax it to both parties.
Eventually it did stop – not because they fixed the problem, but because I switched to Vonage and had to change my fax number.
Hmm... Local news...
I read this a few days ago, and it seems that the insurance company just refuses to do anything about something that is obviously their problem. Being small-town folks they refuse to just let the faxes pile up. So therein lies the dilemma, either this small company has to act like jerks or the big company has to get their ass in gear and fix the problem.
Not gonna happen, I would honestly just start writing the insurance company and prodding them into getting their act together.
No Subject Given
Unfortunately most parties involved in this kind of thing believe that if they stick a confidentiality blurb on the fax somewhere they are covered.
MMM... the future
Hospitals all around the world are beginning to use instant messaging programs with scanner plug ins over faxing… Fax has become outdated, obsolete, and will soon be replaced 🙂 No worries mates 🙂
it isn't uncommon
I used to work at a major big box retailer (think top 5 in the country) in the NOC. This sort of thing used to go on quite frequently, with stores faxing data to private residences that was intended to go to vendors and vice versa. When the resident was bothered enough to call corporate HQ, their calls got routed to the NOC. These issues were not high priority and getting them resolved was an “ehhh do it if you’re bored and have nothing to do” type of thing. Only when people threatened to sue were the issues escalated.
HIPAA Penalty
I have worked in the health insurance industry for nearly 20 years on both the insurance side and the medical billing side. HIPAA is a pain in the butt, but at the same time it is there to protect the privacy of all of us. Some companies take HIPAA very seriously, and well should, because the consequence of violation is serious. The companies in the scenario above should be reported to CMS (Centers for Medicare and Medicaid Services) and/or OIG (Office of Inspector General). If they won’t be responsible for their breach of privacy, there is something out there that, in a not so gentle way, will remind them.
No Subject Given
With the way things are going, it’s the fax machine’s fault.
HIPAA and fax control
A couple of points here.
I’m with a company which supplies fax servers to a number of hospitals, mostly in North America, and we have done so for many years.
HIPAA has no _clear_ statement on faxing, due to it not being a clear electronic-to-electronic format by its definitions. What’s used in its place is the recommendation of HIMSS for handling faxes, which amounts to the “don’t read if it’s not you” statement, along with additional info (hospital name, sending agent, etc). And realize that even if HIPAA did have a clear standard, the requirements are such that all one has to show is that (a) rules are in place at the facility and (b) controls are in place to make sure the rules are followed. The point being that HIPAA compliance is more up to the hospital than the legislation. (I could go on but don’t want to drag this out.)
If the doc’s office is sending from a fax machine I’m not sure what you can do other than hand slapping. Otherwise speed dial is an option, as are controls on the PBX side, although you’ll probably find that just whining them into compliance might be for the best. If, however, they’re sending the job from the HIS through a fax or message server, then various controls are available, including using fixed phone book entries, dialing codes or even CSID checking.
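As an illustration of the fixed phone book and CSID checking controls mentioned in the comment above, here is an added sketch that is not part of the original comment and not any fax server product's own code. The phone book contents, the entry names and the `check_before_send` function are hypothetical; it assumes the server exposes the CSID string the answering machine reports during the handshake.

```python
import re
from dataclasses import dataclass

# Constructed phone book: the only destinations the server may dial.
# Numbers and CSIDs are made-up placeholders, not real stations.
PHONE_BOOK = {
    "insurer-claims": {"number": "+1 555 010 0142", "csid": "+1 555 010 0142"},
    "lab-results": {"number": "+1 555 010 0177", "csid": "EXAMPLE LAB"},
}

@dataclass
class Decision:
    allow: bool
    reason: str

def normalize(csid):
    """CSIDs are short free-form strings, usually the station's fax number
    with arbitrary spacing; compare on letters and digits only."""
    return re.sub(r"[^0-9A-Z]", "", (csid or "").upper())

def check_before_send(entry_name, remote_csid):
    """Gate run after the handshake and before any page data is sent.

    entry_name  -- phone book key chosen by the user (no free dialing)
    remote_csid -- identification string reported by the answering machine
    """
    entry = PHONE_BOOK.get(entry_name)
    if entry is None:
        return Decision(False, "destination is not a fixed phone book entry")
    got = normalize(remote_csid)
    if not got:
        # Fail closed: a station that does not identify itself gets nothing.
        return Decision(False, "remote station sent no CSID")
    if got != normalize(entry["csid"]):
        return Decision(False, "CSID mismatch: expected %r, got %r"
                        % (entry["csid"], remote_csid))
    return Decision(True, "CSID matches phone book entry")

if __name__ == "__main__":
    # Constructed handshake results: correct station, one-digit-off
    # neighbour, and a machine with no CSID programmed.
    for csid in ("1-555-010-0142", "+1 555 010 0143", ""):
        print(repr(csid), check_before_send("insurer-claims", csid))
```

The CSID is whatever the owner of the receiving machine programmed into it, so this check catches misdials and stale numbers; it does not authenticate the recipient.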
No Subject Given
We keep getting faxes but don’t even have a fax machine. It’s really annoying when it happens during the night.
I would send the fax back 10 x or 100 x
Most phone calls are included in a plan now. You need for it to be more of an inconvenience to them than you. Simply send it right back to them many times, this will tie up their machines and paper and people and eventually they will stop it.
Re: I would send the fax back 10 x or 100 x
Being notified of violating federal patient confidentiality laws works too.
information
Hello,
Have a question. I sent important info to a wrong fax number. How can I get my fax back? Please help me, it’s very important.
thank you for your time and understanding in this email.
sincerely,
mcr
Re: Wrong fax number
I sent very important personal information to the wrong fax number. How can I get the information, or where is it?
Thank you topjob