Change | Moving Hopkins Forward Johns Hopkins Medicine
December 2012

Conduct Matters

Patient Privacy Reminders

Privacy Rule allows patients' medical information to be faxed to their workplaces, with certain stipulations.

Johns Hopkins recently received an investigation letter from the Office for Civil Rights, the HIPAA enforcement agency, in response to a complaint it had received from a patient. The complaint said that a Johns Hopkins department had faxed a medical report to the person's place of work, where it was available for others to see.

OCR closed the complaint but provided "technical assistance." It also indicated its expectation that Johns Hopkins would "share" the following information with its workforce. Although a physician's office or health plan may use mail or fax to send patient medical information, it's important to review how the rules work.

Where the Privacy Rule allows covered health care providers, health plans, or health care clearinghouses to share protected health information with another organization or with the individual, they may use a variety of means to deliver the information, as long as they use reasonable safeguards when doing so. When the communications are in writing, the patient information may be sent by mail, fax, or other means of reliable delivery.

The Privacy Rule requires that covered entities apply reasonable safeguards when making these communications to protect the patient information from inappropriate use or disclosure to unauthorized persons. These safeguards vary depending on the mode of communication used. For example, when mailing patient information, reasonable safeguards include checking to see that the name and address of the recipient are correct and current and that only the minimum amount of patient information is showing on the outside of the envelope to ensure proper delivery to the intended recipient.

When faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard would include first confirming the fax number with the intended recipient. Similarly, a covered entity may preprogram frequently used numbers directly into the fax machine to avoid misdirecting the information to someone who is not the intended recipient.

The following checklists provide guidance on reasonable safeguards that a covered health care provider, health plan, or health care clearinghouse may put in place to protect patient information from being impermissibly disclosed during mailing and faxing.

MAILING CHECKLIST


Carefully check name and address of intended recipient. Many names are similar; make sure you have the correct name for the intended recipient on the envelope. Make sure the address on the envelope matches the correct address of the intended recipient.

Carefully check the contents of the envelope before sealing. Make sure the contents may be permissibly disclosed to the intended recipient or properly relate to the individual. Check all pages to make sure records or material related to other individuals are not mistakenly included in the envelope.

Check the information showing on the outside of the envelope or through the address window. Make sure identifying information that is not necessary to ensure proper delivery is not disclosed.

When doing mass mailings, do a test run to ensure the system is properly performing and check at least a sample of the mailings for the accuracy of name and address of the intended recipients and the correct contents, as indicated above, before sending.

Have policies and procedures in place to safeguard protected health information that is mailed, including processes to act promptly on (1) name and address changes to ensure corrections are made in all the relevant records; and (2) reports of misdirected mail to identify the cause and take steps to prevent future incidents.

Train staff on the mailing procedures that your organization has put in place to safeguard protected health information during mailing. Update the training periodically and be sure to train new staff.

 

FAXING CHECKLIST

Carefully check the fax number to make sure you have the correct number for the intended recipient. When manually entering the number, check to see that it has been entered correctly before sending.

Confirm fax number with the intended recipient when faxing to this party for the first time or if the fax number is not regularly used.

Program regularly used numbers into fax machines. Check to make sure you are selecting the preprogrammed number for the correct party before sending.

Update fax numbers promptly upon receipt of notification of correction or change. Have procedures for deleting outdated or unused numbers which are preprogrammed into the fax machine.

Locate fax machines in areas where access can be monitored and controlled and avoid leaving patient information on fax machines after sending.

Have policies and procedures in place to safeguard protected health information that is faxed, including processes to act promptly on (1) changes in fax numbers to ensure corrections are made in all the relevant records; and (2) reports of a misdirected fax to identify the cause and take steps to prevent future incidents, including revising the organization's policies and procedures.

Train staff on the policies and procedures for the proper use of fax machines that your organization has put in place to safeguard protected health information during faxing. Update the training periodically and be sure to train new staff.

 

 

 
Johns Hopkins Medicine
© The Johns Hopkins University