Q&A: Inadvertent disclosure via email

Q: If a patient writes his or her email address in an illegible fashion and the provider misreads it and then inadvertently sends appointment reminders and other communication to the wrong email address, is the provider at fault? What steps can be taken to avoid such a situation?

A: There’s blame on both sides. The patient did not write legibly, and the provider did not verify the email address before sending the appointment reminder. You do need to conduct a four-factor risk assessment to determine if this is a reportable breach, because sending the reminder to the wrong patient is considered an unauthorized disclosure of unsecure PHI. The way to prevent such occurrences is to ask providers and associated healthcare professionals to verify the email address if they cannot easily read the patient’s writing. This can be done by reaching out to the patient for verification. To better prevent these occurrences, it is a good idea to verify the spelling of a patient’s email address when the patient is filling out the paperwork.

Editor’s note: Chris Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.