Q&A: Misdirected faxes

Q: We are having a problem with misdirected faxes caused by the phone company. Our electronic health record (EHR) auto-faxes ancillary reports and transcribed documents to physician offices whose fax numbers are set up in our system. Recently, I was contacted by two businesses who received misdirected faxes on more than one occasion. These faxes should have gone to one of our physicians. The fax number for these businesses is one digit off the physician office's fax number.

Our modem dialed the correct fax number but a switch in the phone company's system misdirected some pages of the fax to a wrong number. Our IT director/security officer has contacted the phone company numerous times to no avail. We are considering legal action against the phone company.

My question is: Who is in violation of HIPAA? Are we in violation even though our modem is dialing the correct number? Is the physician's office in violation because the fax is being sent to them? Is the phone company in violation because its equipment is causing the problem, even though it is not a CE?

A: Your organization would probably be considered to be in violation because your PHI is being misdirected. If the problem involves only one physician, you may need to stop auto-faxing to that office until the problem can be resolved. If you believe the problem lies with the phone company's equipment, a letter from your attorney may get the phone company to take this seriously.

This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS for Briefings on HIPAA. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.