Who's At Fault In Faxing Confidential Data To The Wrong Place?

from the blame-the-all-thumb-faxers dept

While losing backup tapes may not be as big a risk as other types of data loss, what do you do when doctors are simply faxing tons of confidential patient data to the wrong fax machine? A small company that has a fax number one digit off from a major insurer’s fax number has been dealing with that issue. They were notifying the mis-faxers, but that’s become a full-time job that they can’t afford any more. They offered to sell the number to the insurer, setting an amount that would cover their own ability to publicize a new fax number, but the insurer isn’t interested, saying (accurately) that it isn’t really their fault this is happening. That’s fundamentally true, as it’s the typo-dialing doctors who are the problem — but it doesn’t solve the problem, which is that plenty of confidential info is rolling off the fax machine of a company that shouldn’t be receiving it.


Comments on “Who's At Fault In Faxing Confidential Data To The Wrong Place?”

Don Gray says:

They need to make a couple of calls

Take a couple of the faxes and call the people whose information they have received.

Explain to them that they really didn’t want to receive their private health information and that in fact them receiving the information was a violation of the HIPAA.

Tell them that the insurance company has chosen not to prevent the situation, even though they could. And that their doctor doesn’t pay enough attention to detail to dial the right fax number.

Explain to them that if they care about their privacy they should contact the Chief Privacy Officer of the insurance company, as well as the doctor’s office / hospital and discuss it with them.

I’m sure the faxes would quickly stop.

ehrichweiss says:

Re: They need to make a couple of calls

I used to have a security awareness company setup that dealt with this exact type of issue and you outline a very good method of doing so.

Of course I’d have the person, whose information was so haphazardly thrown around, take this info to an attorney and place a lawsuit accordingly for HIPAA violations.

We’ve already seen a medical billing company take a “network administrator”(I personally think the idiot rode the short bus to school) to court over directly connecting the company’s machines to the internet without any firewall or security checks beyond a Belkin(tm) router. I’m guessing you know how this turned out…25,000 people’s info was suddenly not-so-private.

And to think that some of my friends say I’m too paranoid.

Julie Pierce says:

Re: They need to make a couple of calls

We’ve been receiving fax calls on our “toll free” voice line for two months now. When diverted to our fax machine we get pages of confidential data including name, address, employment details, social security numbers, medical conditions, insurance policy numbers etc… Our number was given out “by mistake” to healthcare providers and at one point we were receiving 50 calls AN HOUR!! We were told it would be sorted within days – but it is still persisting. We are a small business and cannot afford the time to answer the phone (and we’re paying for the calls!) But we have our hands tied by a confidentiality agreement we had to sign in order to have our costs reimbursed….on reflection we’ve been taken for a ride but because of fear of legal reprisal we cannot report this company to make the faxes stop.

Ross says:

Re: No Subject Given

I had a fax number one off from a vet office. There was one laboratory that would (at least once weekly) send me the results of blood tests and other things for different pets. At first I tried to sort it out. I called both places and spoke to the right people – but that didn’t work.

Finally I started writing comments on the form like “i’m only a software engineer but it doesn’t look good for fluffy. I think we will have to put him down.” and fax it to both parties.

Eventually it did stop – not because they fixed the problem, but because I switched to Vonage and had to change my fax number.

ZOMG CENSORED says:

Hmm... Local news...

I read this a few days ago, and it seems that the insurance company just refuses to do anything about something that is obviously their problem. Being small-town folks they refuse to just let the faxes pile up. So therein lies the dilemma, either this small company has to act like jerks or the big company has to get their ass in gear and fix the problem.

Not gonna happen, I would honestly just start writing the insurance company and prodding them into getting their act together.

princessfrozen says:

it isn't uncommon

I used to work at a major big box retailer (think top 5 in the country) in the NOC. This sort of thing used to go on quite frequently, with stores faxing data to private residences that were intended to go to vendors and vice versa. When the resident was bothered enough to call corporate HQ, their calls got routed to the NOC. These issues were not high priority and getting them resolved was an “ehhh do it if you’re bored and have nothing to do” type of thing. Only when people threatened to sue were the issues escalated.

Kyle Hall says:

HIPAA Penalty

I have worked in the health insurance industry for nearly 20 years on both the insurance side and the medical billing side. HIPAA is a pain in the butt, but at the same time it is there to protect the privacy of all of us. Some companies take HIPAA very seriously, and well should, because the consequence of violation is serious. The companies in the scenario above should be reported to CMS (Centers for Medicare and Medicaid Services) and/or OIG (Office of Inspector General). If they won’t be responsible for their breach of privacy, there is something out there that, in a not so gentle way, will remind them.

Alex says:

HIPAA and fax control

A couple of points here.

I’m with a company which supplies fax servers to a number of hospitals, mostly in North America, and we have done so for many years.

HIPAA has no _clear_ statement on faxing, due to it not being a clear electronic-to-electronic format by its definitions. What’s used in its place is the recommendation of HIMSS for handling faxes, which amounts to the “don’t read if it’s not you” statement, along with additional info (hospital name, sending agent, etc). And realize that even if HIPAA did have a clear standard, the requirements are such that all one has to show is that (a) rules are in place at the facility and (b) controls are in place to make sure the rules are followed. The point being the HIPAA compliance is more up to the hospital than the legislation. (I could go on but don’t want to drag this out.)

If the doc’s office is sending from a fax machine I’m not sure what you can do other than hand slapping. Otherwise speed dial is an option, as are controls on the PBX side, although you’ll probably find that just whining them into compliance might be for the best. If, however, they’re sending the job from the HIS through a fax or message server, then various controls are available, including using fixed phone book entries, dialing codes or even CSID checking.
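
The fixed phone book and CSID check named in the comment above can be combined into one pre-send gate on a fax server. The following is an added example, not code from the article, the commenter or any fax product. It assumes a hypothetical hook that hands over the CSID (the identifier the answering machine sends during the handshake) before any page is transmitted; the entry name, numbers and CSID strings are constructed.

```python
import re

# Constructed phone book: jobs name an entry; nobody keys in a number.
# "csid" is the identifier the real recipient's machine is known to report.
PHONE_BOOK = {
    "insurer-claims": {
        "number": "+1 555 555 0100",
        "csid": "INSURER CLAIMS 5555550100",
    },
}


def _canon(text):
    """Reduce a CSID to letters and digits; spacing and case vary by device."""
    return re.sub(r"[^A-Z0-9]", "", (text or "").upper())


def resolve_destination(entry):
    """Return the fixed number for a phone book entry, or None.

    Free-dialed numbers are never accepted, so a typo cannot create
    a new destination.
    """
    record = PHONE_BOOK.get(entry)
    return record["number"] if record else None


def pre_send_check(entry, reported_csid):
    """Decide, after the handshake, whether pages may be transmitted.

    reported_csid comes from the hypothetical handshake hook.
    Returns (allowed, reason) and fails closed on any doubt.
    """
    record = PHONE_BOOK.get(entry)
    if record is None:
        return False, "destination not in phone book"
    if not _canon(reported_csid):
        return False, "remote sent no CSID"
    if _canon(reported_csid) != _canon(record["csid"]):
        return False, "CSID mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed handshakes: the real recipient, then a neighbour whose
    # number is one digit off, then a machine with a blank CSID.
    for csid in ("Insurer Claims 555-555-0100", "ACME WIDGETS 5555550101", ""):
        print(repr(csid), pre_send_check("insurer-claims", csid))
```

A CSID is set by whoever configures the receiving machine, so this check catches misdials and stale phone book entries rather than a recipient who deliberately copies the expected string.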
