(Mis)Uses of Technology

by Mike Masnick

Who's At Fault In Faxing Confidential Data To The Wrong Place?

from the blame-the-all-thumb-faxers dept

While losing backup tapes may not be as big a risk as other types of data loss, what do you do when doctors are simply faxing tons of confidential patient data to the wrong fax machine? A small company that has a fax number one digit off from a major insurer's fax number has been dealing with that issue. They were notifying the mis-faxers, but that's become a full-time job that they can't afford any more. They offered to sell the number to the insurer, setting an amount that would cover their own ability to publicize a new fax number, but the insurer isn't interested, saying (accurately) that it isn't really their fault this is happening. That's fundamentally true, as it's the typo-dialing doctors who are the problem -- but it doesn't solve the problem, which is that plenty of confidential info is rolling off the fax machine of a company that shouldn't be receiving it.

Reader Comments

  1. RMartin, Feb 7th, 2006 @ 11:28am

    Me, too.

    We are a medical software vendor, and our fax number is in nearly all our accounts' fax quick-dialers. We get at least one fax a day from clinics who THINK they're sending to someone else. That gets a little much sometimes when we have to waste a phone call telling them what they've done...


  2. Don Gray, Feb 7th, 2006 @ 11:40am

    They need to make a couple of calls

    Take a couple of the faxes and call the people whose information they have received.

    Explain to them that they really didn't want to receive their private health information and that in fact them receiving the information was a violation of the HIPAA.

    Tell them that the insurance company has chosen not to prevent the situation, even though they could. And that their doctor doesn't pay enough attention to detail to dial the right fax number.

    Explain to them that if they care about their privacy they should contact the Chief Privacy Officer of the insurance company, as well as the doctor's office / hospital and discuss it with them.

    I'm sure the faxes would quickly stop.


  3. Joel, Feb 7th, 2006 @ 11:54am

    No Subject Given

    I don't know that I'd clear the insurer so quickly. With that many faxes showing up at this particular number I'd bet the insurer mis-printed the number in a few places.


  4. Ross, Feb 7th, 2006 @ 12:03pm

    Re: No Subject Given

    I had a fax number one off from a vet office. There was one laboratory that would (at least once weekly) send me the results of blood tests and other things for different pets. At first I tried to sort it out. I called both places and spoke to the right people - but that didn't work.

    Finally I started writing comments on the form like "i'm only a software engineer but it doesn't look good for fluffy. I think we will have to put him down." and fax it to both parties.

    Eventually it did stop - not because they fixed the problem, but because I switched to Vonage and had to change my fax number.


  5. ZOMG CENSORED, Feb 7th, 2006 @ 12:07pm

    Hmm... Local news...

    I read this a few days ago, and it seems that the insurance company just refuses to do anything about something that is obviously their problem. Being small-town folks they refuse to just let the faxes pile up. So therein lies the dilemma, either this small company has to act like jerks or the big company has to get their ass in gear and fix the problem.

    Not gonna happen, I would honestly just start writing the insurance company and prodding them into getting their act together.


  6. Wizard Prang, Feb 7th, 2006 @ 12:10pm

    No Subject Given

    Unfortunately most parties involved in this kind of thing believe that if they stick a confidentiality blurb on the fax somewhere they are covered.


  7. Anonymous Coward, Feb 7th, 2006 @ 12:34pm

    MMM... the future

    Hospitals all around the world are beginning to use instant messaging programs with scanner plug ins over faxing... Fax has become outdated, obsolete, and will soon be replaced :) No worries mates :)


  8. Rikko, Feb 7th, 2006 @ 12:58pm

    Re: Me, too.

    Same here.. I get 4-5 faxes a year with people's prescriptions on them. Thus far we've always called the pharmacy and they've been grateful, but this is really stupid.


  9. princessfrozen, Feb 7th, 2006 @ 1:18pm

    it isn't uncommon

    I used to work at a major big box retailer (think top 5 in the country) in the NOC. This sort of thing used to go on quite frequently, with stores faxing data to private residences that was intended to go to vendors and vice versa. When the resident was bothered enough to call corporate HQ, their calls got routed to the NOC. These issues were not high priority and getting them resolved was an "ehhh do it if you're bored and have nothing to do" type of thing. Only when people threatened to sue were the issues escalated.


  10. Kyle Hall, Feb 7th, 2006 @ 1:21pm

    HIPAA Penalty

    I have worked in the health insurance industry for nearly 20 years on both the insurance side and the medical billing side. HIPAA is a pain in the butt, but at the same time it is there to protect the privacy of all of us. Some companies take HIPAA very seriously, and well should, because the consequence of violation is serious. The companies in the scenario above should be reported to CMS (Centers for Medicare and Medicaid Services) and/or OIG (Office of Inspector General). If they won't be responsible for their breach of privacy, there is something out there that, in a not so gentle way, will remind them.


  11. ehrichweiss, Feb 7th, 2006 @ 1:26pm

    Re: They need to make a couple of calls

    I used to have a security awareness company set up that dealt with this exact type of issue and you outline a very good method of doing so.

    Of course I'd have the person, whose information was so haphazardly thrown around, take this info to an attorney and place a lawsuit accordingly for HIPAA violations.

    We've already seen a medical billing company take a "network administrator" (I personally think the idiot rode the short bus to school) to court over directly connecting the company's machines to the internet without any firewall or security checks beyond a Belkin(tm) router. I'm guessing you know how this turned out... 25,000 people's info was suddenly not-so-private.

    And to think that some of my friends say I'm too paranoid.


  12. Anonymous Coward, Feb 7th, 2006 @ 2:09pm

    No Subject Given

    With the way things are going, it's the fax machine's fault.


  13. Heironymous Cowherd, Feb 7th, 2006 @ 2:45pm

    Re: Me, too.

    Isn't there a junk fax law that would be relevant here? In addition to everything else, the sending Dr. office is wasting the paper and toner of the small company that really doesn't want the faxes.


  14. Alex, Feb 7th, 2006 @ 2:46pm

    HIPAA and fax control

    A couple of points here.

    I'm with a company which supplies fax servers to a number of hospitals, mostly in North America, and we have done so for many years.

    HIPAA has no _clear_ statement on faxing, due to it not being a clear electronic-to-electronic format by its definitions. What's used in its place is the recommendation of HIMSS for handling faxes, which amounts to the "don't read if it's not you" statement, along with additional info (hospital name, sending agent, etc). And realize that even if HIPAA did have a clear standard, the requirements are such that all one has to show is that (a) rules are in place at the facility and (b) controls are in place to make sure the rules are followed. The point being that HIPAA compliance is more up to the hospital than the legislation. (I could go on but don't want to drag this out.)

    If the doc's office is sending from a fax machine I'm not sure what you can do other than hand slapping. Otherwise speed dial is an option, as are controls on the PBX side, although you'll probably find that just whining them into compliance might be for the best. If, however, they're sending the job from the HIS through a fax or message server, then various controls are available, including using fixed phone book entries, dialing codes or even CSID checking.

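The fixed phone book and CSID checking that comment 14 mentions, sketched as an added example (not code from the commenter or from any fax server product). The phone book entry, the fictional number and the function names are assumptions made for illustration; the check runs after the fax handshake reports the answering machine's CSID and before any page is transmitted.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Recipient:
    name: str
    number: str         # number the server dials
    expected_csid: str  # CSID the recipient's machine is known to announce

# Constructed phone book; the number is fictional (555-01xx range).
PHONE_BOOK = {
    "insurer-claims": Recipient("Example Insurer Claims",
                                "+1 303 555 0142", "+1 303 555 0142"),
}

def digits(text):
    """Keep digits only; CSIDs are free-form strings set by the machine's owner."""
    return re.sub(r"\D", "", text or "")

def csid_matches(expected, reported, min_digits=7):
    """Compare on the shared trailing digits so a missing country code is tolerated.
    A blank or very short CSID fails closed."""
    exp, rep = digits(expected), digits(reported)
    if len(rep) < min_digits or len(exp) < min_digits:
        return False
    n = min(len(exp), len(rep))
    return exp[-n:] == rep[-n:]

def pre_send_decision(entry_key, reported_csid):
    """Return (action, reason). Called after the handshake, before any page is sent."""
    recipient = PHONE_BOOK.get(entry_key)
    if recipient is None:
        # Fixed phone book: free-typed numbers are never dialed.
        return ("abort", "recipient is not in the fixed phone book")
    if not csid_matches(recipient.expected_csid, reported_csid):
        # The answering machine is not the one on file: likely a misdial or a
        # stale entry. CSID is operator-set text, so this catches mistakes,
        # it does not authenticate the receiver.
        return ("abort", f"CSID {reported_csid!r} does not match {recipient.name}")
    return ("send", f"CSID verified for {recipient.name}")

if __name__ == "__main__":
    for csid in ["303 555 0142", "+1 303 555 0143", ""]:
        print(repr(csid), "->", pre_send_decision("insurer-claims", csid))
```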

  15. Anonymous Coward, Feb 7th, 2006 @ 3:03pm

    No Subject Given

    We keep getting faxes but don't even have a fax machine. It's really annoying when it happens during the night.


  16. nonam9, Feb 7th, 2006 @ 10:11pm

    I would send the fax back 10 x or 100 x

    Most phone calls are included in a plan now. You need for it to be more of an inconvenience to them than you. Simply send it right back to them many times, this will tie up their machines and paper and people and eventually they will stop it.


  17. Major Burns, Feb 8th, 2006 @ 3:56am

    Re: I would send the fax back 10 x or 100 x

    Being notified of violating federal patient confidentiality laws works too.


  18. m carmen rosell, Mar 13th, 2006 @ 12:26pm


    Have a question. I sent important info to a wrong fax number. How can I get my fax back? Please help me, it's very important.
    Thank you for your time and understanding in this email.


  19. Julie Pierce, Apr 6th, 2006 @ 1:10pm

    Re: They need to make a couple of calls

    We've been receiving fax calls on our "toll free" voice line for two months now. When diverted to our fax machine we get pages of confidential data including name, address, employment details, social security numbers, medical conditions, insurance policy numbers etc... Our number was given out "by mistake" to healthcare providers and at one point we were receiving 50 calls AN HOUR!! We were told it would be sorted within days - but it is still persisting. We are a small business and cannot afford the time to answer the phone (and we're paying for the calls!) But we have our hands tied by a confidentiality agreement we had to sign in order to have our costs reimbursed....on reflection we've been taken for a ride but because of fear of legal reprisal we cannot report this company to make the faxes stop.


  20. Myrt, Nov 23rd, 2009 @ 7:33pm

    Re: Wrong fax number

    I sent very important personal information to the wrong fax number. How can I get the information or where is it?
    Thank you topjob
