Fax to wrong number


If faxed information containing PHI is sent to an incorrect fax number, and it is realized that the wrong entity received the fax, does the unintentional notification need to be recorded on the patient’s disclosure record?

Categories : HIPAA Q&A


  1. Tom Dumez says:

    Absolutely it does. The reason is that it is unauthorized disclosure. That is why I advise not only to confirm a fax number prior to faxing, but also to determine if a different method of getting the information where it needs to go is a better option. How often do you call a phone number and the wonderful sounds on the other end of the line are that of a fax? Fax numbers can frequently change, so it only makes sense that you would confirm that the number still belongs to the entity that you are contacting. And then there is the issue of ensuring that the correct number has been dialed.

  2. Lloyd says:

    I agree. In addition, this could be considered a privacy breach which requires that the patient be notified that his or her Protected Health Information was impermissibly disclosed to unknown sources. It may be embarrassing but bad news does not get better with time. This is why verifying who you’re faxing, if necessary, is critical every time.

  3. Jack says:

    Something to think about is that in many cases these faxes are being sent out by some type of program module that has fax numbers preprogrammed. In most cases the number is programmed and forgotten. Someone should also try to verify these numbers. There can be quite a few. Also, while we are on the subject of faxing, I believe that every fax should have a confidentiality statement resembling the statements that are put at the end of e-mails.

  4. Vicki J. says:

    On top of the other great comments made on this issue, it is noteworthy to mention the impending HIPAA audits. Tracking a breach, both for HIPAA Auditing and Accounting of Disclosure logging so you are able to produce an accurate list of releases upon request is becoming more than just a good idea – we are at the threshold of regulation.

  5. Hernan Serrano says:

    A misdirected fax usually constitutes an impermissible disclosure and would require disclosure accounting. As to whether it constitutes a breach or not under HITECH, you must first determine if one of the three exceptions applies. We can’t comment because we don’t know if the fax went to a local Gas Station or another provider in your hospital, or Organized Health Care Arrangement. For example, a misdirected fax to another authorized individual at the same covered entity, if not further disclosed, would not constitute a breach. However, if it went to the local Gas Station, then yes, it is a breach as none of the exceptions would apply.

  6. Chrissy M says:

    It may not be that simple. The key word that you used was “entity”. If you sent the information to another covered entity and they can attest that this information will not be used, further disclosed and it has been destroyed (per HITECH requirements), then you will not need to notify. If the information was sent to another organization (not a CE) then unfortunately you have potentially exposed information to an unauthorized individual.
