Privacy Officer's Roundtable

Policy/Standard Work re: Receiving Misdirected PHI

  • 1.  Policy/Standard Work re: Receiving Misdirected PHI

    Posted 12-07-2018 12:35 PM

    Hello - what is your organizations policy/procedure re: receiving misdirected PHI from another facility?
    Do individual departments contact the sender? Or are these sent to your privacy office to coordinate the return?

    In our EMR, providers occasionally receive in-basket messages re: individuals who are not their patients; similarly, departments occasionally report receiving faxes that are not meant for them.

    We are looking to create a standardized approach to these types of scenarios in order to ensure patient care is not adversely affected by not notifying the sender in a timely manner.

    I appreciate your feedback and suggestions. 



    ------------------------------
    Kale Sopoaga
    Compliance and Legal Analyst
    Montage Health
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Policy/Standard Work re: Receiving Misdirected PHI

    Posted 12-10-2018 09:44 AM

    These items come to me for f/up – I try to get at the root of why we are getting them. Not always easy but doing so has decreased the number we receive.

     

    Thank you,

    Sharon Taylor, RN, MS, CIC, CPHRM, CHC, CHPC        

    Director Risk Management/ Accreditation Services

    Burgess Health Center

    1600 Diamond Street

    Onawa, IA 51040

    Tel: 712-423-9248

    Fax: 712-423-9322

    E-mail: staylor@burgesshc.org

    Website: www.burgesshc.org

     

     

    image017.jpg@01CD7F97.28704CD0

     

    Quality Care You Can Believe In

    Electronic Mail Confidentiality Notice:

    This electronic mail message and all attachments may contain confidential information belonging to the sender or the intended recipient. This information is intended ONLY for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution (electronic or otherwise), forwarding or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please immediately notify the sender by telephone, facsimile, or email to arrange for the return of the electronic mail, attachments, or documents.

     




    2020 SCCE Membership


  • 3.  RE: Policy/Standard Work re: Receiving Misdirected PHI

    Posted 06-16-2020 11:05 AM
    Kale

    My opinion is that the misdirected PHI incident should go to the Compliance Officer/Privacy Officer or a member of that staff.  Only they are experts to determine if a misdirected PHI is indeed a breach or if it meets the definition for an exemption to a breach.  Thoughts?

    ------------------------------
    Hernan Serrano
    St. Louis Metro Area
    ------------------------------

    2020 SCCE Membership


  • 4.  RE: Policy/Standard Work re: Receiving Misdirected PHI

    Posted 06-17-2020 08:09 AM
    I think you can create a guideline for how to handle misdirected information.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    2020 SCCE Membership


  • 5.  RE: Policy/Standard Work re: Receiving Misdirected PHI

    Posted 06-18-2020 09:23 AM
    ​Kale,
    My approach to misdirected PHI is that as a Privacy Officer I need to know if the hospital is sending PHI to incorrect recipients. These are all potential breaches which need to be investigated. By the same token I think my fellow privacy officers would like the same information if their CEs are sending misdirected PHI.
    This is the procedure portion of our policy on misdirected PHI:

    A.
    Any Crystal Clinic employee who becomes aware, by any means, that Crystal Clinic has sent or otherwise misdirected any PHI to a person or entity to whom it was not intended shall immediately contact that person or entity and:
      1. Request them to NOT destroy the PHI;
      2. Request them to return the original PHI, including cover sheets, to the Crystal Clinic HIPAA Privacy Officer by US Mail, 3925 Embassy Parkway, Suite 250, Akron, OH 44333 or return it in person to any Crystal Clinic facility;
      3. Obtain full name, address and telephone number of the person or entity to whom the PHI was misdirected;
      4. Complete a HIPAA Incident report and forward it electronically, in MS Word format, to the Crystal Clinic HIPAA Privacy Officer.
      5. The Crystal Clinic Privacy Officer will conduct an investigation as required by Crystal Clinic Policy HIP 14-02, HIPAA Impermissible Disclosure and Breach Policy.

    B.
    Any Crystal Clinic employee who becomes aware, by any means, that Crystal Clinic has received, from outside Crystal Clinic, any communication containing PHI that is not intended for a Crystal Clinic entity or workforce member is to:
    1. Immediately notify the person or entity that has sent or otherwise misdirected the PHI to Crystal Clinic, that it was received in error and that it will be returned by US Mail.
    2. Even if requested, the PHI is not to be shredded or destroyed.
    3. The PHI is to be sent to the Crystal Clinic HIPAA Privacy Officer by interoffice mail, with original envelopes or cover sheets and a note indicating when and where in Crystal Clinic it was received and who was notified.
    4. No copies should be made or retained.
    5. The Crystal Clinic Privacy Officer will return the PHI to the sender with a cover letter indicating when and how it was received at Crystal Clinic.
    C.
    Communications or documents containing PHI which originate within Crystal Clinic but are misdirected to the wrong location within Crystal Clinic may represent an impermissible use under the HIPAA Privacy Rule. In such instances a HIPAA Incident Report must be completed and sent to the HIPAA Privacy Officer with a copy of each page, including cover page(s) of the misdirected document(s). The original document may be forwarded to the intended addressee and so noted on the HIPAA Incident Report.

    D.
    Communications or documents containing PHI which are received at any Crystal Clinic entity, department or clinic from outside Crystal Clinic that are intended for another Crystal Clinic entity but are misdirected to the wrong location within Crystal Clinic should be placed in an interoffice envelope and sent to the correct location. No HIPAA Incident Report is required.

    Charlie

    ------------------------------
    Charles Colitre BBA, CHC, CHPC
    Compliance & Privacy Officer
    Crystal Clinic Orthopaedic Center
    Akron,OH
    ------------------------------

    2020 SCCE Membership


  • 6.  RE: Policy/Standard Work re: Receiving Misdirected PHI

    Posted 06-18-2020 09:39 AM
    Looking good Charlie.  I'm thinking from a C&C perspective...how many folks in other organizations when they see a misdirected fax likely just toss it into the shred bin and move on as they are "too busy" to follow up.

    This is one area where I tend to make that extra effort to notify the sender because I'm often thinking that a misdirected fax, in my example, was likely sent for a purpose and someone's healthcare may be impacted because the intended recipient did not receive it.

    Thanks for sharing Charlie.  Your policy lends itself to a very nice flowchart that staff can use to identify "next steps" in a logical and consistent manner...in my opinion.  Well done!

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    Super Summer Slam Study Squad sign up: CLOSED

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    ------------------------------

    2020 SCCE Membership


  • 7.  RE: Policy/Standard Work re: Receiving Misdirected PHI

    Posted 06-19-2020 10:16 AM
    Thank you so much, Charlie - this is very helpful.

    ------------------------------
    Kale Sopoaga
    Director, Risk Management and Privacy
    Montage Health
    ------------------------------

    2020 SCCE Membership