BAAs, faxing, and customer surveys

HIPAA Q&A

by Mary D. Brandt, MBA, RHIA, CHE, CHPS

Q: I recently received a customer satisfaction survey from a medical supply company. The survey was printed on a postcard, not enclosed in an envelope. The survey is generic and doesn’t include information about what services or supplies were received, but it does show my name and address and the name of the company. Anyone looking at it could know, or assume, that I received medical supplies. I don’t feel this is appropriate, but I’m not sure if this is a HIPAA concern.

 

A: Since no PHI was disclosed, this is not a HIPAA violation. If the survey were targeted to a specific type of supply, such as diabetes test kits, it could be considered a HIPAA violation because it disclosed information about your medical condition. A generic survey, such as the one you received, is not a concern.

 

Q: A situation recently arose with one of our business associates (BA). We have a copy of a business associate agreement (BAA) signed by the company; however, there have been some changes in personnel within the BA. The BA now claims it has no record of the BAA and does not feel it should be bound by the agreement. We suggested creating and signing a new BAA but the BA is reluctant to agree to do that. Is it a HIPAA breach if the BA no longer has a copy of the BAA?

 

A: As a covered entity (CE), you are required to have a written agreement with each of your business associates to secure the PHI to which the BA has access. If the BA claims it does not have a copy of the agreement previously signed, the BA is clearly not abiding by the agreement. You should (1) provide a copy of the existing agreement to the BA and obtain their agreement to abide by it; (2) have the BA sign a new agreement; or (3) terminate your contract with the BA.

 

Q: Is an organization required to notify a patient of a single misdirected fax?

A: You do not have to notify a patient of a single misdirected fax unless you have reason to believe it may have resulted in harm to the patient.

 

Q: We are having a problem with misdirected faxes caused by the phone company. Our electronic health record (EHR) auto-faxes ancillary reports and transcribed documents to physician offices whose fax numbers are set up in our system. Recently, I was contacted by two businesses who received misdirected faxes on more than one occasion. These faxes should have gone to one of our physicians. The fax number for these businesses is one digit off the physician office’s fax number.

Our modem dialed the correct fax number but a switch in the phone company’s system misdirected some pages of the fax to a wrong number. Our IT director/security officer has contacted the phone company numerous times to no avail. We are considering legal action against the phone company.

My question is: Who is in violation of HIPAA? Are we in violation even though our modem is dialing the correct number? Is the physician’s office in violation because the fax is being sent to them? Is the phone company in violation because its equipment is causing the problem, even though it is not a CE?

 

A: Your organization would probably be considered to be in violation because your PHI is being misdirected. If the problem involves only one physician, you may need to stop auto-faxing to that office until the problem can be resolved. If you believe the problem lies with the phone company’s equipment, a letter from your attorney may get the phone company to take this seriously.

 

Editor’s note: Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at [email protected].

HCPro.com – Briefings on HIPAA

HIPAA Q&A: BAAs, fax logs, and cell phone use

by Mary D. Brandt, MBA, RHIA, CHE, CHPS

 

Q: Are we required to have a business associate agreement (BAA) with an overseas vendor? We may begin working with a billing company based in India. I don’t believe HIPAA would apply to an overseas company but I’m not clear on our responsibilities in this situation.

 

A: As a covered entity under HIPAA, your organization is required to have BAAs with all vendors who have access to your PHI to perform a service on your behalf. This includes companies outside the U.S., like the billing company in India.

 

Q: Are we required to keep a log of all faxes sent that contain PHI?

 

A: There is no requirement to log all fax transmissions of PHI, but your staff must take steps to protect the information transmitted. Appropriate steps include using a cover sheet with a confidentiality statement, using pre-programmed fax numbers for frequent recipients, carefully checking numbers manually entered before transmission, and placing fax machines in secure locations.

 

Q: I recently took a position with a home health agency. The agency does not provide staff with company-owned cell phones to use to communicate with patients. Staff must use their personal cell phones and frequently receive voicemails and text messages from patients. Nurses are provided with laptops and all staff have a company email address and are encouraged to inform patients that if they must contact them after hours they should do so via email except in cases of emergency. However, most patients prefer to attempt to call.

I believe having staff use their personal cell phones for work is an unnecessary risk and I would like to find a solution. Are we required to inform patients that our staff do not have company-owned cell phones and they should be careful what information they leave in a voicemail or text message? Would it be best to instead ask patients to call our main number with questions and their doctor’s office in emergencies?

 

A: Requiring staff to use their personal cell phones for patient communications is a concern. It is intrusive for staff members to receive calls from patients even when they are not on duty, and patients may communicate sensitive information on unsecured devices. A better solution, as you suggested, would be to ask patients to call the agency’s main number for questions and their doctor’s office in emergencies. Using the agency’s number would allow questions to be directed to the staff member currently assigned to the patient.

 

Q: We recently received a request for a patient’s records. The patient transferred to another provider several years ago and we subsequently transferred all the patient’s records to the new provider. Should I direct the request to the provider the patient transferred to? I’m unsure that we should be responsible for retrieving and releasing information for this patient since we transferred the patient’s entire record to the new provider.

 

A: If you sent a copy of the patient’s records to the new provider and still have the original records, it would be appropriate for you to respond to the request. If you transferred all records to the new provider and no longer have the patient’s information, refer the request to the new provider.

 

Editor’s note: Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at [email protected].

HCPro.com – Briefings on HIPAA