14. What do I do if I get a call from someone who says they were given a copy of another patient’s PHI or that they received a patient’s PHI by mail or fax?
Take these four steps:
First, please thank the caller for contacting us to let us know about the issue. (Take good notes of your conversation so you have details to enter into the HIPAA online system, once you hang up.)
Second, arrange with the caller to get the documents back. Do NOT ask the caller to throw them away. If the caller is a patient who plans to be back in the clinic in the next day or two, ask if he will return the document then. Otherwise, please tell the caller that you will send a self-addressed stamped envelope right away so the documents can be returned to the clinic. (You’ll need to know how many pages, so you have an idea of how much postage to put on the envelope.)
If the PHI was received by email, please ask the caller to delete the message and then empty the deleted items folder.
Third, let the caller know that we will send a statement for him to sign that says he understands that the information is confidential. Make a note in the file that you’ve advised the caller of the confidential nature of the information. (A sample confidentiality statement is below.)
Finally, notify your supervisor of the call, so any necessary changes in process can be made to prevent similar errors from occurring. You or your supervisor will enter the incident in the HIPAA online system as soon as you end the call so we can track our actions, including your conversation and the return receipt of the documents. The University Privacy Official will review the file and determine any additional steps, such as mitigation, as details are entered.
Sample Statement of Confidentiality: Make the correct selections, based on your facts.
The xxx Clinic/Office thanks you for returning/deleting the documents that you received in error. Please sign the statement below and return it in the self-addressed stamped envelope with the documents that you received (do not include this part if the PHI was emailed). Thank you.
I received a copy of health information that belongs to someone else. I understand that this information is confidential, and I will keep it confidential. I am returning/have deleted all copies.
Signed: _________________________ Dated: _______________________________