OhioHealth’s Grant Medical Center has been sending faxes with patient information to the wrong person for months in an apparent HIPAA violation, reported ABC6 in Columbus, Ohio, on June 18.
The information in the faxes included patient name, weight, age, medical problem, history, and medications.
“We have been getting regular faxes over the last year or so from Grant Medical Center, with people's personal information attached,” Westerville, Ohio resident Elizabeth Spilker told ABC6.
Spilker said that she called the hospital about the errant faxes but was ignored. She also sent a note back to the hospital fax machine asking them to stop faxing her, but the faxes didn’t stop.
“It's almost always at the end of the day, and it will continue to try and fax you and ringing your phone number until you do something,” Spilker said.
Asked to comment on the incident and the apparent violation of the HIPAA Privacy Rule, OhioHealth sent HealthITSecurity.com this statement:
“We conducted a thorough review and audit of our fax system logs and found that three faxes were sent to the individual in error due to a transposed fax number in one patient’s medical record. The fax number has been corrected and we’re reaching out to the patient involved to make him or her aware. Ensuring the privacy of our patients is a top priority at OhioHealth and we apologize for this error.”
OhioHealth said that the faxes contained personal information on only one patient and were sent over a six-month period, not a year, as Spilker claimed in the ABC6 report.
“If I wanted to I could do some real damage to this person with this information,” said Spilker. “But I don't want to do that. I want to solve the problem.”
She has shredded all the confidential health faxes, according to the report.
OhioHealth includes 29,000 associates, physicians, and volunteers, and a network of 11 hospitals, more than 200 ambulatory sites, hospice, home health, medical equipment, and other health services spanning 47 Ohio counties.
Some previous incidents of healthcare providers faxing medical information to the wrong number have resulted in HIPAA fines and lawsuits.
Last year, New York-based Mount Sinai St. Luke’s Hospital was sued for faxing patient PHI to the patient’s employer after it had already agreed to pay $387,000 in fines to OCR as part of a HIPAA settlement. St. Luke’s specializes in treating individuals with HIV or AIDS and other chronic diseases.
“St. Luke's impermissibly disclosed PHI of two identified patients when Spencer Cox staff members faxed one individual's PHI to his workplace and the other individual's PHI to an office at which he volunteered,” stated the corrective action plan contained in the OCR HIPAA settlement. “Given the type of PHI involved, specifically information about HIV, AIDS, and mental health, the impermissible disclosures were egregious.”
“St. Luke's failed to reasonably safeguard two identified patients' PHI from any intentional or unintentional disclosure during faxing, resulting in an impermissible disclosure of both patients' PHI against their expressed instructions,” the plan continued.
Following the settlement, one of the patients sued St. Luke’s for pain and suffering resulting from the error. The lawyer representing the patient said in a blog post that the mistake, which involved sending his client’s HIV diagnosis and other embarrassing information, caused him stress and forced him to quit his job.
“Despite admitting its wrongdoing and paying a $387,000 fine to the government, Mount Sinai St. Luke’s Hospital has refused to even discuss a financial settlement with our client due to its unlawful actions,” the blog post read. “For these reasons, we have been forced to initiate this lawsuit, suing the hospital for negligence and negligent infliction of emotional distress.”
In a 2015 incident, Quest Diagnostics and a number of healthcare providers faced a class-action lawsuit after several hundred health files were mistakenly sent to a New York-based marketing firm over the course of a year.
The mistake was due to human error in which individuals from several healthcare providers incorrectly input Quest’s fax number, thus sending medical files to the marketing firm APS Marketing Group, instead of to Quest.
In a press release, the law firm representing the plaintiff charged that Quest was alerted to the breach but “did nothing to prevent the continued transmissions, failed to alert medical providers and patients, and failed to report the breach to authorities. As a result, the personal and sensitive medical information of hundreds of patients was disclosed to unauthorized third-parties, putting their security and privacy at great risk.”