IT Employment

General discussion


Who is responsible for confidential faxes sent to wrong number?

By jesc ·
Prudential Insurance is in the news becuase doctors and clinics were faxing confidential patient recordss to another company with an almost identical fax number.

If you are the company receiving the faxes in error, what are your obligations toward the confidentiality of the faxes?

Just becuase someone adds that goofy disclaimer on the bottom that many companies are mandating that says that an unintended receipiant is to destroy a fax received in error, is that binding? What if they just throw the fax away?

At what point does it even become your problem if some clinic you have no relationship with is sending highly confidential information that can be accessed by your employees?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -


by BFilmFan In reply to Who is responsible for co ...

HIPAA holds the sender to be responsible. Most other federal laws would hold that if you willingly discolse information to a third-party, you as the discloser are responsible.

Same principle as trash. If you put it in the trash and someone comes along and reads it, it's your problem not the readers...

Collapse -

Why me?

by jesc In reply to HIPAA

If someone discloses confidential information to a third party that they have no relationship then there is no expectation of privacy.

The company in the Prudential case did not ask for the records. It tried to contact the senders to tell them to stop until it became to time consuming and expensive. It contacted Prudential to ask them to address it. They also offered to forward the faxes to Prudential at a cost suffienct to cover their expenses. None of this worked.

Why would this second party be any more responsible then the garbage pickup service that picked up the faxes thrown in the trash.

If the trash was later raided to steal the confidential data then the trash company would be responsible. If the trash company dumped its trash at a landfill then the landfill company would be responsible.

The question becomes determining when responsibilty for releasing the information ends.

Collapse -

Other nonmedical confidential information is also a problem

by stress junkie In reply to Who is responsible for co ...

You may have heard about the Boston Globe newspaper wrapping its newspaper bundles with paper that had names and credit card numbers of a huge number of their subscribers. The Boston Globe issued an apology to its subscribers. Imagine that. An apology. There has been no word of any other consequences for this egregious breach of security and fuduciary responsibility. As far as I know nobody will lose their job. No criminal charges will be brought against the newspaper. No fines. Nothing. Meanwhile thousands of their customers are at risk of having their credit card numbers used by criminals.

It seems to me that there is room in the law to bring charges against the newspaper and its management. It also seems to me that this would be a good candidate for a class action suit from the newspaper's subscribers. I haven't heard anything along these lines though.

Collapse -

How hard can it be?

by tfitzpatrick In reply to Who is responsible for co ...

I happen to live in Manitoba, Canada where I believe this company that was receiving the faxes in error does business. I also understand that this went on for a period of about 18 months. My question is, how hard can it be to call Prudential and tell them to handle it. I am sure calls were made, but obviously whomever made the calls did not talk to the right people.

Now I hear the solution is that Prudential is buying the FAX number from the company. Here in Canada, this would not be swept under the carpet. I hope, for the sake of the people whose names and information were on those faxes, that the government goes after Prudential and makes them accountable.

Collapse -

Prudential was contacted

by jesc In reply to How hard can it be?

The company called Prudential and asked them to take action. Prudential's stand was that the fax number they published was correct, so it was not their problem. The company offered to sell Prudential the number for the cost of replacing and readvertising the new number to their customers. Prudential was not interested.

From a legal standpoint Prudential was not liable becuase the clinics were mis-keying the fax number. This wouls make the clinics liable, not Prudential.

So the underlying question for the company receiving the faxes is an ethical question, not just one of legality or cost.

Collapse -

Contrary to my previous post

by tfitzpatrick In reply to Prudential was contacted

In my previous post, I pointed the finger at the Manitoba company for not dealing with the faxes right away by calling Prudential.

I just read a great article that explains that this company called Prudential in October 2004 and did not hear anything back so they called again in April 2005. They were told by Prudential that it was not their problem. Turns out, the FAX number of the Manitoba company is only 1 digit different from Prudential's number.

According to the article, we are talking about thousands of documents for 1000's of claims. What are the odds that so many clinics would transpose the exact same number and end up calling the wrong company?

In my opinion, Prudential should at least make an attempt to prevent this by changing the number. The Manitoba company offered to sell the number, but Prudential refused and instead asked the company to keep forwarding the faxes by prepaid mail. Why should this small Manitoba company bear the cost of mailing the faxes to Prudential? By the way, doesn't faxing confidential information sound a little bit risky at the best of times?

Isn't it about time that companies like Prudential, who likely make millions of dollars in profit, step up and take resposibility, or at least appear to give a damn about their customer's and their personal data?

Collapse -

Think about it for a moment

by Quick1005 In reply to Who is responsible for co ...

Keep in mind the following points:
1) Prudential is asking for patient confidential data to be sent in by clinics and the like
2) That is similar to faxing a document with a social security number on it. Not a popular idea.
3) What data was being sent that needed to be there? Name, Social Security #, Patient ID.
4) Need to Know. What should have been on the document was the patient ID (Prudential ID#) and services rendered so that the data is protected.

Just my 2 cents. Fax and email services provided by Prudential in this case. If the sender is a 3rd party and can not dial or address the document correctly reconsider the 3rd party....

Collapse -

Maybe I'm missing something here but

by HAL 9000 Moderator In reply to Who is responsible for co ...

Shouldn't the company who was receiving the Faxes have contacted the senders and not the intended recipient?

Those Goofy little Disclaimers on the bottom of E-Mails and Faxes tell you to contact the sender if you get it by mistake not the intended recipient.

Here is one of those Goofy Disclaimers This e-mail is intended only to be read or used by the addressee. It is
confidential and may contain legally privileged information. If you are
not the addressee indicated in this message (or responsible for delivery of
the message to such person), you may not copy or deliver this message to
anyone, and you should destroy this message and kindly notify the sender by
reply e-mail. Confidentiality and legal privilege are not waived or lost by
reason of mistaken delivery to you.

Now this quite clearly tells the wrong recipient to contact the sender not the intended recipient as it is the senders responsibility to make sure that they address the items correctly be that an e-mail address or a Fax [Phone Number.]

If the sender is unaware of the mistake how can they fix it? This is a case of very poor management on the part of the company receiving these Faxes and it's just the same as if you walk into a bank to deposit funds into your account if you fill in the forms wrong who's responsible the bank for your own stupidity?

While it is a nice thing to do by notifying the intended receiver really the problem lies at the other end with those sending the Faxes in this case they messed up big time and should be held accountable. Just the same if the unintended receiver was to make this information public then they would be responsible for breaching any Privacy Laws in effect at the time.

In this case all that Prudential was responsible to do was to constantly send out the correct Fax Number and maybe highlight it or use a different Font so it was more visible but they are not responsible for the stupidity of the companies/medical practitioners sending the faxes who are only sending them in an attempt to get paid for their services I suppose. If the sender is incompetent they are responsible for their actions not the receiver unless the unintended receiver acts recklessly and allows these mistakes to become public knowledge.

If they where to just contact the sender and then shred the faxes they have acted responsibly. In this case if one sender was to send 100 copies of different faxes to the unintended recipient it would only require 1 phone call to correct not one for each fax.

Col ]:)

Collapse -

What you are missing

by jesc In reply to Maybe I'm missing somethi ...

If a company receives one bad fax they may out of the kindness of their heart honor the statement you list. The receiver should not feel under any obligation since the message is unsolicited and the receiver usually does not have a business relationship with the sender. Simply adding the statement to the bottom of a message does not bind them in any way.

What if you receive 500 faxes? What if you receive a 1000? At what point does the kindness of your heart become agrevation? Granted each company is probably only sending to the wrong fax number once. At the same time, should the company receiving all the erroneous faxes be obligated to hire additional personnel to continue notifying companies that they are faxing confidential data to the wrong person?

Perhaps the message on the bottom that you list should add, "We will reimburse any reasonable charges you incur in honoring our request to notify us if we mistakenly send you a fax."

In the case that a sender sent 100 copies to the wrong number, assuming 10 cents per copy, they would reimburse the wrong destination $10, plus say another $10 to cover labor and the phone call. Senders paying $20 for flooding someone's fax with unrequested trash would seem pretty reasonable. You would bet they would be more careful in the future.

I suppose the company could have also taken another route and called the patiences and asked them what they wanted done with their medical records. That might have been more interesting and kind of fun. ;-)

Collapse -

You're right there

by HAL 9000 Moderator In reply to What you are missing

Phoning the actual patient would have been an interesting experience. Although I'm inclined to think that it might have cause the company staff member some hard times by outraged patients.

Not to mention all the additional costs incurred by having at least one staff member constantly calling these people and the cost of the phone calls. :)

But if they did that they would more likely than not have an excellent case to take to Court and could make quite a bit of money out of the situation as they would be claiming for all the expenses incurred as well as counseling for the staff member/s involved in making the phone calls.

Col ]:)

Related Discussions

Related Forums