General discussion

  • Creator
    Topic
  • #2192387

    Who is responsible for confidential faxes sent to wrong number?

    Locked

    by jesc ·

    Prudential Insurance is in the news becuase doctors and clinics were faxing confidential patient recordss to another company with an almost identical fax number.

    If you are the company receiving the faxes in error, what are your obligations toward the confidentiality of the faxes?

    Just becuase someone adds that goofy disclaimer on the bottom that many companies are mandating that says that an unintended receipiant is to destroy a fax received in error, is that binding? What if they just throw the fax away?

    At what point does it even become your problem if some clinic you have no relationship with is sending highly confidential information that can be accessed by your employees?

All Comments

  • Author
    Replies
    • #3093119

      HIPAA

      by bfilmfan ·

      In reply to Who is responsible for confidential faxes sent to wrong number?

      HIPAA holds the sender to be responsible. Most other federal laws would hold that if you willingly discolse information to a third-party, you as the discloser are responsible.

      Same principle as trash. If you put it in the trash and someone comes along and reads it, it’s your problem not the readers…

      • #3093008

        Why me?

        by jesc ·

        In reply to HIPAA

        If someone discloses confidential information to a third party that they have no relationship then there is no expectation of privacy.

        The company in the Prudential case did not ask for the records. It tried to contact the senders to tell them to stop until it became to time consuming and expensive. It contacted Prudential to ask them to address it. They also offered to forward the faxes to Prudential at a cost suffienct to cover their expenses. None of this worked.

        Why would this second party be any more responsible then the garbage pickup service that picked up the faxes thrown in the trash.

        If the trash was later raided to steal the confidential data then the trash company would be responsible. If the trash company dumped its trash at a landfill then the landfill company would be responsible.

        The question becomes determining when responsibilty for releasing the information ends.

    • #3093079

      Other nonmedical confidential information is also a problem

      by stress junkie ·

      In reply to Who is responsible for confidential faxes sent to wrong number?

      You may have heard about the Boston Globe newspaper wrapping its newspaper bundles with paper that had names and credit card numbers of a huge number of their subscribers. The Boston Globe issued an apology to its subscribers. Imagine that. An apology. There has been no word of any other consequences for this egregious breach of security and fuduciary responsibility. As far as I know nobody will lose their job. No criminal charges will be brought against the newspaper. No fines. Nothing. Meanwhile thousands of their customers are at risk of having their credit card numbers used by criminals.

      It seems to me that there is room in the law to bring charges against the newspaper and its management. It also seems to me that this would be a good candidate for a class action suit from the newspaper’s subscribers. I haven’t heard anything along these lines though.

    • #3132907

      How hard can it be?

      by tfitzpatrick ·

      In reply to Who is responsible for confidential faxes sent to wrong number?

      I happen to live in Manitoba, Canada where I believe this company that was receiving the faxes in error does business. I also understand that this went on for a period of about 18 months. My question is, how hard can it be to call Prudential and tell them to handle it. I am sure calls were made, but obviously whomever made the calls did not talk to the right people.

      Now I hear the solution is that Prudential is buying the FAX number from the company. Here in Canada, this would not be swept under the carpet. I hope, for the sake of the people whose names and information were on those faxes, that the government goes after Prudential and makes them accountable.

      • #3132819

        Prudential was contacted

        by jesc ·

        In reply to How hard can it be?

        The company called Prudential and asked them to take action. Prudential’s stand was that the fax number they published was correct, so it was not their problem. The company offered to sell Prudential the number for the cost of replacing and readvertising the new number to their customers. Prudential was not interested.

        From a legal standpoint Prudential was not liable becuase the clinics were mis-keying the fax number. This wouls make the clinics liable, not Prudential.

        So the underlying question for the company receiving the faxes is an ethical question, not just one of legality or cost.

        • #3091792

          Contrary to my previous post

          by tfitzpatrick ·

          In reply to Prudential was contacted

          In my previous post, I pointed the finger at the Manitoba company for not dealing with the faxes right away by calling Prudential.

          I just read a great article that explains that this company called Prudential in October 2004 and did not hear anything back so they called again in April 2005. They were told by Prudential that it was not their problem. Turns out, the FAX number of the Manitoba company is only 1 digit different from Prudential’s number.

          According to the article, we are talking about thousands of documents for 1000’s of claims. What are the odds that so many clinics would transpose the exact same number and end up calling the wrong company?

          In my opinion, Prudential should at least make an attempt to prevent this by changing the number. The Manitoba company offered to sell the number, but Prudential refused and instead asked the company to keep forwarding the faxes by prepaid mail. Why should this small Manitoba company bear the cost of mailing the faxes to Prudential? By the way, doesn’t faxing confidential information sound a little bit risky at the best of times?

          Isn’t it about time that companies like Prudential, who likely make millions of dollars in profit, step up and take resposibility, or at least appear to give a damn about their customer’s and their personal data?

    • #3092461

      Think about it for a moment

      by quick1005 ·

      In reply to Who is responsible for confidential faxes sent to wrong number?

      Keep in mind the following points:
      1) Prudential is asking for patient confidential data to be sent in by clinics and the like
      2) That is similar to faxing a document with a social security number on it. Not a popular idea.
      3) What data was being sent that needed to be there? Name, Social Security #, Patient ID.
      4) Need to Know. What should have been on the document was the patient ID (Prudential ID#) and services rendered so that the data is protected.

      Just my 2 cents. Fax and email services provided by Prudential in this case. If the sender is a 3rd party and can not dial or address the document correctly reconsider the 3rd party….

    • #3092281
      Avatar photo

      Maybe I’m missing something here but

      by hal 9000 ·

      In reply to Who is responsible for confidential faxes sent to wrong number?

      Shouldn’t the company who was receiving the Faxes have contacted the senders and not the intended recipient?

      Those Goofy little Disclaimers on the bottom of E-Mails and Faxes tell you to contact the sender if you get it by mistake not the intended recipient.

      Here is one of those Goofy Disclaimers [b]This e-mail is intended only to be read or used by the addressee. It is
      confidential and may contain legally privileged information. If you are
      not the addressee indicated in this message (or responsible for delivery of
      the message to such person), you may not copy or deliver this message to
      anyone, and you should destroy this message and kindly notify the sender by
      reply e-mail. Confidentiality and legal privilege are not waived or lost by
      reason of mistaken delivery to you.[/b]

      Now this quite clearly tells the wrong recipient to contact the sender not the intended recipient as it is the senders responsibility to make sure that they address the items correctly be that an e-mail address or a Fax [Phone Number.]

      If the sender is unaware of the mistake how can they fix it? This is a case of very poor management on the part of the company receiving these Faxes and it’s just the same as if you walk into a bank to deposit funds into your account if you fill in the forms wrong who’s responsible the bank for your own stupidity?

      While it is a nice thing to do by notifying the intended receiver really the problem lies at the other end with those sending the Faxes in this case they messed up big time and should be held accountable. Just the same if the unintended receiver was to make this information public then they would be responsible for breaching any Privacy Laws in effect at the time.

      In this case all that Prudential was responsible to do was to constantly send out the correct Fax Number and maybe highlight it or use a different Font so it was more visible but they are not responsible for the stupidity of the companies/medical practitioners sending the faxes who are only sending them in an attempt to get paid for their services I suppose. If the sender is incompetent they are responsible for their actions not the receiver unless the unintended receiver acts recklessly and allows these mistakes to become public knowledge.

      If they where to just contact the sender and then shred the faxes they have acted responsibly. In this case if one sender was to send 100 copies of different faxes to the unintended recipient it would only require 1 phone call to correct not one for each fax.

      Col ]:)

      • #3133640

        What you are missing

        by jesc ·

        In reply to Maybe I’m missing something here but

        If a company receives one bad fax they may out of the kindness of their heart honor the statement you list. The receiver should not feel under any obligation since the message is unsolicited and the receiver usually does not have a business relationship with the sender. Simply adding the statement to the bottom of a message does not bind them in any way.

        What if you receive 500 faxes? What if you receive a 1000? At what point does the kindness of your heart become agrevation? Granted each company is probably only sending to the wrong fax number once. At the same time, should the company receiving all the erroneous faxes be obligated to hire additional personnel to continue notifying companies that they are faxing confidential data to the wrong person?

        Perhaps the message on the bottom that you list should add, “We will reimburse any reasonable charges you incur in honoring our request to notify us if we mistakenly send you a fax.”

        In the case that a sender sent 100 copies to the wrong number, assuming 10 cents per copy, they would reimburse the wrong destination $10, plus say another $10 to cover labor and the phone call. Senders paying $20 for flooding someone’s fax with unrequested trash would seem pretty reasonable. You would bet they would be more careful in the future.

        I suppose the company could have also taken another route and called the patiences and asked them what they wanted done with their medical records. That might have been more interesting and kind of fun. 😉

        • #3091712
          Avatar photo

          You’re right there

          by hal 9000 ·

          In reply to What you are missing

          Phoning the actual patient would have been an interesting experience. Although I’m inclined to think that it might have cause the company staff member some hard times by outraged patients.

          Not to mention all the additional costs incurred by having at least one staff member constantly calling these people and the cost of the phone calls. 🙂

          But if they did that they would more likely than not have an excellent case to take to Court and could make quite a bit of money out of the situation as they would be claiming for all the expenses incurred as well as counseling for the staff member/s involved in making the phone calls. 😀

          Col ]:)

        • #3102691

          Sloppy employees

          by da philster ·

          In reply to What you are missing

          Sounds like employees not being sufficiently trained and responsible.
          I frankly don’t mind too much when the occasional wrong number comes my way. It happens; people make mistakes.
          The problem is when it is pointed out, documented, and no corrective action is taken.
          At this point, my time is being wasted and that becomes a problem.
          Resolution……the faxes go directly into the trash. End of story.

    • #3093844

      Let’s just fax …

      by ru_trustified ·

      In reply to Who is responsible for confidential faxes sent to wrong number?

      our trade secrets and details of national security as well. Why are we bothering with encrytion when we have this ultra secure technology?

      • #3093755

        You got a point there…..

        by j.ringham ·

        In reply to Let’s just fax …

        My company has people in HR who are constantly faxing things, even though the program that they are printing/faxing the data from has a very simple e-mail capability. All I can do on my end is to try to show people how easy it is to e-mail, but if they are not comfortable with the technology, they won’t use it. Still and all, if they are faxing, I think it is their responsibility to get it right. It makes me wonder how this could go on for so long without someone connecting to the correct person in the company sending the faxes. We get items meant for other companies at times and it does not take us 18 months to get it fixed. We shred what we got and call the sender and tell them they need to get the correct number to fax to. Seems like there was a certain amount of “don’t give a…..” involved in the process.

    • #3093725

      A legal opinion

      by mejpsimard ·

      In reply to Who is responsible for confidential faxes sent to wrong number?

      It’s interesting for a lawyer to follow these discussions, so here goes…

      To hold anyone “accountable”, in the end, you must have proven damages. Otherwise, what are you holding them accountable for?

      In other words, although the events are certainly unfortunate, if they carry only “possible” consequences, without anything concrete, very little will result “legally” from such situations.

      The only people “accountable” without damages arising are people of professions like my own, ie lawyers, or doctor, etc. More precisely, anybody who has an oath which asks them to maintain a strick confidentiality under any circumstances.

      Anybody else then the forementionned professionnals are just gonna skip away in they are no real damages to be seen. At least, that my opinion when it comes to Canada.

      • #3253951
        Avatar photo

        That only works if nothing gets sent around

        by hal 9000 ·

        In reply to A legal opinion

        It’s entirely possible to receive your next doors neighbors medical records and if they where someone that you disliked and they had HIV and that was spread around then [b]Actual Damages[/b] do happen.

        A few years ago here in AU the Census Bureau sent all the filled in Census forms out to be pulped after they had entered all the data onto their data base and the carrier used an open top truck and bundles of Census Forms where bounced off the trucks caring them. Of course some bright spark had to pass on a whole bunch of these forms to the Media who raised [b]Hell[/b] quite rightly but if they had of just notified the proper authorities then there would have been no big deal as the missing forms would have been collected and pulped.

        The current AU Federal Government is littered with instances like this where records that are supposedly confidential have gone astray in vast amounts like Tax Returns, Medical Bills for payment through the State Sponsored Medicare Program and the like. In every case the complete forms have ended up falling off trucks while on their way to be pulped and have become public domain owing to the way that the media works here.

        While the instance that started off this thread doesn’t report any actual damages arising from this long term incompetence you have to agree that the potential did exist and if someone had their private medical records made public they would most likely be unable to trace the source of the leak. So if there was some [b]Actual Damages to Arise[/b] here the person so damaged wouldn’t be able to seek compensation for that Damage that had arisen because they wouldn’t be able to prove in any Court who was responsible for allowing that information to escape would they?

        Col ]:)

        • #3133633

          Public report of lost records required?

          by jesc ·

          In reply to That only works if nothing gets sent around

          Financial Industry companies are obligated under the law of an increasing number of states to report to the media when their confidential records of consumer data are compromised by third parties.

          I wonder that, since most medical records include social security numbers, this type of situation should be included under those laws. The fact that the clinic released confidential consumer data to a wrong fax number would indicate that records had been compromised. The clinic should then be under obligation to report to the media that they had released consumer data.

          Why should clinics be excepted from reporting since their data is probably alot more sensitive than just a name and social security number?

        • #3091707
          Avatar photo

          I agree

          by hal 9000 ·

          In reply to Public report of lost records required?

          Over here in AU they have to take responsibility for things like this happening and with some Privacy Laws Introduced in February 2005 by the AU Federal Government they are responsible and the Principals involved can face stiff jail terms if convicted of something like this happening.

          It’s part of the reason that I don’t touch Medical Systems any more as most of the Medical Software Packages require programs like PC Anywhere to be installed so that they can log in and update the programs on a regular basis. This requires a constant Internet connection and an open connection available to the system.

          The last time I spoke to the company involved with this particular software package they wouldn’t even accept a VPN into the system as it would be too much trouble for them to maintain, but then again they are not the ones who would be held responsible if a break in did occur. I just didn’t want to be the Tech responsible in a case like that. 🙂

          Col ]:)

Viewing 6 reply threads