Dr. G, 58, was a urologist with a solo practice. His business was thriving, and he employed both a nurse and an office manager to help him.

One morning, the office manager got a call from one of the practice’s patients, Mr. M, a 52-year-old, HIV-positive man who had been seeing Dr. G for a decade. Although he was happy with the treatment he had been receiving, Mr. M’s company was promoting him and he was relocating to another town. He called to ask Dr. G to fax his medical records to his new urologist.

The office manager was juggling numerous tasks, but managed to send the fax out later that day. The office did not have personalized fax cover sheets, just sheets that the office manager printed off once a week which had spaces to fill in the “to” and “from” sections. She hurriedly filled them in and shot off the fax, one of several she had to do before checking in the next patient.

At the end of the day she told Dr. G that it had been done. He thought nothing of it until the following Monday when the office manager came into the back office to speak to him. She was pale and looked shaken, and the physician immediately asked if she was okay.

“It’s Mr. M,” the office manager said. “He just called – absolutely furious. He says that we faxed his medical records to his employer rather than his new doctor, and that now his company is aware of his HIV status. He is extremely upset.”

“I’m so sorry,” the office manager said tearfully. “I was the one who sent that fax out. I must have accidentally grabbed the wrong number from his file. What should we do?” She looked at Dr. G for guidance.

Dr. G was holding his forehead, and trying to figure out how to remedy the situation. “The first thing we’re going to do is to call Mr. M and apologize. Then we’ll take it from there.”

The office manager and Dr. G called Mr. M and apologized profusely for the mix-up. Mr. M understood that it had not been done maliciously, but he was still not satisfied and reported the incident to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).

An initial investigation indicated that the incident was not criminal and so it was not referred to the Department of Justice.

Rather, it was handled by the OCR. OCR officials appeared at Dr. G’s office to look into the matter, and after a thorough investigation, the OCR issued a letter of warning to the office manager, referred the office staff for HIPAA privacy training, and had the office revise the fax cover sheets to underscore that they contain a confidential communication for the intended recipient only.