Fax Machines and HIPAA: An Ongoing Risk
Despite the rise of electronic health records and secure messaging, fax machines remain a primary communication method in healthcare. Referrals, lab results, prescriptions, and medical records are faxed millions of times daily across the industry. And every fax sent to a wrong number is a potential HIPAA breach — one that lands physical pages of protected health information (PHI) in the hands of an unauthorized recipient with no technical mechanism to recall them.
If someone in your practice just faxed patient records to the wrong number, here is what you need to do and how to determine whether it rises to the level of a reportable breach.
Step 1: Confirm What Was Sent and Where It Went
Pull the fax confirmation report immediately. Identify:
- The number the fax was actually sent to (compare against the intended recipient)
- Whether the transmission was successful (a failed transmission may mean no PHI was delivered)
- Exactly what pages were included — the types of PHI matter for your risk assessment
- How many patients’ records were in the fax
If you can identify who received the misdirected fax (for example, you dialed a number one digit off and reached another business), contact the unintended recipient immediately. Ask them to confirm destruction of the pages and document that conversation, including the date, time, and the name of the person you spoke with.
Step 2: Apply the Four-Factor Breach Risk Assessment
Under 45 CFR §164.402, an impermissible use or disclosure of PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised. The four-factor risk assessment evaluates:
- Nature and extent of PHI involved: A fax containing a patient’s name and appointment date is lower risk than one containing diagnoses, Social Security numbers, or substance abuse treatment records. The more sensitive the data, the higher the risk.
- Who received the PHI: Was the unintended recipient another healthcare provider (who has their own HIPAA obligations), a business, or an unknown residential number? A fax received by a covered entity or business associate carries lower risk because they are independently obligated to protect PHI.
- Whether the PHI was actually acquired or viewed: If you contacted the recipient and they confirmed the fax was received but not read and was immediately shredded, this weighs in your favor. If the fax went to an unknown number with no response, you may not be able to demonstrate this factor.
- Extent of mitigation: Prompt contact with the recipient, confirmed destruction, and documented follow-up all support a finding that the risk was mitigated.
When a Wrong-Number Fax Is Not a Reportable Breach
A misdirected fax may not require breach notification if your risk assessment demonstrates a low probability of compromise. Common scenarios where practices have successfully avoided notification include:
- The fax was sent to another covered entity that confirmed immediate destruction
- The fax contained limited PHI (name and appointment only) and the recipient confirmed they did not read or retain it
- The fax failed to transmit (confirmed by the fax log showing an error)
Even if notification is not required, you must still document the incident, your risk assessment, and your reasoning in your breach log. Under 45 CFR §164.530(j), this documentation must be retained for six years.
When Notification Is Required
If you cannot demonstrate a low probability of compromise — for example, the fax went to an unknown number and no one responded to your callback attempts — the incident is a reportable breach. You must follow the HIPAA breach notification rules:
- Notify the affected individual(s) within 60 days of discovery (45 CFR §164.404)
- Report to HHS — immediately if 500+ individuals are affected, or by year-end for smaller breaches (45 CFR §164.408)
- If 500+ individuals in a single state are affected, notify prominent local media (45 CFR §164.406)
For a single misdirected fax, the number of affected individuals is typically small, which means annual reporting rather than immediate HHS notification. But the obligation to notify the affected patient(s) within 60 days still applies.
The Minimum Necessary Exception That Does Not Apply Here
Some practices mistakenly believe that the minimum necessary standard somehow reduces their liability for a misdirected fax. It does not. The minimum necessary rule (45 CFR §164.502(b)) requires you to limit disclosures to the minimum PHI necessary for the purpose — but a wrong-number fax is an impermissible disclosure regardless of how much PHI was included. The minimum necessary standard is about what you should have sent; the breach assessment is about what happened when it went to the wrong place.
That said, the minimum necessary standard is relevant to prevention. If your practice routinely faxes full medical records when only a lab result was requested, you are increasing both your compliance risk and the potential impact of a misdirected fax.
Mitigation Steps to Take Immediately
- Call the number the fax actually went to. Explain (without disclosing additional PHI) that a fax was sent in error and ask the recipient to destroy all received pages. Document the call, including the date, time, and the name of the person you spoke with.
- Send a cover sheet to the wrong number requesting destruction of the misdirected fax.
- Notify your Privacy Officer and initiate your incident management workflow.
- Document everything: The fax log, your risk assessment, the mitigation steps taken, and the outcome.
- Review the root cause: Was the wrong number manually dialed, pulled from an outdated directory, or auto-populated incorrectly? Address the root cause to prevent recurrence.
Preventing Misdirected Faxes
Most misdirected faxes result from manual dialing errors or outdated fax directories. Practical controls include:
- Using pre-programmed speed-dial numbers for frequent recipients and verifying them quarterly
- Requiring double-verification of fax numbers before sending PHI
- Including a confidentiality notice on all fax cover sheets
- Transitioning to secure electronic messaging or Direct messaging where possible
- Conducting regular risk assessments that evaluate fax-related risks alongside electronic threats
Fax errors are among the most common sources of HIPAA breaches reported to OCR. A few simple process changes can dramatically reduce your exposure.
Frequently Asked Questions
Is every misdirected fax a HIPAA breach?
Not necessarily. Every misdirected fax containing PHI is an impermissible disclosure that requires a four-factor risk assessment under 45 CFR §164.402. If the assessment demonstrates a low probability that the PHI was compromised — for example, the recipient confirmed immediate destruction — it may not require breach notification. However, you must still document the incident and your analysis.
What if the wrong recipient is another doctor’s office?
If the fax was received by another covered entity, they have their own HIPAA obligations to protect PHI. This factor weighs in your favor during the risk assessment. Contact the receiving office, confirm they will destroy the misdirected pages, and document the exchange. This scenario frequently supports a finding of low probability of compromise.
Do I need to tell the patient about a misdirected fax?
If your four-factor risk assessment determines a breach occurred (i.e., you cannot demonstrate low probability of compromise), you must notify the affected patient within 60 days of discovery under 45 CFR §164.404. If the assessment supports a finding of no breach, notification is not required — but some practices choose to notify patients voluntarily as a goodwill measure.
Should we stop using fax machines entirely?
HIPAA does not prohibit faxing PHI. However, fax-related incidents are among the most frequently reported breaches. Transitioning to secure electronic messaging, Direct messaging, or encrypted email for PHI transmission significantly reduces risk. If your practice continues to fax, implement pre-programmed numbers, double-verification protocols, and confidentiality cover sheets to minimize errors.