We Sent PHI to the Wrong Patient — Now What?

By GuardWell Compliance Team·March 15, 2026·8 min read

A fax went to the wrong number. A patient portal message was sent to the wrong patient. An email with lab results was addressed to the wrong person. A prescription was attached to the wrong chart. Whatever the specific situation, protected health information just went to someone who should not have received it. This happens in medical practices every single day — it is one of the most common HIPAA incidents reported to HHS. Here is exactly what to do, step by step, starting right now.

Step 1: Stop the Disclosure (First 15 Minutes)

Your immediate priority is to contain the exposure and prevent further disclosure:

  • Fax: Call the recipient number immediately. Ask the person who answered to destroy the fax without reading or copying it. Document who you spoke with and what they agreed to do.
  • Email: If your email system supports message recall, attempt it immediately (though recall is unreliable). Contact the recipient and ask them to delete the email without forwarding or saving it.
  • Patient portal: Contact your EHR vendor immediately to determine if the message can be retracted or deleted from the recipient's portal view. Some systems support message recall; many do not.
  • Physical mail: If you realize the error before the mail is picked up, retrieve it. If it has already been sent, you cannot recall it — move to the next steps.
  • Document every containment action you take, including the time, who you contacted, and the outcome.

Step 2: Document the Incident (First Hour)

Before memories fade and details blur, create a written record of exactly what happened:

  • What PHI was disclosed (patient name, diagnosis, lab results, medications, etc.)
  • How many patients' information was involved
  • Who the information was sent to (the unintended recipient)
  • How the disclosure occurred (human error, system glitch, mislabeled chart)
  • When it happened and when it was discovered
  • What containment actions were taken and their results
  • Who on your staff was involved

Step 3: Conduct the Four-Factor Breach Risk Assessment (First 48 Hours)

Under HIPAA, not every impermissible disclosure qualifies as a reportable breach. The Breach Notification Rule requires you to perform a four-factor risk assessment to determine whether the incident rises to the level of a breach requiring notification. The four factors are:

  1. The nature and extent of the PHI involved: What types of identifiers and clinical information were disclosed? A misdirected fax containing a patient name, date of birth, Social Security number, and HIV diagnosis is very different from one containing only a name and appointment date.
  2. The unauthorized person who received the PHI: Was it another patient of the practice (who may have their own obligation to protect health information), a random individual, or an entity with no relationship to healthcare?
  3. Whether the PHI was actually acquired or viewed: Can you confirm the recipient did not read the information? Did they confirm destruction? If the fax machine was in an unattended area, you may not be able to confirm this.
  4. The extent to which the risk has been mitigated: Did you obtain the recipient's assurance that the information was destroyed? Did you retrieve the misdirected document?

If your risk assessment determines there is a low probability that the PHI was compromised, you may conclude it is not a reportable breach. However, you must document this analysis in writing — the burden of proof is on you to demonstrate why notification was not required. If you cannot demonstrate low probability of compromise, it is presumed to be a breach and notification is required.

Step 4: Determine Your Notification Obligations (If It Is a Breach)

If your risk assessment determines this is a reportable breach, several notification clocks start running:

  • Individual notification: You must notify the affected patient(s) in writing within 60 days of discovering the breach. The notification must describe what happened, the types of PHI involved, steps the individual should take, what you are doing in response, and contact information for questions.
  • HHS notification: If fewer than 500 individuals are affected, you must report the breach to HHS through the OCR breach portal within 60 days of the end of the calendar year in which the breach was discovered. If 500 or more individuals are affected, notification to HHS must occur within 60 days of discovery.
  • State notification: Many states have their own breach notification laws with shorter deadlines. Some states require notification within 30 days, and some require notification to the state attorney general regardless of the number of individuals affected. Check your state's specific requirements.

Step 5: Implement Corrective Actions (First Week)

Address the root cause to prevent recurrence:

  • If the error was a misdirected fax: Implement a fax cover sheet protocol requiring verification of the recipient number before transmission. Consider using a secure electronic fax service that maintains a verified contact directory.
  • If the error was a portal or email mistake: Review your workflow for matching messages to patients. Implement a two-step verification process where the sender confirms the recipient identity before sending.
  • If the error was a chart or record mix-up: Review your patient identification procedures and consider additional verification steps at the point of record retrieval.
  • Retrain the involved staff member — not as punishment, but as a documented corrective action. Training should focus on the specific workflow that failed.
  • Document all corrective actions with dates and responsible parties. This documentation is critical if OCR later investigates.

Common Mistakes Practices Make After a Misdirected PHI Incident

  • Not documenting the incident at all — hoping it will simply go away. Every PHI incident must be logged and assessed, even if you determine it is not a reportable breach.
  • Skipping the four-factor risk assessment — this is required under HIPAA and its absence is itself a violation.
  • Terminating the employee immediately — while a sanction policy is required, firing someone for an honest mistake without a documented progressive discipline process can create a hostile environment that discourages future incident reporting.
  • Not checking state law — federal HIPAA rules are the floor, not the ceiling. Your state may impose stricter requirements.

Misdirected PHI is one of the most preventable compliance incidents. A practice with documented procedures, trained staff, and a system for logging and tracking incidents can handle these situations quickly and correctly. GuardWell's incident tracking, breach risk assessment tools, and state-specific breach deadline calculator help practices respond confidently when these situations arise — and build the documentation that demonstrates responsible compliance management.