What to do if You Accidentally get Patient Health Information

Introduction

This is a guide for university employees who don't work in our healthcare clinics but who might get Patient Health Information (PHI) accidentally delivered to them.  Proper handling of mis-routed PHI is important to protect the privacy of the patient and to meet the university's legal requirements under HIPAA (the Health Insurance Portability and Accountability Act).  Examples of mis-routed PHI include:

  • A patient of one of our clinics dials a wrong number and leaves you a voicemail referring to an appointment at a clinic.
  • An external healthcare partner tries to send a fax with a request for patient records to one of our clinics, but mis-dials and it ends up on your fax machine.
  • An employee in one of our clinics tries to print a document but accidentally sends it to your printer.
  • A letter from an insurance company lacks the information for Mail Services to deliver it correctly and ends up in your inbox.

What is PHI

PHI (Patient Health Information) is any information that could be used to link an individual with information about their health records or status as a healthcare patient.  A person's medical record is PHI, but so is a bill for services, or even a photo of someone entering a clinic.  When in doubt, treat anything referencing individuals and healthcare as PHI.  For more, see this information from the Department of Health and Human Services.

Non-Pacific PHI

If the PHI (Patient Health Information) comes from a healthcare entity not affiliated with the university, our legal responsibilities are precise.  Follow instructions (e.g. on a fax cover letter) on what to do with a mis-routed communication.  If there are no instructions, delete the electronic communication or shred the paper.

Pacific PHI

If the PHI (Patient Health Information) comes from a Pacific University clinic, do the following:

  1. Do not delete, shred or otherwise destroy the item containing PHI unless instructed to do so.
  2. Secure the PHI so that nobody else can see or take it.  If it's a print job on a printer, for instance, put the papers in a drawer in a locked office so that nobody else will see them.
  3. Contact the university's HIPAA Privacy Officer via the Report a Potential Privacy or Security Incident form to report the mis-routed PHI.  This form is HIPAA compliant (configured to securely handle PHI) so it's okay to enter patient identifying information into the form.
  4. You may be asked to delete or destroy the item containing PHI.  Wait for instructions from the Privacy Officer on how to do so.
  5. You may be asked to send the item containing PHI to the Privacy Officer or the Pacific clinic the information originated from or was meant for.
    1. For printed matter, inter-campus mail is considered secure.  Use a single-use, sealed, secure envelope to help ensure nobody accidentally sees the contents.
    2. For electronic communications, do not email them.  Pacific does not consider unencrypted email secure enough for the transmission of PHI.  A HIPAA-secure Box folder will be shared with you that you can upload materials to.

See Also

How to Delete Call Records from a Phone

General Guidelines to Safeguard Protected Health Information - Policy

Questions?

Contact Support

Details

Article ID: 158131
Created: Thu 8/14/25 11:05 AM
Modified: Thu 8/14/25 1:19 PM