Provided by: Jennifer Kirschenbaum, Esq.
October 15, 2019
I sent to the wrong email address. Now what?
Recall! Recall by email if you cannot have your system catch and recall the message. Meaning, immediately email the unintended recipient asking that the prior email be deleted permanently, and asking for confirmation that the email, its content and any attachments were not viewed or retained.
If you receive the confirmation, you have done what you can for immediate remediation. You may, however, have more work to do to prevent a future occurrence, which can include adoption of safeguards: perhaps a secondary confirmation before an email is sent, or clearing auto-populate.
If the sent message contained HIPAA information, depending on mitigation and recipient, you may have an obligation to report to OCR or the individual whose information was disclosed. Such breach reporting should be evaluated by a healthcare attorney for a few reasons, the most important, in my view: if I look at the email and the remediation and I am wrong that it is not a breach, and I advise you there is no need to report, you have now outsourced that assessment and partial responsibility. My assessment will be based entirely on facts provided, so be sure to spill all the beans.
We all make mistakes. With HIPAA, the issues arise if we fail to remediate, prevent or take responsibility.