We have received some recent inquiries from offices
regarding the following question:
If a patient's results go to a physician who is not providing
direct or indirect treatment to the patient, this would be considered an
incident involving an unauthorized disclosure, and as many of you know, would
be considered a HIPAA violation. The good news is that (in the example above)
since both physicians would also be considered covered entities, they too are bound
to comply with the HIPAA regulations, so the risk of harm to the patient would
be in the low to extremely low range.
Thus, you would need to record this in the accounting of
disclosures database or tracking mechanism (Disclosure Log) for this patient.
Other than that, you are good to go, and hopefully whatever caused the mix-up
can be chalked up to a good lesson learned without too much pain.