First, please thank the caller for contacting us to let us know about the issue. (Take good notes of your conversation so you have details to enter into the HIPAA online system, once you hang up.)
Second, arrange with the caller to get the documents back. Do NOT ask the caller to throw them away. If the caller is a patient who plans to be back in the clinic in the next day or two, ask if he will return the document then. Otherwise, please tell the caller that you will send a self-addressed stamped envelope right away so the documents can be returned to the clinic. (You’ll need to know how many pages, so you have an idea of how much postage to put on the envelope.)
If the PHI was received by email, please ask the caller to delete the message and then empty the deleted items folder.
Third, let the caller know that we will send a statement for him to sign that says he understands that the information is confidential. Make a note in the file that you’ve advised the caller of the confidential nature of the information. (A sample confidentiality statement is below.)
Finally, notify your supervisor of the call, so any necessary changes in process can be made to prevent similar errors from occurring. You or your supervisor will enter the incident in the HIPAA online system as soon as you end the call so we can track our actions, including your conversation and the return receipt of the documents. The University Privacy Official will review the file and determine any additional steps, such as mitigation, as details are entered.