5 Tips for HIPAA-Compliant Faxes

It is important to follow some best practices whenever you are sending or receiving PHI via fax. Here is a list of five key practices that will help you and your organization remain fully compliant with the HIPAA Privacy Rule.

5 tips for HIPAA compliant faxingIf you work in the healthcare field, – or if you do business with healthcare providers on a regular basis, – then chances are you’re familiar with HIPAA. Most people are familiar with HIPAA as the federal law that protects private patient information. In fact, the law covers considerably more than that, – but HIPAA’s so-called Privacy Rule gets the most attention.

If you are classified as a “covered entity” under HIPAA regulations, it’s important that you understand exactly what needs to be protected, how to protect it, and what the implications can be for non-compliance. Every year, the federal government’s Health & Human Services Office for Civil Rights imposes penalties on healthcare providers and other covered entities resulting from their failure to protect patient information.

It’s common practice in the healthcare field to send and receive faxes containing patients’ protected health information (PHI). While interoperability of electronic health records (EHRs) is in the works, we’re simply not there yet. Fax serves as one of the most secure and reliable means of communicating PHI with other healthcare providers, insurers, and healthcare exchanges.

Nevertheless, it is important to follow some best practices whenever you are sending or receiving PHI via fax. Here is a list of five key practices that will help you and your organization remain fully compliant with the HIPAA Privacy Rule.

#1: Don’t Let Incoming Faxes Sit in a Publicly Accessible Fax Machine

If you intend to use a traditional fax machine that prints out a paper document, then it’s best to get a dedicated line for any faxes containing PHI. The machine to which incoming faxes are sent should be in a location where access is limited, and employees must be trained to understand the implications of allowing authorized access to that area. Even better, incoming faxes should be retrieved as soon as they are available.

Outgoing faxes, likewise, should be sent from a machine located in a secure, access-controlled room. Alternatively, an authorized person sending faxes can remain at the machine until each transmission is complete so that the outgoing document is never left unattended.

#2: Switch to Cloud Fax

An even better practice is to use a secure HIPAA-compliant cloud fax service, which completely removes the need to be concerned with physical fax machines for incoming faxes, and for most if not all outgoing transmissions as well. Information is encrypted during transmission, and when faxes are stored.

Be sure that your cloud fax provider is willing to sign a business associate agreement (BAA) acknowledging their obligation to protect any PHI which is transmitted, received, or stored by them.

Not only is a HIPAA-compliant cloud fax service more secure; it also saves money, makes it faster and easier to send or receive a fax, and makes managing your faxes substantially similar.

#3. Always Use a Cover Page

Whenever you send a fax containing PHI, use an appropriate cover page containing an appropriate HIPAA disclaimer. This protects you in the event that the fax is inadvertently made available to an unauthorized person. While you can’t necessarily control what happens after your recipient receives a fax, the rate cover page can protect you from liability. A good HIPAA-compliant cloud fax provider will make adding a cover page a standard part of their workflow for outgoing faxes.

#4. Maintain a Clean Audit Trail

A good audit trail provides a clear, well-documented record of exactly what information was sent and received, when, and by whom. With a good HIPAA-compliant cloud fax service, you should have access to a complete record of your incoming and outgoing fax history. This provides substantial protection from potential fines.

#5. Avoid Storing PHI on Local Devices

Many of the high-profile breaches of the HIPAA Privacy Rule happened because PHI was saved to a local hard drive or mobile device, where a user failed to apply appropriate precautions by deleting it. If devices are subsequently stolen, lost, or disposed of without taking appropriate measures to destroy the data they contain; PHI could be inadvertently exposed, resulting in fines and penalties.

A good HIPAA-compliant cloud fax service should encrypt all documents and store all data in a highly secure data center, rather than on local devices.

Don’t take chances with HIPAA compliance. To find out more about secure HIPAA-compliant fax, contact WestFax today to talk to one of our experts.

Discover more