In this article, we will take a closer look at the "why and how" of HIPAA compliant faxing.
Although many people think of fax technology as an outdated mode of communication, the reality is that fax plays a critically important role in maintaining the privacy of patients' protected health information (PHI). Covered entities that are subject to HIPAA's Privacy Rule have come to depend on modern cloud-based fax technology to exchange information with other healthcare providers, insurance companies, and trusted third parties whose job it is to help them serve their patients.
Although fax is highly secure, covered entities must ensure that their fax services are HIPAA compliant and willing to acknowledge their responsibilities by signing a business associate agreement (BAA). Healthcare providers and other covered entities must also implement best practices to remain HIPAA compliant, such as securing fax machines and multifunction printers (MFPs), using HIPAA-compliant cover pages, and ensuring that PHI is not stored in digital formats that may be accessible to unauthorized people.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that healthcare providers, insurance companies, HMOs, and virtually any other party routinely interested in patients' private medical information (“protected health information”, or PHI for short) must protect the privacy and security of that information at all times, both when it is “at rest” (e.g. stored on a hard drive) and “in transit” (e.g. when it is being transmitted from one covered entity to another).
Although HIPAA is a complex law with far-reaching implications, there is a specific part of HIPAA known as the “Privacy Rule” that mandates the protection of PHI. This includes electronic PHI, also known as ePHI.
A HIPAA violation occurs when an entity subject to HIPAA fails to adequately safeguard PHI or fails to follow OCR guidelines for promptly notifying individuals whose PHI may have been compromised. HIPAA violations may be the result of ignorance (i.e. someone in the organization didn't know any better), or may be caused by outright negligence (i.e. they knew better but acted inappropriately anyway). OCR typically imposes penalties in both situations, although negligence can lead to significantly higher penalties.
This is why internal procedures and employee training are so important. Even if you're using a HIPAA-compliant e-mail service, for example, you may still be at risk of a violation if employees do not follow proper procedures to safeguard PHI. With HIPAA-compliant fax, there is simply a lot less to worry about.
In today's highly connected world, we often take it for granted that digital communications enable us to transmit virtually any kind of information anywhere in the world almost instantly. Not all digital modes of communication are created equal, though. While many people intuitively understand that e-mail is not always secure, for example, few actually pause to consider how e-mail might compromise information security.
The reason fax remains such a popular means of sending and receiving PHI in the healthcare industry is its fundamentally higher level of security. To put it another way, there are substantially fewer things you need to worry about than with other modes of digital communication such as e-mail or SMS texting.
When it comes to HIPAA compliance, ignorance of security gaps is no excuse. The federal Office for Civil Rights (OCR) does not shy away from imposing penalties on an organization simply because it wasn't aware of a potential security gap. The less you have to think about, the better. If you're working with a cloud fax service provider who understands HIPAA, you can eliminate a lot of uncertainty.
It's critically important to look for a fax service provider who fully grasps the implications of HIPAA compliance, though. They should host your data in data centers that have 24x7 security, with controlled “need to know” access to physical servers. They should use state-of-the-art encryption for data in transit and at rest. They should also be prepared to offer guidance for remaining HIPAA compliant.
A great many HIPAA violations occur when PHI stored on local devices or hard drives is accessed by unauthorized parties. If an employee of a covered entity receives an e-mail containing PHI on their home computer, for example, that information could potentially be exposed to other people in their household, or to hackers who obtain a copy of the unencrypted data.
To avoid that kind of scenario, covered entities should implement physical and technical measures and procedures designed to prevent the transmission of information to unsecured devices. HIPAA-compliant cloud-based fax handles such matters automatically, maintaining data on secure servers and encrypting the information both at rest and in transit.
The use of physical fax machines offers certain advantages over less secure modes of communication such as e-mail or SMS text messaging. However, they still require that any machine used to send or receive PHI must be located in a space with controlled access and that printed documents be appropriately secured or destroyed.
Covered entities such as healthcare providers, insurance companies, and HMOs must have written standards and procedures in place, as well as a designated privacy officer who is responsible for developing and implementing policies for HIPAA compliance. Ongoing employee training with respect to the proper handling of PHI is also critical.
Many covered entities routinely share PHI with third-party service providers who have an ongoing role in helping them serve their patients. Medical transcriptionists, CPA firms, and technology providers may require access to patient information in order to fulfill their responsibilities. In the parlance of HIPAA, these are referred to as “business associates.” If you operate a covered entity, it's critical that such service providers take full responsibility for safeguarding PHI by signing a “business associate agreement” (BAA). This helps to ensure the privacy and security of patient information, and it provides you with important legal protections.
If your office is using fax as its preferred mode of secure communication, here are some tips to ensure you remain fully compliant with the HIPAA Privacy Rule:
HIPAA-compliant cloud fax from WestFax offers the best of all worlds, including gold-standard security, the ability to fax virtually any document quickly and easily from a computer, easy access via a web browser, API integration, MFP integration, full auditability, and more. If you're ready to get started with HIPAA-compliant fax, reach out to us today for a free, no-obligation consultation.