Mobile fax apps and HIPAA compliance

Fax is widely used in healthcare for sharing information securely. However, when handling sensitive data like Protected Health Information (PHI), extra precautions are necessary, particularly when using mobile devices.

Much of the information that is shared between hospitals, doctors, insurance companies, and other healthcare entities is sent using fax. After all, fax is highly secure, flexible, and easy to use. For organizations that are sending and receiving Protected Health Information (PHI) and other confidential data, however, special precautions need to be taken, especially with regard to the use of mobile devices.

When smart pagers and mobile phones first appeared on the scene in the early 2000s, IT administrators struggled with a new challenge: an entire category of new devices capable of storing confidential information began to proliferate. Although the general problem of mobile security can be effectively addressed by observing some basic security practices, organizations that deal with PHI need to take extra care in safeguarding patient information protected by HIPAA (the Health Insurance Portability and Accountability Act).

HIPAA-compliant fax provides a secure and dependable starting point for healthcare organizations that rely on mobile devices to share information. Accessing faxes from a mobile device conforms to HIPAA requirements, provided that certain policies and procedures are followed.

The overriding principles for HIPAA-compliant use of mobile devices are:

  • Information should never be forwarded without the patient’s consent.
  • Data should not be accessed or stored any longer than needed.
  • Data should be encrypted to provide an additional layer of safeguarding against breach of confidentiality.

Follow general standards for mobile device security

Begin by ensuring that users are following standard security practices for mobile devices. Most of us are familiar with these rules; for example, users should prevent unauthorized access to their devices by using a secure password. Users should also apply software updates and patches promptly, as soon as they become available, and avoid connecting to unsecured Wi-Fi networks, especially when viewing data that may be sensitive or confidential. Finally, mobile device users should be careful about downloading and installing software that they have not researched in advance, as many mobile apps have been the source of malware.

While many of us know these rules well and follow them consistently, healthcare organizations should not assume that everyone necessarily knows about good mobile security practices. That’s why it’s important to regularly train users in basic security practices. This is especially true if employees are using their own personal devices at work.

Have a clear set of written policies for the use of mobile devices

In addition to training, healthcare organizations should have clear written policies that outline required practices for any mobile device that will be used to access PHI. Such policies should clearly specify best practices for mobile device security, but should also cover additional topics, such as the procedures to be followed in the event that a mobile device is lost or stolen. If the organization has a “bring your own device” policy, then written guidelines should also address the steps that need to be taken when such a device is sold or otherwise disposed of.

For a template policy, John R. Christiansen’s “HIPAA Mobile Devices Policy – Open Source” is a good place to start.

WestFax offers a cloud-based electronic fax app that is already HIPAA compliant. Download it today (Android / iOS). Organizations that follow the fundamental principles of good security, and train employees to do likewise, are able to exchange Protected Health Information with confidence using electronic fax, knowing that private patient information will remain protected.