Mobile Fax Apps and HIPAA Compliance


Much of the information that is shared between hospitals, doctors, insurance companies, and other healthcare entities is sent using fax. After all, fax is highly secure, flexible, and easy to use. For organizations that are sending and receiving Protected Health Information (PHI) and other confidential data, however, special precautions need to be taken, especially with regard to the use of mobile devices.

When smart pagers and mobile phones first appeared on the scene in the early 2000s, IT administrators faced a new challenge: an entire category of new devices capable of storing confidential information began to proliferate. Although the general problem of mobile security can be effectively addressed by observing some basic security practices, organizations that deal with PHI need to take extra care in safeguarding patient information protected by HIPAA (the Health Insurance Portability and Accountability Act).


For healthcare organizations that rely on mobile devices to share information, HIPAA-compliant fax provides a secure and dependable starting point. Accessing faxes from a mobile device conforms to HIPAA requirements, provided that certain policies and procedures are followed.

The overriding principles for HIPAA-compliant use of mobile devices are:

Follow general standards for mobile device security

Begin by ensuring that users are following standard security practices for mobile devices. Most of us are familiar with these rules; for example, users should prevent unauthorized access to their devices by using a secure password. Users should also apply software updates and patches promptly, as soon as they become available, and avoid connecting to unsecured Wi-Fi networks, especially when viewing data that may be sensitive or confidential. Finally, mobile device users should be careful about downloading and installing software that they have not researched in advance, as many mobile apps have been the source of malware.

While many of us know these rules well and follow them consistently, healthcare organizations should not assume that everyone necessarily knows about good mobile security practices. That’s why it’s important to regularly train users in basic security practices. This is especially true if employees are using their own personal device at work.

Have a clear set of written policies for the use of mobile devices

In addition to training, healthcare organizations should have clear written policies that outline required practices for any mobile device that will be used to access PHI. Such policies should clearly specify best practices for mobile device security, but should also cover additional topics, such as the procedures to be followed in the event that a mobile device is lost or stolen. If the organization has a “bring your own device” policy, then written guidelines should also address the steps that need to be taken when such a device is sold or otherwise disposed of.

For a template policy, a good place to start is John R. Christiansen’s “HIPAA Mobile Devices Policy – Open Source”.

WestFax offers a cloud-based electronic fax app that is already HIPAA compliant. Download it today (Android / iOS). Organizations that follow the fundamental principles of good security, and that train employees to do likewise, are able to exchange Protected Health Information with confidence using electronic fax, knowing that private patient information will remain protected.