Regulatory compliance

HIPAA compliance

HIPAA compliance for fax means protecting electronic protected health information (ePHI) under the HIPAA Security and Privacy Rules — encryption in transit and at rest, strict access controls, audit logging, and a signed Business Associate Agreement with every vendor that touches the data. WestFax meets or exceeds both rules as your Business Associate, bringing the safeguards that support your compliance, with a BAA included on every plan.

A clinician collecting patient documents from a fax-enabled multifunction printer in a hospital ward
HIPAA

The matrix

The HIPAA compliance matrix

Here’s how WestFax addresses each HIPAA rule, requirement, and safeguard.

HIPAA ruleRequirementWestFax assurance
Privacy RuleDefines the covered entities and other entities that may handle ePHI, and sets Business Associate requirements. §164.305(a)WestFax meets or exceeds the requirements of both the Security Rule and the Privacy Rule. As a Business Associate, we maintain the policies and procedures as well as the physical and technical safeguards that support your compliance.
Security RuleTechnical safeguards — the technology plus the policies and procedures for its use — that protect ePHI and control access to it. §164.304WestFax addresses each area of concern with modern technology and resilient systems design, and actively manages and audits its systems for security and incident response. Compliance support spans FISMA High / NIST SP 800-53, HIPAA, PCI DSS Level 1, SOC 2 Type II, and SOC 3.
Physical securitySecuring processing resources to prevent unauthorized access, theft, or destruction. §164.312(a)(1)Systems are deployed in secure SOC 2-compliant data centers.
24×7 guard staff and video/DVR surveillance of the facility and server cages.
ID and authorization required to enter, with extra biometric control of private-cloud areas.
Strictly controlled, logged, and audited third-party access.
Access controlTechnical policies and procedures that allow ePHI access only to authorized persons or software programs. §164.308(a)(4)ePHI is isolated to servers and storage in the WestFax private-cloud environment.
Software and systems require user passwords.
Unique user identificationAssign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2)Usernames are unique and every session that provides access to data is authenticated.
Password-complexity policies prevent passwords from being guessed or compromised.
User-activity logging captures access and activity.
Automatic log-offTerminate an electronic session after a predetermined time of inactivity. §164.312(a)(2)(iii)Applications automatically log out idle users after a specified period.
Access and permissions are reaffirmed each time the application is reopened.
“Remember me” features are disabled to remove the risk of password compromise.
Person or entity authenticationVerify that a person or entity seeking ePHI is the one claimed. §164.312(d)Login requires a username and password.
Access to secure messages can be further protected by multi-factor authentication and an administrator-controlled Access Control List (ACL).
Transmission securityGuard against unauthorized access to ePHI transmitted over an electronic communications network. §164.312(e)(1)The highest level of TLS encryption available for data in transit, via our secure website or API.
TLS-protected SMTP with the optional REQUIRE TLS extension (IETF RFC 3207).
FTPS and SFTP with TLS for secure document transport to and from your servers.
Protection of ePHI at restEncrypt ePHI whenever deemed appropriate. §164.312(e)(2)(ii)Encryption is applied at each phase of processing and guarded by Access Control Lists.
AES-256 encryption of ePHI at rest to prevent disclosure from intrusion.
Application architecture and file-system controls govern access for external and internal users.
Data integrityEnsure data or information has not been altered or destroyed in an unauthorized manner. §164.304End-to-end encryption and decryption over TLS protect integrity in transit.
Signature protocols prevent tampering while data is en route.
Messages are securely archived on a central server after encryption.
Data availabilityEnsure data is available for use at all times by authorized recipients.An online backup option for all data at rest.
Redundant data centers and network paths provide always-on availability.
Audit controlRecord and examine activity in information systems that contain or use ePHI. §164.312(b)Audit logs of internal and external users are reviewed in real time to proactively detect and prevent issues.
ID and authorization required to enter, with biometric control of private-cloud areas.
Strictly controlled, logged, and audited third-party access.
24×7 guard staff and video/DVR surveillance.

WestFax brings comprehensive compliance support that includes FISMA High / NIST SP 800-53, HIPAA, PCI DSS Level 1, SOC 2 Type II, and SOC 3.

A BAA on every plan.

As your Business Associate, WestFax signs a Business Associate Agreement with every account — no upsell, no add-on. Need it countersigned or tailored? Our team can help.