Regulatory compliance
HIPAA compliance
HIPAA compliance for fax means protecting electronic protected health information (ePHI) under the HIPAA Security and Privacy Rules — encryption in transit and at rest, strict access controls, audit logging, and a signed Business Associate Agreement with every vendor that touches the data. WestFax meets or exceeds both rules as your Business Associate, bringing the safeguards that support your compliance, with a BAA included on every plan.
The matrix
The HIPAA compliance matrix
Here’s how WestFax addresses each HIPAA rule, requirement, and safeguard.
| HIPAA rule | Requirement | WestFax assurance |
|---|---|---|
| Privacy Rule | Defines the covered entities and other entities that may handle ePHI, and sets Business Associate requirements. §164.305(a) | WestFax meets or exceeds the requirements of both the Security Rule and the Privacy Rule. As a Business Associate, we maintain the policies and procedures as well as the physical and technical safeguards that support your compliance. |
| Security Rule | Technical safeguards — the technology plus the policies and procedures for its use — that protect ePHI and control access to it. §164.304 | WestFax addresses each area of concern with modern technology and resilient systems design, and actively manages and audits its systems for security and incident response. Compliance support spans FISMA High / NIST SP 800-53, HIPAA, PCI DSS Level 1, SOC 2 Type II, and SOC 3. |
| Physical security | Securing processing resources to prevent unauthorized access, theft, or destruction. §164.312(a)(1) | Systems are deployed in secure SOC 2-compliant data centers. 24×7 guard staff and video/DVR surveillance of the facility and server cages. ID and authorization required to enter, with extra biometric control of private-cloud areas. Strictly controlled, logged, and audited third-party access. |
| Access control | Technical policies and procedures that allow ePHI access only to authorized persons or software programs. §164.308(a)(4) | ePHI is isolated to servers and storage in the WestFax private-cloud environment. Software and systems require user passwords. |
| Unique user identification | Assign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2) | Usernames are unique and every session that provides access to data is authenticated. Password-complexity policies prevent passwords from being guessed or compromised. User-activity logging captures access and activity. |
| Automatic log-off | Terminate an electronic session after a predetermined time of inactivity. §164.312(a)(2)(iii) | Applications automatically log out idle users after a specified period. Access and permissions are reaffirmed each time the application is reopened. “Remember me” features are disabled to remove the risk of password compromise. |
| Person or entity authentication | Verify that a person or entity seeking ePHI is the one claimed. §164.312(d) | Login requires a username and password. Access to secure messages can be further protected by multi-factor authentication and an administrator-controlled Access Control List (ACL). |
| Transmission security | Guard against unauthorized access to ePHI transmitted over an electronic communications network. §164.312(e)(1) | The highest level of TLS encryption available for data in transit, via our secure website or API. TLS-protected SMTP with the optional REQUIRE TLS extension (IETF RFC 3207). FTPS and SFTP with TLS for secure document transport to and from your servers. |
| Protection of ePHI at rest | Encrypt ePHI whenever deemed appropriate. §164.312(e)(2)(ii) | Encryption is applied at each phase of processing and guarded by Access Control Lists. AES-256 encryption of ePHI at rest to prevent disclosure from intrusion. Application architecture and file-system controls govern access for external and internal users. |
| Data integrity | Ensure data or information has not been altered or destroyed in an unauthorized manner. §164.304 | End-to-end encryption and decryption over TLS protect integrity in transit. Signature protocols prevent tampering while data is en route. Messages are securely archived on a central server after encryption. |
| Data availability | Ensure data is available for use at all times by authorized recipients. | An online backup option for all data at rest. Redundant data centers and network paths provide always-on availability. |
| Audit control | Record and examine activity in information systems that contain or use ePHI. §164.312(b) | Audit logs of internal and external users are reviewed in real time to proactively detect and prevent issues. ID and authorization required to enter, with biometric control of private-cloud areas. Strictly controlled, logged, and audited third-party access. 24×7 guard staff and video/DVR surveillance. |
WestFax brings comprehensive compliance support that includes FISMA High / NIST SP 800-53, HIPAA, PCI DSS Level 1, SOC 2 Type II, and SOC 3.
A BAA on every plan.
As your Business Associate, WestFax signs a Business Associate Agreement with every account — no upsell, no add-on. Need it countersigned or tailored? Our team can help.
