It is possible, but only if dozens of conditions are met and actively managed, covering administrative, technical, and physical safeguards alike. HIPAA-compliant faxing is not impossible, just unlikely if either the sender or the recipient still uses a traditional fax machine, or sends eFaxes without a secured line.
Fax machines were once a staple in every well-equipped medical office. Today, traditional fax machines have largely been replaced by online eFAXing services or updated multi-function fax machines capable of sending and receiving digital files in addition to scanning physical documents for transmission. Despite these and many other improvements to old-school fax machine technology and transmissions – when it comes to HIPAA compliance – faxing is risky at best.
When PHI (Protected Health Information) is sent over regular fax lines, it can easily be seen by the wrong people or fall into the wrong hands, and even if these and other compliance issues are addressed, there are better options. First, a quick look at the rules.
HIPAA, HITECH, and the Impact of The Final Omnibus Rule
The final Omnibus rule significantly strengthens HIPAA enforcement, particularly with regard to the business associates of covered entities. Every covered entity must now obtain assurances of compliance from any vendor or business associate that processes, has access to, or is exposed to PHI, which in effect establishes a chain of custody in which everyone at every level is responsible for upholding HIPAA standards. Previously, vendors of covered entities would communicate adherence to these standards verbally and insist that, as they were not medical entities, they did not need to be compliant. In light of the final Omnibus rule, however, you need to sign a HIPAA Business Associate Agreement (BAA) with every vendor who may have access to any PHI.
“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office for Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
U.S. Dept. of Health & Human Services (2013). New rule protects patient privacy, secures health information [Press release]. Retrieved from http://www.hhs.gov/news/press/2013pres/01/20130117b.html
The Omnibus rule also changed the standard for breach reporting. Previously, a breach had to be reported only if it was determined to pose a significant risk of financial or reputational harm to the patient. Now, any impermissible use or disclosure of PHI is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI has been compromised.
So What Does All This Have To Do With FAXing?
Ultimately, with the final Omnibus rule in effect, traditional faxing presents a host of control issues and risks. The part of HIPAA that bears on faxes is the safeguards requirement, which HHS summarizes as the Safeguards Principle: “Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.” Upholding this principle when faxing is tricky. A standard fax travels unencrypted over the phone network, so anyone with access to the line can read the PHI it carries. There is no easy way to “secure” a regular fax unless both parties can encrypt and decrypt documents, which is both expensive and time consuming.

The issue goes beyond unsecured phone lines, however. Fax machines and multifunction devices often keep copies of received faxes in internal memory or storage, so anyone with access to the machine can print additional copies of the sensitive material, and that stored data stays on the device when it is serviced, resold, or discarded unless it is wiped. In addition, faxes are often left sitting in the output tray for some time after they arrive, exposing the information to anyone who happens to walk by. Ultimately, faxing medical information just isn’t a good idea.
Additional Options & Recommendations
Even if you can fax with relative confidence regarding security and HIPAA compliance (by using a secure phone line, for example), it still isn’t necessarily the best way of doing things. The bottom line is that faxing is outdated and there are now technologies out there that are easier to use, more secure, and much more efficient. Let’s take a look at some of the options.
- Email: Sending PHI in the body of an ordinary email is not acceptable. You may, however, attach a file that contains PHI, provided the attachment itself is encrypted. Note that “password protected” is only as strong as the encryption behind it and the way the password is shared: use a strong passphrase, give it to the recipient over a separate channel (a phone call, for example), and never put it in the same message as the attachment. Using BxB Secure’s HIPAA Compliant email service is one of the best ways to ensure all your electronic communications are encrypted, secure and HIPAA Compliant.
- Web: Public websites or file shares are generally not recommended, as there is a high likelihood that PHI could be posted or exposed accidentally. BxB Secure offers HIPAA Compliant Web Forms that will keep your patients’ PHI protected and your practice compliant.
- Electronic Fax Service: An electronic fax service bridges email and the fax network. To send, the user encrypts the file with the service’s client program and submits the encrypted file together with the recipient’s fax number; the service decrypts it and transmits it to the recipient as a traditional fax, so the final hop is still an ordinary phone line and an ordinary fax machine, with all the exposures described above. An incoming fax likewise arrives at the service first, where it is encrypted and forwarded to the recipient as an email attachment. Keep in mind that a BAA is absolutely crucial when using these services, because the service handles your PHI in the clear. This is often easier said than done, as not all services will provide a BAA, and few offer one without a specific request. These services can also be quite pricey; many charge between 2 and 8 cents per page on top of monthly or annual subscription fees, so understand your fax volumes before committing in order to gauge the cost accurately. Using BxB Secure’s HIPAA Compliant email service is a simpler, easier to use and more cost effective option than either traditional faxing or an eFax service.
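The email option above says an attachment must be “encrypted or password protected.” As an added example (not code from this page or from BxB Secure’s product), here is what that should mean in practice: a key derived from the passphrase with a salted, deliberately slow KDF, and authenticated encryption so that a wrong passphrase, a bit flip in transit, or a swapped header fails closed instead of producing garbage. The container layout (“PHI1” magic, salt, nonce, ciphertext), the function names, the sample record and the passphrase are all this example’s own assumptions; only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical container layout used by this example (not a standard format):
//   "PHI1" magic | 16-byte salt | 12-byte nonce | AES-256-GCM ciphertext + 16-byte tag
const (
	magic      = "PHI1"
	saltLen    = 16
	nonceLen   = 12
	hdrLen     = len(magic) + saltLen + nonceLen
	keyLen     = 32
	iterations = 600000 // PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) written out so the block needs nothing
// outside the standard library; T_i = U_1 xor U_2 xor ... xor U_iter per output block.
func pbkdf2SHA256(passphrase, salt []byte, iter, n int) []byte {
	var out []byte
	for block := uint32(1); len(out) < n; block++ {
		mac := hmac.New(sha256.New, passphrase)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

// gcmFor derives the AES-256 key for this salt and wraps it in GCM.
func gcmFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment seals a file under a passphrase-derived key. The header
// (magic, salt, nonce) is bound in as associated data, so altering it is detected.
func EncryptAttachment(plaintext []byte, passphrase string) ([]byte, error) {
	header := make([]byte, hdrLen)
	copy(header, magic)
	if _, err := rand.Read(header[len(magic):]); err != nil { // fresh salt and nonce
		return nil, err
	}
	salt, nonce := header[len(magic):len(magic)+saltLen], header[len(magic)+saltLen:]
	aead, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...)
	return aead.Seal(out, nonce, plaintext, header), nil
}

// DecryptAttachment opens a container; a wrong passphrase, a flipped bit or a
// substituted header all fail with an error rather than yielding garbage.
func DecryptAttachment(container []byte, passphrase string) ([]byte, error) {
	if len(container) < hdrLen+16 || string(container[:len(magic)]) != magic {
		return nil, errors.New("not a PHI1 container")
	}
	header := container[:hdrLen]
	salt, nonce := header[len(magic):len(magic)+saltLen], header[len(magic)+saltLen:]
	aead, err := gcmFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, nonce, container[hdrLen:], header)
	if err != nil {
		return nil, errors.New("wrong passphrase or attachment was altered in transit")
	}
	return plaintext, nil
}

func main() {
	record := []byte("Patient: Jane Doe, DOB 1970-01-01, Dx: asthma") // constructed sample, not real PHI
	passphrase := "correct horse battery staple"                   // share by phone, never in the same email
	sealed, err := EncryptAttachment(record, passphrase)
	if err != nil {
		panic(err)
	}
	opened, err := DecryptAttachment(sealed, passphrase)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(opened, record))
	sealed[len(sealed)-1] ^= 0x01 // one bit flipped in transit
	_, err = DecryptAttachment(sealed, passphrase)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The two properties worth checking in your own tooling are the ones the block exercises: decryption must fail on a modified ciphertext or header (a plain ZIP or PDF “password” typically gives you neither a slow KDF nor integrity protection), and the passphrase must travel by a different path than the attachment, since an attacker who can read the mailbox can read both otherwise.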
Bottom Line: FAXing is Risky
The bottom line is that even if you think you can fax with confidence regarding the technical, administrative, and physical security requirements, it’s an outmoded way to get the job done. You’re better off choosing a secure email service or a secure messaging portal. These services encrypt automatically between sender and receiver and work much like email: they make it easy to coordinate communication between multiple parties and rely on familiar, easy-to-use features.