In the healthcare industry, medical practitioners need to take special precautions to ensure that the patient information they send through different channels is safe and secure. This applies to all manner of communications - phone, email, etc. Like many other industries, certain kinds of information can legally only be sent by fax. This is because faxing is a proven way of getting sensitive information to designated parties, if it is done the right way.
In this article, we will provide a review of what HIPAA compliant fax service is, why it is beneficial for the healthcare industry, and give tips on how to maintain HIPAA requirements while faxing.
What is HIPPA, and why was it created?
The Health Insurance Portability and Accountability Act is a law that Congress created in 1996 to create standards for the use of highly sensitive documents containing health information across the US. It is a function of the Department of Health and Human Services. The purpose of HIPAA is to prevent the disclosure of potentially sensitive information that patients might want protected.
HIPAA was created for the purpose of protecting all of the parties involved in the transmission of personal health information (PHI) from becoming liable for its disclosure. This includes healthcare professionals at all levels, as well as businesses related to the industry.
Specific purposes for HIPAA include the following:
- Creating specific standards for how information is to be maintained and transferred so that it is protected from disclosure.
- Putting the managing of information in the hands of patients, and establishing penalties for organizations that fail to comply.
- Ensuring the smooth continuation of insurance coverage for people who transition from one plan to another.
How does faxing fit into HIPAA constructs?
As in other industries, certain kinds of sensitive healthcare information cannot be sent over email. The risks of hacking and accidental exposure are simply too great, and email confidentiality cannot be guaranteed. Even if there is an email HIPAA disclaimer included, there are still risks involved, and you cannot ensure email HIPAA compliant. Therefore, faxing is a preferable alternative, but it needs to be carried out in a specific way in order to be fully secure.
HIPAA-compliant faxing is intended to make sure that fax reports both go to the intended fax number, and also that they are collected by the appropriate person. This applies both to the use of traditional fax machines, as well as sending faxes online from a cloud.
Companies that use faxes to send PHI must make their fax servers HIPAA compliant. This involves meeting the following criteria:
- Establishing a company-wide system whereby all administrative and physical equipment and processes are set up to keep patients’ information safe.
- Ensuring that information is protected at every point of its transmission, including the point of dispatch, during the sending process, and when it is received. Specifically, organizations need to ensure that:
- Incoming faxes are picked up immediately by a designated person so that they are not exposed to others. These people should be notified of incoming faxes before those faxes are sent.
- Fax numbers need to be programmed by senders and checked on a regular basis as it sometimes happens that numbers change. They should be verified before each fax is sent.
- Physical machines need to be kept in a specific location in the places where faxes will be sent.
- Once faxes are received, they must be put in a particular place that has been established as secure.
Cover sheet requirements
There are also specific requirements that govern the use of cover sheets, because of course cover sheets are the first things that will come out of any given fax, and the information that is on it is potentially readable by whoever sees the fax. Therefore, not only must PHI not be visible on cover sheets, but there are specific requirements that govern the type of information that must be included on them. While there is no official HIPAA cover sheet per se, participating entities must meet all of the HIPAA requirements in order to be in compliance. These include:
- The fax number and name, organization, and phone number of the intended recipient
- The fax number and name and organization of the sender
- The date and time that the fax were sent
- The patient’s name and reference number, if there is one
- A HIPAA-compliant fax disclaimer
Fax disclaimers must be very specific, mentioning the fact that there is confidential information enclosed that contains PHI and follows the HIPAA privacy rule. It must state that it is intended strictly for use by the intended recipients and that violation of these requirements is punishable by law. It must also request that the sender be notified of a fax’s receipt.
Requirements for receivers
When a designated party receives a fax, there are also requirements that they must meet. These include:
- Keeping a copy of the confirmation sheet that includes the time that the fax was sent, as well as the recipient’s number
- Confirming the receipt of the digital secure fax with the sender over the phone
- Storing the fax in a secure, pre-identified place after receiving it
- Retaining transaction and transmission log summaries
HIPAA compliant fax to email services
While traditional email cannot be relied upon alone to address security concerns, there are online software programs that can manage fax to email services and meet HIPAA compliant Internet fax requirements. With these programs, such as EveryFax, you will receive a virtual phone number from and to which you can receive faxes.
The way that these software programs work is the following: the documents that you email go through your virtual number to the fax number that you designate, as if from a physical machine. Faxes received follow a similar procedure. In this way, you have the ease of sending materials as if through traditional email, and the software takes care of the security concerns. This ensures the interoperability of faxing and receiving, regardless of your device type or location.
Penalties for violations
People or organizations who violate HIPAA compliant online faxing requirements are subject to penalties. Penalties are divided into “tiers,” depending on the severity of a given violation. These include the following:
- Tier 1 - Tier 1 violations are those in which a business or participating entity is not aware of the rules. If a business is found guilty of committing a Tier 1 violation, it can be fined anywhere from $100-50,000 per incident.
- Tier 2 - Tier 2 violations are those in which a business is aware of the violation they are committing, but in which the violation was out of the business’ control. These violations incur fines ranging from $1000-50,000.
- Tier 3 - Tier 3 violations are those in which businesses are determined to have been neglectful, but somehow made efforts to comply. These violations incur fines of $10-50,000.
What can participating entities do to better ensure compliance?
Given all of these specifications, it is clear that companies and other parties who hope to send HIPAA compliant faxes need to make every possible effort to ensure compliance. There are specific things that people can do to make their fax systems more secure, including HIPAA compliant fax to email:
- Keep track of where PHI is kept. As the use of clouds for storing data is becoming much more common across different industries, so too are healthcare organizations adopting this practice and fax storage protocols becoming more strict. As cloud fax services are generally secured with high-level encryption, the possibility of its being hacked is minimized. If your company still uses hard drives to store its data, you should move it to a cloud and use encrypted faxing through an online service.
- Keep your software and devices up to date. Software needs to be updated as soon as updates become available, because this is the only way that hackers can effectively be warded off. Updates often involve upgraded security features, and if they are not installed in a timely manner, software runs the risk of becoming vulnerable to a cyber attack. Experts recommend using SaaS to ensure that this is always carried out efficiently. Similarly, the devices that you use to store PHI on must be fully secure. This means that participating companies should use multi-factor authentication to enter into systems and/or the use of biometric identification to gain access.
- Create and maintain audit logs. Having an audit log means that businesses can keep track of all of the activities that take place on their networks. In order to be fully confident in HIPAA compliance across a given network, all of the businesses associated with it must maintain audit logs. HIPAA faxing audit trails should be stored for a minimum of six years. With the growth of AI, records can now be scanned more easily to detect unusual patterns.
Conclusion
Maintaining HIPAA compliance is complicated. Because of the high security risks in handling things like Electronic Medical Record Systems, it is essential that people handling such highly sensitive documents take every possible measure to protect the information included. To ensure your fax protocols HIPAA compliant, there are a long list of things that you will need to do to meet the rules. Getting an online program that meets all the requirements will help make the process much easier.
FAQ
How do I know if a service is really HIPAA compliant?
There are designated certifications that services have, such as HITRUST and HITECH. Look for these certifications, and check specific requirements against the HIPAA website.
If I am faxing medical records or signed Business Association Agreements, how can I be sure of their receipt online?
You will have a fax log that tells you the time and date that your fax was sent. These are produced automatically by online fax services.
Can I fax from any device or email type?
As long as the software that you choose to fax from allows for use by different devices, you shouldn’t have a problem. Check for compatibility before you buy one. Any email should work, as well as Outlook.