HIPAA Faxing: How To Send and Receive FAXes in a Secure and Compliant Way
We have previously discussed how it may be OK according to HIPAA to send and receive FAXes with ePHI over standard analog phone lines. See: Is a FAX document HIPAA-Secure?
However, we have observed that customers more and more wish to integrate FAXing with their computers, taking advantage of the “paper-free” office that is arriving in most places. Why should they have to print and manually fax things, or receive FAXes on an old-fashioned FAX printer, when their computers have FAX capability? Can that capability be used in a HIPAA-compliant way?
The answer is “Yes, you can”. This article explains how and points out things to watch out for.
Getting Started: Use a HIPAA-Compliant FAXing Solution
You need to use an electronic FAXing service, such as eFax Corporate®, which provides HIPAA-compliant FAXing services. Be sure that the service you choose offers you a “Business Associate Agreement”, as this is required by HIPAA HITECH (eFax Corporate® does offer this — but you have to explicitly ask them for it and they don’t mention it on their site).
Receipt of HIPAA Inbound FAXes Electronically
- The FAX is sent by the FAX sender (not at your organization).
- It arrives at your “FAX” over regular analog phone lines. This step does not have to be encrypted.
- Your “FAX” is a special computer at your Electronic FAX Service Provider where it is kept secure by their HIPAA compliance standards.
- Your FAX service provider delivers the FAX securely to you electronically:
Picking up the Secure FAX at their web site will always be an easy and secure way to do things, presuming their website is secure (https://).
Having them forward the FAX to your email will only be HIPAA compliant IF:
- Your email service supports TLS for inbound email delivery, and
- Your email service itself is fully HIPAA compliant — most email service providers do not meet these criteria — providing secure, compliant service together with a signed Business Associate Agreement.
As for whether step #1 (the sender’s side) is HIPAA compliant, remember:
- If the FAX is sent from a normal analog FAX line, it doesn’t have to be encrypted.
- If the FAX is sent by someone who is not a Covered Entity or Business Associate of one (for example, sent by an individual), then HIPAA does not apply to what they do.
- If the FAX IS sent by someone who is a Covered Entity or Business Associate of one and they are not using an analog FAX line, then it is their responsibility to ensure that they are sending the fax in a compliant way.
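The email delivery option above depends on TLS being used on every hop between the FAX provider and your mailbox. The following Python is an added example, not code from the original article or from any FAX provider: it reads the Received: headers of a FAX-notification email, checks that each network hop claims a TLS session (the “with ESMTPS” marker written by Postfix, Sendmail and Exim), and flags which of those claims were written by a server you run, since only those are evidence you control. The hostnames, IPs and message text are constructed for illustration.

```python
import email
import re

# Postfix, Sendmail and Exim label a TLS-protected SMTP session "with ESMTPS"
# (ESMTPSA when also authenticated); a plain "with ESMTP" hop ran in cleartext.
TLS_SESSION = re.compile(r"\bwith\s+(?:utf8)?[el]?smtpsa?\b", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)
LOCAL_HOP = re.compile(r"\bwith\s+local\b|\(localhost\b|\[127\.0\.0\.1\]", re.IGNORECASE)

# Constructed sample: a fax-arrival notice forwarded by a hypothetical provider.
# Hostnames use .invalid and IPs are documentation addresses; none of it is real.
SAMPLE_ENCRYPTED = """\
Received: from mx.fax-provider.invalid (mx.fax-provider.invalid [192.0.2.10])
  by mail.clinic.invalid (Postfix) with ESMTPS id 4ABC123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from portal.fax-provider.invalid (portal.fax-provider.invalid [192.0.2.20])
  by mx.fax-provider.invalid with ESMTPS id 9DEF456; Mon, 1 Jan 2024 09:59:58 +0000
From: fax-service@fax-provider.invalid
Subject: New fax received

A fax has arrived.
"""
# Same notice, but the final hop into our own server was not TLS-protected.
SAMPLE_PLAINTEXT = SAMPLE_ENCRYPTED.replace("with ESMTPS id 4ABC123", "with ESMTP id 4ABC123")

def hop_used_tls(received: str) -> bool:
    """True if one (unfolded) Received: header claims a TLS session."""
    return bool(TLS_SESSION.search(received))

def audit_received_chain(raw_message: str, own_hosts: set) -> list:
    """One record per network hop, newest first: which relay wrote it, whether it claims
    TLS, and whether we can trust that claim (only if our own relay wrote the line)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())          # unfold continuation lines
        if LOCAL_HOP.search(flat):
            continue                               # same-host delivery, no wire
        match = BY_HOST.search(flat)
        by_host = match.group(1).lower() if match else "?"
        hops.append({"by": by_host, "tls": hop_used_tls(flat),
                     "verifiable": by_host in own_hosts})
    return hops

def fax_path_is_encrypted(raw_message: str, own_hosts: set) -> bool:
    """All hops claim TLS and at least the hop into our own server is verifiable."""
    hops = audit_received_chain(raw_message, own_hosts)
    return bool(hops) and all(h["tls"] for h in hops) and any(h["verifiable"] for h in hops)
```

The provider-side Received: lines are that provider’s own claims, which is why the Business Associate Agreement, not this header check, is what holds them accountable for the earlier hops.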
Sending Outbound HIPAA FAXes Electronically
If you would like to send a compliant FAX electronically (i.e. not by using your analog FAX machine), then you can either:
- Log in to your Electronic FAX Service Provider’s website and send the FAX from there over an encrypted connection (SSL/TLS).
- Send the FAX from your email.
As before, sending through their secure site will always work. To send through your email, you would:
- Compose the FAX in your email program.
- Send the email to a special email address that contains the destination FAX number. For example, if you wanted to send a FAX to “1-800-888-9999” through eFax Corporate®, you might send an email to “firstname.lastname@example.org”.
- Your email program would connect securely to your email servers to deliver the message there.
- Your email servers would connect using TLS to eFax Corporate®’s email servers and deliver the message securely to them.
- They would connect to the destination FAX system over analog phone lines.
In addition to needing secure connections between your computer and email provider, and your email provider needing to guarantee that TLS is used when delivering your FAX to your Electronic FAX Service Provider, HIPAA also requires that you have a Business Associate Agreement with your email provider and that your service with them meet HIPAA Security and Privacy standards.
Archival of FAXes
Folks interested in HIPAA compliance are often also in need of archival for things like email and FAXes. By having your faxes come and go through your email system, you can take advantage of email archival services to also archive all of your FAXes.
- Using an Electronic FAX company like eFax Corporate®, which provides HIPAA compliance, is a good way to go.
- Using their secure web portal is a quick and easy way to have HIPAA compliant FAXing, even if your email is not compliant.
- You can send and receive secure FAXes with your email if your email is also HIPAA compliant.
Watch out though!
- “Almost Compliant?” Many electronic FAXing companies (unlike eFax Corporate®) have not caught up all the way with the current HIPAA HITECH requirements. That is, while they may mention “HIPAA”, they do not provide signed Business Associate Agreements and thus they probably do not follow all of the practices required for HIPAA, yet. By using such a service, you will not actually be compliant yourself.
- “Recipient Security:” When sending ePHI over FAX, that data typically ends up being transmitted over insecure analog phone lines and sitting in plain sight on some FAX machines. While this itself is not exactly non-compliant, it is certainly in a gray area. You should consider carefully if the lessening of security this affords is appropriate to your business and its compliance needs. This is something you need to answer for yourself.