Is a FAX document HIPAA-Secure?
Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to other organizations via FAX (facsimile).
Why? Because this is how it has always been done, and everyone is “set up” to handle FAXes quickly and efficiently.
However, with HIPAA security regulations ever-present, our clients are concerned about whether their use of FAX is compliant, just as they want to be sure that their email and web sites meet HIPAA security standards.
Update – for electronic FAXing options, see: HIPAA Faxing: How to Send and Receive FAXes in a Secure and Compliant Way.
Beyond compliance issues, a received FAX is of limited use: you get a printout or an image, not an electronic document that can be processed efficiently. This is not good for productivity or for meeting other standards.
Can data sent via FAX be “secure enough” for HIPAA?
You might think that the answer is a simple “no”, unless the FAX is sent over some type of secured phone line. Why? Because anyone with physical access to the phone lines and some technical expertise can eavesdrop on phone calls and FAXes and thus obtain any protected health information sent by fax. It is accepted that sending email messages containing PHI insecurely is prohibited, so it follows that FAXing might also be “not a good idea”.
But, it turns out that “no” is too simple an answer and not practical or accurate.
How does HIPAA actually apply to FAXes?
The area of HIPAA that applies to FAXes is the “Safeguards Principle”.
SAFEGUARDS PRINCIPLE: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
HIPAA is interesting in that it lays out many requirements, rules, and principles, but they are all flexible and do not prescribe any specific practices or actions that must be taken. This permits organizations to “adequately” protect the privacy of PHI as appropriate to their circumstances.
With email, there are many physical, technical, and administrative safeguards that are easy to apply. Using end-to-end email encryption and good security policies is not difficult and is considered “low-hanging fruit” on the path to meeting all of the HIPAA requirements. Since securing email is relatively easy, it becomes essentially mandatory under the Safeguards Principle: it is reasonable to take the straightforward step of using email encryption to protect protected health information (PHI), especially given the significant insecurities of Internet use in general.
With FAXes, the situation is very different.
- There is no easy way to secure a “regular” FAX transmission between two parties unless they are both set up with special encrypting fax machines or other special services. Few organizations have such tools. They are expensive, and to be useful, everyone must have compatible machines.
- Everyone already uses insecure FAX machines that talk over regular phone lines.
- People are familiar with communication of protected health information (PHI) on an as needed basis verbally over the [insecure] phone.
- Use of these same [insecure] phone lines to send a FAX is not much less secure than talking over the line.
- Most organizations have a strong business need to communicate using FAX.
Since speaking over insecure phone lines, when needed, is “OK” as far as HIPAA goes, how can a FAX be less secure?
- FAXes are often left on the FAX machine for some period of time after they arrive. This makes the sensitive information available to anyone walking by the machine.
- FAX machines often save copies of received FAXes internally. This makes it possible for anyone with access to the FAX machine to print out additional copies of the sensitive material.
- FAX machines generally print out the transmitted messages on paper. This paper, if not destroyed, could be placed in an insecure location.
- If the fax machine actually transmits the fax digitally anywhere (e.g. fax-to-email), then that digital transmission must be properly encrypted for HIPAA. Most fax machines do not support that; and most small offices do not bother to set this up securely even if it is possible for them.
What should you do to be HIPAA compliant?
Option #1: Don’t send any FAXes
This is probably not realistic for most organizations; however, it removes FAX from your HIPAA risk analysis entirely. It is, increasingly, the way to go these days, with it becoming easier and easier to send information over secure email or through other secure electronic means. Eliminating the paper trail and the insecure FAXes can be an important step in cleaning up your HIPAA risk analysis.
Option #2: Use sensible policies
If you decide it is worth the risk to send FAXes over insecure phone lines, you should use sensible policies to mitigate the insecurities of the facsimile and help ensure that you are abiding by the Safeguards Principle in a reasonable manner. Some suggested policies include:
- Do not send PHI over FAX unless it cannot be sent over other, more secure, channels, e.g. delivery by hand, secure email, etc.
- Only send the PHI actually needed; do not send additional information.
- Always use a cover letter to prevent casual reading of the first page of the FAX.
- Use saved speed-dial numbers for common FAX recipients to prevent numbers being mis-dialed. Test these numbers periodically.
- For any new recipient, verify the FAX number with a test send of a facsimile before sending the actual protected health information.
- Develop policies on what to do if a FAX was sent to the wrong place. A misdirected FAX containing PHI is an unauthorized disclosure and must be handled as a HIPAA breach.
- Configure your FAX machines to never save copies of sent or received FAXes.
- Make sure that PHI FAXes never remain on the FAX machine after receipt, and that they are promptly delivered to the intended recipient.
- Develop policies on the storage, copying, and disposal of PHI FAXes.
- Locate your FAX machines in a secured room that only staff who are authorized to use the ePHI transmitted through that machine can access.
- Use a dedicated FAX machine for ePHI and keep it well separated and secured, compared to any other FAX machines in use.
Development of policies along these lines will help to mitigate security issues associated with FAXing. These guidelines are common in institutions having to abide by HIPAA … especially if they are not aware of better solutions.
Option #3: Send the FAX data via “Email”
If you search the internet for “Secure FAX” services, you will find many companies that advertise secure FAXing. Some of these vendors never actually describe security at all; they just get your attention with the “Secure” keyword. Some of them offer FAX services and instruct you to follow the steps described in Option #2 to make FAXes “secure”. The few that actually offer a truly secure FAX service do something like this:
- You access their web site using a secure (SSL/TLS) connection.
- You login and upload the materials to be “FAXed” (i.e. possibly after first scanning and saving it on your computer).
- You enter an email address and possibly a FAX number of the recipient.
- The pages that you are “FAXing” are encrypted and saved in a database at your FAX service provider.
- The “FAX” recipient gets an email or FAX notifying them that they have a “FAX” and that they need to go to a web site to “pick it up”.
- The recipient goes to the web site and downloads the “FAX” over a secure (SSL/TLS) web connection.
This transmission of information is secured along the whole path because:
- The transmission from the sender to the server is secured.
- The temporary storage is secured.
- The transmission from the server to the recipient is secured.
- An audit trail may be available to track the process, for improved compliance.
- Authentication of the sender and/or recipient may be present, for improved compliance.
This is obviously a more secure method of transmitting PHI than a classical FAX. Note that the service provider holds the stored copy and the keys to it, so it is a HIPAA business associate and must sign a business associate agreement with you. However, the use of “FAX” in this process is really a misnomer. Except for some services which “FAX” the recipient a notice instead of an email notification, no actual FAXing is involved. Secure FAX services offer nothing more than a “drop off and pick up” process. However, for most purposes, that process is the solution, not the FAXing in and of itself.
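To make the “drop off and pick up” process concrete, here is an added example of the server-side core of such a service. It is not LuxSci’s SecureLine code or any vendor’s; the names (`PickupStore`, `seal`, `open_sealed`, `Deposit`) are assumptions for illustration, the HTTP/TLS layer is assumed to sit around it, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for the AES-GCM or ChaCha20-Poly1305 a real service would use. It shows the properties listed above: pages are encrypted under a per-deposit key before they are stored, only a hash of the one-time pickup token is kept, pickup is bound to the notified recipient, is single-use, expires, and every step lands in an audit trail.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a sub-key from a master key with HMAC-SHA256 (HKDF-expand style)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR using HMAC-SHA256 as the PRF. Stdlib-only stand-in
    for AES-GCM / ChaCha20-Poly1305, which a real service would use."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored pages were tampered with")
    return _keystream_xor(_derive(key, b"enc"), nonce, ct)


@dataclass
class Deposit:
    sender: str
    recipient: str        # the login the pickup is bound to
    blob: bytes           # encrypted pages; the store never holds plaintext
    token_hash: bytes     # only a hash of the pickup token is kept server-side
    expires_at: float
    picked_up: bool = False


class PickupStore:
    """Drop-off / pick-up core (hypothetical; no HTTP layer, TLS assumed around it)."""

    def __init__(self, master_key: bytes, ttl_seconds: int = 7 * 24 * 3600, clock=time.time):
        self._master = master_key
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._deposits: dict = {}
        self.audit: list = []  # (time, event, deposit_id, actor)

    def _log(self, event: str, deposit_id: str, actor: str) -> None:
        self.audit.append((self._clock(), event, deposit_id, actor))

    def drop_off(self, sender: str, recipient: str, pages: bytes) -> tuple:
        """Store pages encrypted under a per-deposit key; return (id, one-time token).
        The token travels to the recipient out of band (the email or FAX notice)."""
        deposit_id = secrets.token_urlsafe(8)
        token = secrets.token_urlsafe(32)
        blob = seal(_derive(self._master, deposit_id.encode()), pages)
        self._deposits[deposit_id] = Deposit(
            sender, recipient, blob,
            hashlib.sha256(token.encode()).digest(), self._clock() + self._ttl)
        self._log("drop_off", deposit_id, sender)
        self._log("notified", deposit_id, recipient)
        return deposit_id, token

    def pick_up(self, deposit_id: str, token: str, login: str) -> bytes:
        """Release the pages once, to the bound recipient, before expiry."""
        d = self._deposits.get(deposit_id)
        ok = (
            d is not None
            and not d.picked_up
            and self._clock() <= d.expires_at
            and hmac.compare_digest(login.encode(), d.recipient.encode())
            and hmac.compare_digest(hashlib.sha256(token.encode()).digest(), d.token_hash)
        )
        if not ok:
            self._log("pickup_refused", deposit_id, login)
            raise PermissionError("pickup refused")  # one generic error, no hints
        pages = open_sealed(_derive(self._master, deposit_id.encode()), d.blob)
        d.picked_up, d.blob = True, b""              # single use: wipe the stored copy
        self._log("pickup", deposit_id, login)
        return pages
```

The refusal path deliberately returns the same error whether the deposit is missing, already collected, expired, bound to someone else or presented with a bad token, so a guesser learns nothing; the audit list is what a compliance reviewer would read to reconstruct who deposited, who was notified and who collected.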
LuxSci offers just this kind of drop off and pick up service as part of its SecureLine email encryption service: you can securely and compliantly transfer files to any organization using any email address. It is easy to send and easy to pick up PHI, and SecureLine is HIPAA-secure. It is not a “FAX” per se, but it delivers the same result.
What is the right choice for you?
As with everything HIPAA, the choice is yours to:
- Abandon FAXes if you don’t need them frequently.
- Use FAXes with good policies if you have the demand, your staff can’t easily make electronic copies of the data, and/or if your recipients do not have email access.
- Use something like LuxSci’s SecureLine Escrow service if:
- you have introduced end-to-end email encryption for sending private information over the Internet, or
- most of your PHI data is already digital or can be easily scanned, or
- most of your recipients use email and would prefer this data in a more useful format than a FAX, or
- the risk of breach due to continued insecure FAX usage is too great for your company’s HIPAA compliance requirements