Is FAXing really HIPAA Compliant?

September 12th, 2017

Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to organizations via FAX (facsimile).

Why?  Because this is how it has always been done, and everyone is “set up” to be able to handle FAXes quickly and efficiently.

Go back in time 10-15 years.  Every doctor’s office and small business had one or more FAX machines for sending documents and pictures back and forth.  It was essential technology that became ingrained into business processes through constant, repetitive use.  Everyone knows how to use a FAX machine, even the most technologically challenged staff member.

Fast forward to now:

  1. Fax Machines have changed.  They are now all-in-one devices that scan, print, copy, send files to your computer, and more.  The “FAX” ability is now just a minor extra feature.
  2. HIPAA has arrived and evolved.  It used to be that sending patient (ePHI) data via FAX was the norm.  Now, it is perilous to send such private data over regular FAX lines, as it is easy for that process to break down and violate HIPAA.  E.g. see this $2.5 million dollar law suite resulting from 1 fax message.
  3. Everyone has a computer or tablet. Most doctors and staff members have access to email, a HIPAA-secured computer or tablet, and familiarity with how to use them … and have been trained on best practices via the required HIPAA security training that everyone has to have now-a-days.
  4. Paperless offices. Workplaces have or are evolving to become paperless — everything is stored electronically.  Regular FAXes are often disdained in favor or email; when regular FAXes do arrive, they are often scanned to electronic files and then destroyed.
  5. Low resolution. Faxes are low-resolution.  They are slow and they do not contain a great amount of detail.  They are not great for sending anything graphical.

Struggling to hold on to FAX

FAXing is “the way things are done”.  At least, that is what many people think as that is what they are used to from times past.  So they feel the need to have FAX ability on hand, in a HIPAA-compliant way.  Its a square peg in a round hole issue.

In some health care offices, everyone still (yes, in 2017) relies exclusively on FAX; the do not use email or electronic communications at all.  The send everything via FAX and they expect patients and other doctors to send them everything back back FAX.  It is antiquated and cumbersome, but amazingly prevalent.

Without physical FAX machines, many folks end up finding some service, like eFax Corporate®, that is expensive and which provides HIPAA-compliant FAX.  But what do most of those services actually do?

  1. You scan the documents into your computer.
  2. You send them electronically to their service.
  3. The recipient gets a notice that the FAX is waiting and a link to pick it up.
  4. The recipient picks up the document from the FAX provider’s secure web site

Can you tell me where “FAX” is actually part of that solution?  Its not there at all… except maybe to use your FAX machine as a scanner or in the case where the recipient of theFAX actually uses a FAX machine.   If the documents were actually FAXed normally, there are lots of privacy pitfalls … so even secure FAX companies try to avoid you doing that.

With HIPAA security regulations ever-present and evolving, there is a great concern as to if and when use of a FAX is really HIPAA compliant.

For electronic FAXing options, see: HIPAA Faxing: How to Send and Receive FAXes in a Secure and Compliant Way.

Beyond compliance issues, a FAX is not really useful — you essentially get a printout or an image and not an electronic document that can be efficiently used.  It is not good for productivity or for meeting other standards.

Can data sent via FAX be “secure enough” for HIPAA?

You might think that the answer is simple “no”, unless the FAX is sent over some type of secured phone line.  Why?  Because anyone with physical access to the phone lines and some technical expertise can eavesdrop on phone calls and FAXes and thus obtain any protected health information by fax.  It is acknowledged that sending email messages containing PHI insecurely is prohibited, so it follows that FAXing might also be “not a good idea”.

But, it turns out that “no” is too simple an answer and not practical or accurate.

How does HIPAA actually apply to FAXes?

The area of HIPAA that applies to FAXes is the “SafeGuards Principle“.

SAFEGUARDS PRINCIPLE: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

HIPAA is interesting in that it lays out many requirements, rules, and principles, but they are all flexible and do not prescribe specific practices or actions that must be taken.  This permits organizations to “adequately” protect the privacy of PHI as appropriate to their circumstances.

With email, there are many physical, technical, and administrative safeguards that are easy to apply.  Using end-to-end email encryption and good security policies is not difficult and is considered “low hanging fruit” on the path to meeting all of the HIPAA requirements.  Since securing email is relatively easy, it becomes essentially mandatory under the Safeguards Principle — it is reasonable to take the straight-forward step of using email encryption to protect personal health information (PHI), especially with the significant insecurities of Internet use in general.

With FAXes, the situation is very different.

  • There is no easy way to secure a “regular” FAX transmission between between two parties unless they are both setup with special encrypting fax machines or other special services. Few organizations have such tools. They are expensive, and to be useful, everyone must have compatible machines.
  • Everyone already uses insecure FAX machines that talk over regular phone lines
  • People are familiar with communication of protected health information (PHI) on an as needed basis verbally over the [insecure] phone.
  • Use of these same [insecure] phone lines to send a FAX is not less secure than talking over the line.
  • Most organizations have a strong business need to communicate using FAX.

Why are insecure phone lines and phone calls OK?  Because :

  1. These have historically been “analog” and not digital communications.  Analog communications do not fall under the HIPAA Security Rule and thus the protections are different.  However, I thing it is debatable what, if anything, is “really” analog anymore…
  2. These communications go over “common carriers” … so a business associate agreement with the phone companies is not required.

Since speaking over insecure phone lines, when needed,  is “OK” as far as HIPAA goes, how can a FAX be less secure?

  • FAXes are often left on the FAX machine for some period of time after they arrive.  This makes the sensitive information available to anyone walking by the machine.
  • FAX machines often save copies of received FAXes internally.  This makes it possible for anyone with access to the FAX machine to print out additional copies of the sensitive material.
  • FAX machines generally print out the transmitted messages on paper.  This paper, if not destroyed, could be placed in an insecure location.
  • If the fax machine actually transmits the fax digitally anywhere (e.g. fax-to-email), then that digital transmission must be properly encrypted for HIPAA.  Most fax machines do not support that; and most small offices do not bother to set this up securely even if it is possible for them.

What should you do to be HIPAA compliant?

Option #1: Don’t send any FAXes

This is probably not realistic for most organizations; however, it will guarantee that you are HIPAA compliant.  It is, increasingly, the way to go these days — with it being easier and easier to send information over secure email or through other secure electronic means. Eliminating the paper trail and the insecure FAXes can be an important step in cleaning up your HIPAA risk analysis.

Option #2: Use sensible policies

If you decide its worth the risk to send FAXes over insecure phone lines, you should utilize sensible policies to mitigate the insecurities of the facsimile and help ensure that you are abiding by the Safeguards Principle in a reasonable manner.  Some suggested policies include:

  1. Do not send PHI over FAX unless it cannot be sent over other, more secure, channels.  I.e. delivery by hand, secure email, etc.
  2. Only send the PHI actually needed; do not send additional information.
  3. Always use a cover letter to prevent casual reading of the first page of the FAX.
  4. Use saved speed-dial numbers for common FAX recipients to prevent numbers being mis-dialed.  Test these numbers periodically.
  5. For any new recipient, verify the FAX number with a test send of a facsimile before sending the actual protected health information.
  6. Develop policies on what to do if a FAX was sent to the wrong place.  This can be a HIPAA breach.
  7. Configure your FAX machines to never save copies of sent or received FAXes
  8. Make sure that PHI FAXes never remain on the FAX machine after receipt, and that they are promptly delivered to the intended recipient.
  9. Develop policies on the storage, copying, and disposal of PHI FAXes.
  10. Locate your FAX machines in a secured room where only staff who are authorized to use ePHI that may be transmitted trough that machine can use access it.
  11. Use dedicated FAX machines for ePHI and keep it well separate and secured, compared to any other FAX machines in use.

Development of policies along these lines will help to mitigate security issues associated with FAXing.  These guidelines are common in institutions having to abide by HIPAA … especially if they are not aware of better solutions.

Option #3: Send the FAX data via “Email”

If you search the internet for “Secure FAX” services, you will find many companies that advertise securing FAXing.  Some of these vendors never actually describe security at all — they just get your attention with the “Secure” keyword.  Some of them offer FAX services and instruct you to follow the steps described in Option #2 to make FAXes “secure”.  The few that actually offer a truly secure FAX service do something like this:

  1. You access their web site using a secure (SSL) connection.
  2. You login and upload the materials to be “FAXed” (i.e. possibly after first scanning and saving it on your computer).
  3. You enter an email address and possibly a FAX number of the recipient.
  4. The pages that you are “FAXing” are encrypted and saved in a database at your FAX service provider.
  5. The “FAX” recipient gets an email or FAX notifying them that they have a “FAX” and that they need to go to a web site to “pick it up”.
  6. The recipient goes to the web site and downloads the “FAX” over a secure (SSL) web connection.

This transmission of information is secure end-to-end because:

  1. The transmission from the sender to the server is secured.
  2. The temporary storage is secured.
  3. The transmission from the server to the recipient is secured.
  4. An audit trail may be available to track the process, for improved compliance.
  5. Authentication of the sender and/or recipient may be present, for improved compliance.

This is obviously a more secure method of transmitting PHI than a classical FAX.  However, the use of “FAX” in this process is really a misnomer.  Except for some services which “FAX” the recipient a notice instead of an email notification, little actual FAXing is involved or many of the steps are short circuited and replaced with digital transmission over the internet. Many secure FAX services offer nothing more than a “drop off and pick up” process.  However, for most purposes, that is the solution …. not the FAXing in and of itself.

LuxSci offers just this kind of drop off and pick up service as part of its SecureLine email encryption service — you can securely and compliantly transfer files to any organization using any email address.  It’s easy to send and easy to pickup PHI and SecureLine is HIPAA compliant.  It is not a “FAX” per-se, but it delivers the same result.

What is the right choice for you?

As with everything HIPAA — the choice is yours to:

  1. Abandon FAXes if you don’t need them frequently.
  2. Use FAXes with good policies if you have the demand, your staff can’t easily make electronic copies of the data, and/or if your recipients do not have email access.
  3. Use something like LuxSci’s SecureLine Escrow service if:
    1. you have introduced end-to-end email encryption for sending private information over the internet, or
    2. most of your PHI data is already digital or can be easily scanned, or
    3. most of your recipients use email and would prefer this data in a more useful format than a FAX, or
    4. the risk of breach due to continued insecure FAX usage is too great for your company’s HIPAA risk profile.

Unsure what to do?

Ask LuxSci: Have a Free Consultation with an Expert