hipaa fax Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘hipaa fax’

Using Email for Online Faxing? It Must Be HIPAA-Compliant

Monday, September 30th, 2019

Many businesses use email and more recent forms of communication wherever they can, but there are still a number of use cases where organizations rely on the humble fax machine. These include legal discovery, sending medical records and a range of situations where a paper trail is important.

In certain circumstances, faxing can be an easy way to meet government regulations, while faxing can also be used to meet the communication needs of clients and customers. But faxing doesn’t have to be done through the same process as the old days – there are now a wide range of email fax services that make it easy to both send and receive faxes.

Although faxing predates the HIPAA regulations, organizations in the health industry and those that process ePHI will still need to be mindful of HIPAA law if they are using email to send online faxes.

Business Associate Agreements

If there is a chance that your organization may send protected health information to an online fax service, then both the faxing service and the email that you send the data from need to be HIPAA-compliant.

Not only does this mean that you need to find providers that specialize in abiding by the regulations, but your company will also need to sign a business associate agreement (BAA) with both of these entities.

BAAs are critical for any situation where ePHI is shared with a third party. They stipulate how the data will be handled, as well as how responsibility will be shared. If your company doesn’t have a BAA signed with both the HIPAA-compliant email provider and the online fax service, then any faxes that it sends will not be HIPAA-compliant, which could lead to incredibly hefty penalties.

Make Sure that Adequate Security Is in Place

Not only is a BAA required, but it’s important to make sure that email and fax service providers have all of the necessary measures to secure any ePHI that your organization may share with them. As a base, this can include technical measures like TLS, PGP and access control, among many others.

Physical, operational and administrative safeguards also need to be in place. Your organization could have all of the cutting edge security technology, but if its employees aren’t trained to use it properly, then it could all be useless.

HIPAA regulations require a holistic policy that lays out your organization’s overall approach to protecting patient data. This includes things like organization, administration, training, response plans and a whole host of measures that help to plug up any potential gaps.

Erring on the Safe Side

HIPAA regulations are complicated and it’s easy to end up on the wrong side of them, especially if your organization is combining technologies like faxing and email. HIPAA violations can lead to significant consequences, so it tends to be best to err on the safe side.

A good approach is to protect data by default, by using features like opt-out encryption rather than opt-in setups. Even if most of your online faxes don’t contain PHI or require safeguards, this approach can still help to protect against accidents.

Let’s say that a secretary spends most of their time sending online faxes that don’t need to be protected. If they weren’t protecting the data by default, then they could easily fall into the habit of sending all online faxes in this manner.

This could get dangerous in the few cases where the online faxes do contain protected health information. The secretary may accidentally send them off without protecting the data out of habit. Not only does this have the potential to expose the person’s data, but it could also lead to enormous HIPAA penalties.

Even though most data may not need to be protected, the risk of these devastating errors can make it worthwhile to safeguard everything, providing security in these exceptional circumstances. It’s also worthwhile to consider that PHI can be involved in messages without the sender realizing it.

Something as simple as a newsletter could inadvertently violate the regulations if it contained information about a disease and was only sent to patients who suffered from it. The patients’ contact details could potentially make it possible to identify them as individual sufferers, leading to a violation.

This is why it’s so important to err on the safe side and protect information even if it may seem unnecessary at first. There are a number of different traps that your organization can fall into when sending online faxes through email. By using HIPAA-compliant providers and taking a cautious approach, your organization can significantly reduce the risks, making it far less likely to face the devastating consequences that come alongside a violation.

Is FAXing really HIPAA Compliant?

Tuesday, September 12th, 2017

Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to organizations via FAX (facsimile).

Why?  Because this is how it has always been done, and everyone is “set up” to be able to handle FAXes quickly and efficiently.

Go back in time 10-15 years.  Every doctor’s office and small business had one or more FAX machines for sending documents and pictures back and forth.  It was essential technology that became ingrained into business processes through constant, repetitive use.  Everyone knows how to use a FAX machine, even the most technologically challenged staff member.

Is a FAX really HIPAA compliant?

Fast forward to now:

  1. Fax Machines have changed.  They are now all-in-one devices that scan, print, copy, send files to your computer, and more.  The “FAX” ability is now just a minor extra feature.
  2. HIPAA has arrived and evolved.  It used to be that sending patient (ePHI) data via FAX was the norm.  Now, it is perilous to send such private data over regular FAX lines, as it is easy for that process to break down and violate HIPAA.  E.g. see this $2.5 million lawsuit resulting from 1 fax message.
  3. Everyone has a computer or tablet. Most doctors and staff members have access to email, a HIPAA-secured computer or tablet, and familiarity with how to use them … and have been trained on best practices via the required HIPAA security training that everyone has to have nowadays.
  4. Paperless offices. Workplaces have or are evolving to become paperless — everything is stored electronically.  Regular FAXes are often disdained in favor of email; when regular FAXes do arrive, they are often scanned to electronic files and then destroyed.
  5. Low resolution. Faxes are low-resolution.  They are slow and they do not contain a great amount of detail.  They are not great for sending anything graphical.


HIPAA Faxing: How To Send and Receive FAXes in a Secure and Compliant Way

Friday, May 6th, 2011

We have previously discussed how it may be OK according to HIPAA to send and receive FAXes with ePHI over standard analog phone lines.  See: Is a FAX document HIPAA-Secure?

However, we have observed that customers more and more wish to integrate FAXing with their computers, taking advantage of the “paper-free” office that is arriving most places.  Why should they have to print and manually fax things or receive FAXes on an old-fashioned FAX printer, when their computers have FAX capability?  Can that capability be used in a HIPAA-compliant way?

The answer is “Yes, you can”.  This article explains how and points out things to watch out for.
