Using Email for Online Faxing? It Must Be HIPAA-Compliant

September 30th, 2019

Many businesses use email and more recent forms of communication wherever they can, but there are still a number of use cases where organizations rely on the humble fax machine. These include legal discovery, sending medical records and a range of situations where a paper trail is important.

In certain circumstances, faxing can be an easy way to meet government regulations, while faxing can also be used to meet the communication needs of clients and customers. But faxing doesn’t have to be done through the same process as the old days – there are now a wide range of email fax services that make it easy to both send and receive faxes.

Although faxing predates the HIPAA regulations, organizations in the health industry and those that process ePHI will still need to be mindful of HIPAA law if they are using email to send online faxes.

Business Associate Agreements

If there is a chance that your organization may send protected health information to an online fax service, then both the faxing service and the email that you send the data from need to be HIPAA-compliant.

Not only does this mean that you need to find providers that specialize in abiding by the regulations, but your company will also need to sign a business associate agreement (BAA) with both of these entities.

BAAs are critical for any situation where ePHI is shared with a third party. They stipulate how the data will be handled, as well as how responsibility will be shared. If your company doesn’t have a BAA signed with both the HIPAA-compliant email provider and the online fax service, then any faxes that it sends will not be HIPAA-compliant, which could lead to incredibly hefty penalties.

Make Sure that Adequate Security Is in Place

Not only is a BAA required, but it’s important to make sure that email and fax service providers have all of the necessary measures to secure any ePHI that your organization may share with them. As a base, this can include technical measures like TLS, PGP and access control, among many others.

Physical, operational and administrative safeguards also need to be in place. Your organization could have all of the cutting edge security technology, but if its employees aren’t trained to use it properly, then it could all be useless.

HIPAA regulations require a holistic policy that lays out your organization’s overall approach to protecting patient data. This includes things like organization, administration, training, response plans and a whole host of measures that help to plug up any potential gaps.

Erring on the Safe Side

HIPAA regulations are complicated and it’s easy to end up on the wrong side of them, especially if your organization is combing technologies like faxing and email. HIPAA violations can lead to significant consequences, so it tends to be best to err on the safe side.

A good approach is to protect data by default, by using features like opt-out encryption rather than opt-in setups. Even if most of your online faxes don’t contain PHI or require safeguards, this approach can still help to protect against accidents.

Let’s say that a secretary spends most of their time sending online faxes that don’t need to be protected. If they weren’t protecting the data by default, then they could easily fall into the habit of sending all online faxes in this manner.

This could get dangerous in the few cases where the online faxes do contain protected health information. The secretary may accidentally send them off without protecting the data out of habit. Not only does this have the potential to expose the person’s data, but it could also lead to enormous HIPAA penalties.

Even though most data may not need to be protected, the risk of these devastating errors can make it worthwhile to safeguard everything, providing security in these exceptional circumstances. It’s also worthwhile to consider that PHI can be involved in messages without the sender realizing it.

Something as simple as a newsletter could inadvertently violate the regulations if it contained information about a disease and was only sent to patients who suffered from it. The patients’ contact details could potentially make it possible to identity them as individual sufferers, leading to a violation.

This is why it’s so important to err on the safe side and protect information even if it may seem unnecessary at first. There are a number of different traps that your organization can fall into when sending online faxes through email. By using HIPAA-compliant providers and taking a cautious approach, it can significantly reduce the risks, making it far less likely to face the devastating consequences that come alongside a violation.