Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to organizations via FAX (facsimile).
Why? Because this is how it has always been done, and everyone is “set up” to be able to handle FAXes quickly and efficiently.
Go back in time 10-15 years. Every doctor’s office and small business had one or more FAX machines for sending documents and pictures back and forth. It was essential technology that became ingrained into business processes through constant, repetitive use. Everyone knows how to use a FAX machine, even the most technologically challenged staff member.
Fast forward to now:
- Fax Machines have changed. They are now all-in-one devices that scan, print, copy, send files to your computer, and more. The “FAX” ability is now just a minor extra feature.
- HIPAA has arrived and evolved. It used to be that sending patient (ePHI) data via FAX was the norm. Now, it is perilous to send such private data over regular FAX lines, as it is easy for that process to break down and violate HIPAA. E.g. see this $2.5 million lawsuit resulting from 1 fax message.
- Everyone has a computer or tablet. Most doctors and staff members have access to email, a HIPAA-secured computer or tablet, and familiarity with how to use them … and have been trained on best practices via the required HIPAA security training that everyone has to have nowadays.
- Paperless offices. Workplaces have become, or are evolving to become, paperless — everything is stored electronically. Regular FAXes are often disdained in favor of email; when regular FAXes do arrive, they are often scanned to electronic files and then destroyed.
- Low resolution. Faxes are low-resolution. They are slow and they do not contain a great amount of detail. They are not great for sending anything graphical.
Struggling to hold on to FAX
FAXing is “the way things are done”. At least, that is what many people think, as that is what they are used to from times past. So they feel the need to have FAX ability on hand, in a HIPAA-compliant way. It's a square peg in a round hole issue.
In some health care offices, everyone still (yes, in 2017) relies exclusively on FAX; they do not use email or electronic communications at all. They send everything via FAX and they expect patients and other doctors to send them everything back by FAX. It is antiquated and cumbersome, but amazingly prevalent.
Without physical FAX machines, many folks end up finding some service, like eFax Corporate®, that is expensive and which provides HIPAA-compliant FAX. But what do most of those services actually do?
- You scan the documents into your computer.
- You send them electronically to their service.
- The recipient gets a notice that the FAX is waiting and a link to pick it up.
- The recipient picks up the document from the FAX provider’s secure web site.
Can you tell me where “FAX” is actually part of that solution? It's not there at all… except maybe to use your FAX machine as a scanner, or in the case where the recipient of the FAX actually uses a FAX machine. If the documents were actually FAXed normally, there are lots of privacy pitfalls … so even secure FAX companies try to avoid you doing that.
With HIPAA security regulations ever-present and evolving, there is a great concern as to if and when use of a FAX is really HIPAA compliant.
For electronic FAXing options, see: HIPAA Faxing: How to Send and Receive FAXes in a Secure and Compliant Way.
Beyond compliance issues, a FAX is not really useful — you essentially get a printout or an image and not an electronic document that can be efficiently used. It is not good for productivity or for meeting other standards.
Can data sent via FAX be “secure enough” for HIPAA?
You might think that the answer is simply “no”, unless the FAX is sent over some type of secured phone line. Why? Because anyone with physical access to the phone lines and some technical expertise can eavesdrop on phone calls and FAXes and thus obtain any protected health information sent by fax. It is acknowledged that sending email messages containing PHI insecurely is prohibited, so it follows that FAXing might also be “not a good idea”.
But, it turns out that “no” is too simple an answer and not practical or accurate.
How does HIPAA actually apply to FAXes?
The area of HIPAA that applies to FAXes is the “Safeguards Principle”.
SAFEGUARDS PRINCIPLE: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
HIPAA is interesting in that it lays out many requirements, rules, and principles, but they are all flexible and do not prescribe specific practices or actions that must be taken. This permits organizations to “adequately” protect the privacy of PHI as appropriate to their circumstances.
With email, there are many physical, technical, and administrative safeguards that are easy to apply. Using end-to-end email encryption and good security policies is not difficult and is considered “low hanging fruit” on the path to meeting all of the HIPAA requirements. Since securing email is relatively easy, it becomes essentially mandatory under the Safeguards Principle — it is reasonable to take the straight-forward step of using email encryption to protect personal health information (PHI), especially with the significant insecurities of Internet use in general.
With FAXes, the situation is very different.
- There is no easy way to secure a “regular” FAX transmission between two parties unless they are both set up with special encrypting fax machines or other special services. Few organizations have such tools. They are expensive, and to be useful, everyone must have compatible machines.
- Everyone already uses insecure FAX machines that talk over regular phone lines.
- People are familiar with communication of protected health information (PHI) on an as needed basis verbally over the [insecure] phone.
- Use of these same [insecure] phone lines to send a FAX is not less secure than talking over the line.
- Most organizations have a strong business need to communicate using FAX.
Why are insecure phone lines and phone calls OK? Because:
- These have historically been “analog” and not digital communications. Analog communications do not fall under the HIPAA Security Rule and thus the protections are different. However, I think it is debatable what, if anything, is “really” analog anymore…
- These communications go over “common carriers” … so a business associate agreement with the phone companies is not required.
Since speaking over insecure phone lines, when needed, is “OK” as far as HIPAA goes, how can a FAX be less secure?
- FAXes are often left on the FAX machine for some period of time after they arrive. This makes the sensitive information available to anyone walking by the machine.
- FAX machines often save copies of received FAXes internally. This makes it possible for anyone with access to the FAX machine to print out additional copies of the sensitive material.
- FAX machines generally print out the transmitted messages on paper. This paper, if not destroyed, could be placed in an insecure location.
- If the fax machine actually transmits the fax digitally anywhere (e.g. fax-to-email), then that digital transmission must be properly encrypted for HIPAA. Most fax machines do not support that; and most small offices do not bother to set this up securely even if it is possible for them.
What should you do to be HIPAA compliant?
Option #1: Don’t send any FAXes
This is probably not realistic for most organizations; however, it will guarantee that you are HIPAA compliant. It is, increasingly, the way to go these days — with it being easier and easier to send information over secure email or through other secure electronic means. Eliminating the paper trail and the insecure FAXes can be an important step in cleaning up your HIPAA risk analysis.
Option #2: Use sensible policies
If you decide it's worth the risk to send FAXes over insecure phone lines, you should utilize sensible policies to mitigate the insecurities of the facsimile and help ensure that you are abiding by the Safeguards Principle in a reasonable manner. Some suggested policies include:
- Do not send PHI over FAX unless it cannot be sent over other, more secure, channels, e.g. delivery by hand, secure email, etc.
- Only send the PHI actually needed; do not send additional information.
- Always use a cover letter to prevent casual reading of the first page of the FAX.
- Use saved speed-dial numbers for common FAX recipients to prevent numbers being mis-dialed. Test these numbers periodically.
- For any new recipient, verify the FAX number with a test send of a facsimile before sending the actual protected health information.
- Develop policies on what to do if a FAX was sent to the wrong place. This can be a HIPAA breach.
- Configure your FAX machines to never save copies of sent or received FAXes.
- Make sure that PHI FAXes never remain on the FAX machine after receipt, and that they are promptly delivered to the intended recipient.
- Develop policies on the storage, copying, and disposal of PHI FAXes.
- Locate your FAX machines in a secured room where only staff who are authorized to use the ePHI that may be transmitted through that machine can access it.
- Use dedicated FAX machines for ePHI and keep them well separated and secured, compared to any other FAX machines in use.
Development of policies along these lines will help to mitigate security issues associated with FAXing. These guidelines are common in institutions having to abide by HIPAA … especially if they are not aware of better solutions.
Option #3: Send the FAX data via “Email”
If you search the internet for “Secure FAX” services, you will find many companies that advertise secure FAXing. Some of these vendors never actually describe security at all — they just get your attention with the “Secure” keyword. Some of them offer FAX services and instruct you to follow the steps described in Option #2 to make FAXes “secure”. The few that actually offer a truly secure FAX service do something like this:
- You access their web site using a secure (SSL) connection.
- You login and upload the materials to be “FAXed” (i.e. possibly after first scanning and saving it on your computer).
- You enter an email address and possibly a FAX number of the recipient.
- The pages that you are “FAXing” are encrypted and saved in a database at your FAX service provider.
- The “FAX” recipient gets an email or FAX notifying them that they have a “FAX” and that they need to go to a web site to “pick it up”.
- The recipient goes to the web site and downloads the “FAX” over a secure (SSL) web connection.
This transmission of information is secure end-to-end because:
- The transmission from the sender to the server is secured.
- The temporary storage is secured.
- The transmission from the server to the recipient is secured.
- An audit trail may be available to track the process, for improved compliance.
- Authentication of the sender and/or recipient may be present, for improved compliance.
This is obviously a more secure method of transmitting PHI than a classical FAX. However, the use of “FAX” in this process is really a misnomer. Except for some services which “FAX” the recipient a notice instead of an email notification, little actual FAXing is involved; most of the steps are short-circuited and replaced with digital transmission over the internet. Many secure FAX services offer nothing more than a “drop off and pick up” process. However, for most purposes, that drop-off-and-pick-up process is the solution, not the FAXing in and of itself.
LuxSci offers just this kind of drop off and pick up service as part of its SecureLine email encryption service — you can securely and compliantly transfer files to any organization using any email address. It’s easy to send and easy to pick up PHI, and SecureLine is HIPAA compliant. It is not a “FAX” per se, but it delivers the same result.
What is the right choice for you?
As with everything HIPAA — the choice is yours to:
- Abandon FAXes if you don’t need them frequently.
- Use FAXes with good policies if you have the demand, your staff can’t easily make electronic copies of the data, and/or if your recipients do not have email access.
- Use something like LuxSci’s SecureLine Escrow service if:
  - you have introduced end-to-end email encryption for sending private information over the internet, or
  - most of your PHI data is already digital or can be easily scanned, or
  - most of your recipients use email and would prefer this data in a more useful format than a FAX, or
  - the risk of breach due to continued insecure FAX usage is too great for your company’s HIPAA risk profile.
Unsure what to do?
Ask LuxSci: Have a Free Consultation with an Expert
Tags: document, facsimile, fax, hipaa, hipaa compliant, hipaa fax, hipaa security, phi, phone, protected health information, Safeguards Principle, secure, secure fax
This entry was posted on Tuesday, September 12th, 2017 at 7:30 am and is filed under LuxSci Library: HIPAA, Popular Posts.
By Rick Brinegar, MHS
From Compliance Today, a publication for HCCA members
The Office for Civil Rights (OCR) website has information concerning a practice that faxed medical records to a patient’s employer instead of his new provider. Obviously, this was just a mistake that was made in the mad rush of day-to-day operations in healthcare.[i] The fact that we’re busy does not seem to carry much weight with the OCR, and the practice was required to take corrective action and deal with a very angry patient.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a difficult law to integrate within the operation of a healthcare organization but, in fact, it is here to stay. It’s much better to sit down and develop a plan for HIPAA versus reacting, or overreacting, to a breach. One potential source of a breach is faxing, which does require all practice stakeholders to plan to help ensure there are few, or hopefully, no problems. For lack of a better way of saying it, faxing can be “dangerous” for HIPAA breaches, and because we do it during the rush of daily operations, the risk can go up. All it takes is someone to key one wrong digit, and your documents are somewhere you didn’t intend them to be.
Is faxing really necessary?
To reduce the chances of a breach, start by looking at what you actually are faxing. Does it really make sense to fax it, or would the traditional mail system work better, at least as far as a possible breach is concerned? If you have a primary care setting, faxing referrals to specialists can be problematic. Consider implementing a No Fax policy (unless there are emergencies). One option for true emergencies is to give a “verbal approval” to the specialist with the understanding that the referral will be coming in the mail. For planned services, referrals could be mailed to patients or specialists as applicable. If you have been faxing PHI, such as to registries or government offices, inquire about mailing the documentation. You may find that the mail is just as acceptable, but faxing was done because it was easier, which was probably true prior to HIPAA.
Integrate faxing into busy days
Consider setting up a “To be faxed” bin somewhere close to the fax machine. The important thing here is not to fax during the mad rush of caring for patients, but to carve out some time, probably at the end of the day, to fax anything you need. This will reduce the risk of keying an incorrect digit, because full attention is on the task at hand. Perhaps someone in the clerical area could assume this job by concentrating on the faxing all at once with minimal distractions.
Checking the accuracy of your fax numbers
I recommend checking to ensure that the numbers you are faxing to are correct. This involves creating a sheet of your own that is faxed to each of your numbers (See Example 1 below). Fax the one-page sheet to your fax contacts. On the sheet, ask if this number is still acceptable to receive protected health information (PHI). On the same sheet, ask the recipient to sign it, date it, and return it to you. Although there is no hard and fast rule, I would recommend updating this information about once a year. Upon verification, these are the fax numbers that should be loaded into your fax machine as saved numbers. A word of caution: Don’t make the mistake of assuming that the fax numbers embedded in electronic medical records are necessarily correct either; a fax breach can occur from these as well.
Example 1: Fax cover sheet
A cover sheet is a must for faxing. Although the content of a narrative on a fax cover sheet is optional, it does help to use a few buzz words, and always make it easy for someone to contact you if they received the fax incorrectly. First of all, do not use the patient’s name or other PHI in the subject line on the fax cover sheet. I recommend listing a contact person and their phone number; it displays more of a sense of urgency if the incorrect fax is received. Further, by putting the “Important Notice” at the top of the sheet, it stands out to the reader (See Example 2 below).
Example 2: Fax cover sheet
Investigating a potential fax breach
Always make sure to follow all required regulations regarding the reporting of a breach; if unsure, contact your legal area. It is important for your organization to design a corrective action plan after the investigative process has concluded.
For our purposes, let’s look at some recommendations for investigating the potential fax breach:
- Call the person(s) who received the incorrect fax and ask them what they observed. Was it just the cover sheet or was PHI viewed?
- Interview the person who sent the fax from your healthcare organization. Was this a fax number that is always used and a number was misdialed? Was it a completely new fax number to your practice?
- Observe the faxing area of your healthcare organization. Is the area well managed and organized, or simply chaotic? Adding some structure to the area may be an element in the corrective action plan.
- Get feedback from other people who work in the immediate area for suggestions on how to improve the area where your faxes originate. Again, this may be good information for a corrective action plan.
By working with other impacted stakeholders you will find that a little prevention here will be very helpful to the organization’s compliance efforts. And because faxing is such a routine function, it might be helpful to add these processes to your compliance plan.
Rick Brinegar (firstname.lastname@example.org) is the Director of Professional Fees and Compliance HIPAA Officer for the University of Maryland Department of Obstetrics, Gynecology and Reproductive Sciences in Baltimore, MD.
[i] DHHS: Office for Civil Rights: Health Information Privacy Enforcement Examples Involving HIV/AIDS. Available at http://www.hhs.gov/ocr/civilrights/activities/examples/AIDS/hiphiv/aidscases.html