Before there was widespread access to email and the Internet, fax machines in healthcare practices were a common and accepted way to expeditiously share patient information with other providers. Convenient, affordable, easy to use, it’s no wonder fax machines are still whirring in a lot of offices. Maybe even yours.
But with all the regulations now in place to ensure the privacy and security of Protected Health Information (PHI), many practices are wondering: Is information sent via fax HIPAA compliant?
In today’s blog I’ll answer that question, provide guidelines for a HIPAA compliant fax for those of you who aren’t quite ready to trade your fax machines for e-solutions, and I’ll also suggest a better way to go than continuing to fax.
“If I fax PHI, am I still HIPAA compliant?”
Unless they’re sent over a secure phone line, faxes can be intercepted by anyone with physical access to the lines and some technical expertise. So it might seem logical that HIPAA would prohibit the faxing of PHI. Not quite. Since having a conversation about a patient over an insecure phone line, when necessary, is OK as far as HIPAA is concerned, so is faxing.
Why? HIPAA’s “Safeguards Principle” is the reason. This part of the law states, “Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.”
If you take “reasonable steps” to ensure the privacy and security of the faxes you send, you can continue to communicate with colleagues and other providers in this way.
Steps to safer faxing:
- Always use a cover letter.
- To prevent numbers from being mis-dialed, use saved speed-dial numbers for recipients you fax frequently. Check those numbers regularly.
- For any new recipient, verify the number with a test email before sending PHI.
- Have policies in place for what to do if a fax is sent to the wrong number.
- Set up your fax machine to never save copies of faxes you send or receive.
- Make sure that faxes containing PHI are promptly delivered to the intended recipient.
- Have policies in place for storing, copying, and disposing of PHI faxes.
- Place your fax machine in a secured room where only authorized personnel can access the PHI that’s received and transmitted there.
- Designate a fax machine exclusively for PHI. Keep it separate from other fax machines in the office.
There are things — like the 9 above — that you have control over when faxing. But people on the receiving end might not be as conscientious as you and your staff. And in spite of your best efforts, patient information could be compromised — more so with a fax than with newer methods of transmission and security.
Avoid the risks. Send PHI some other way.
Today it’s easier and safer to send PHI quickly by using a good scanner and a HIPAA compliant email service. And because of that, it just makes sense to eliminate the paper trail faxes can leave behind. So do yourself and your practice a favor — let your old fax machine go the way of 8-track tapes, movie rental stores, and public pay phones. Retire it soon — and avoid the risks.