Faxing Your Way to HIPAA Violations?
by Donna Koger, 4.11.18
If you are still faxing PHI, your practice may be in serious danger of HIPAA non-compliance and all that entails.
When you send a fax over a telephone line, it is NOT secure. Anyone on the other end can intercept the document and view PHI not intended for them. Faxing is "dangerous" from a HIPAA standpoint because it is usually done in the rush of daily operations, when the risk of error goes up. All it takes is one wrong digit, and your documents are somewhere you never intended them to be. Have you ever sent a fax to the wrong destination? It is a seemingly innocent mistake, but one that could cost your organization a great deal of money in the long run. Is it worth it?
The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so.
These reasonable safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information.
If you MUST use fax communication, here are some safeguards to follow:
1. Never let incoming faxes sit on publicly available fax machines.
When faxing protected documents, never leave the machine until the transmission is complete, and call the recipient to confirm that their fax machine is in a protected location, out of the public's line of sight.
2. Dump your manual fax machine and use a HIPAA compliant cloud fax service.
This will save you money, make it easier to manage sending and receiving faxes, and add the document security of encryption when sending and storing faxes. Make sure your cloud fax service encrypts all of your documents and performs any document enhancements inside its secure data center rather than on your device.
3. Always use cover pages.
It is a HIPAA requirement that you use a cover sheet with the approved HIPAA statement when transmitting PHI. If your cloud fax provider adheres to HIPAA rules, they will make a cover page a standard part of the workflow when sending a fax.
Be sure to use a Confidentiality Statement on your fax cover sheets when sending patient information. The following is an example of an approved Confidentiality Statement:
The documents accompanying this facsimile transmittal are intended only for the use of the individual or entity to which it is addressed. It may contain information that is privileged, confidential and exempt from disclosure under law. If the reader of this message is not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you are not the intended recipient, you are hereby notified that law strictly prohibits any disclosure, copying, distribution or action taken in reliance on the contents of these documents. If you have received this fax in error, please notify the sender immediately to arrange for return of these documents.
In order to be HIPAA compliant, your fax cover sheet should also include the following items:
- Date and time sent
- Name of recipient
- Recipient’s fax number
- Sender’s name and organization
- Sender’s phone number
- HIPAA fax disclaimer
4. Keep an audit trail.
If you don't have an accurate audit trail of every activity that occurred with each patient document, you are susceptible to the fines associated with non-compliance. Cloud faxing records this automatically, and a good service will provide access to every document version from inside the application, so you can view all activity.