In most health care provider offices, fax machines are as ubiquitous as stethoscopes. And while many people might wonder why — after all, the traditional fax machine seems somewhat antiquated in today’s world of email, cloud services, and mobile applications — there are actually some very good reasons that fax machines are so common.
While HIPAA includes certain restrictions on how Personal Health Information (PHI) can be collected and stored, it makes a clear distinction between the privacy of PHI and the security of PHI. Under HIPAA security rules, PHI that is transmitted via fax is not considered the same as information transmitted via electronic communication. The HIPAA security rules only apply to data that has been created, received, transmitted, or maintained electronically. In other words, if a doctor wants to share notes about a meeting with a patient, and those notes were handwritten on a sheet of paper, they can legally be faxed to an authorized party under HIPAA — even if the fax is not secured.
Clearly, there are some issues with this, and while technically such communications are allowed by HIPAA, they aren’t necessarily secure. This is because:
Most fax machines are connected to standard phone lines, which can be easily hacked and their communications intercepted. Encrypted fax transmissions are a possible solution, but they require both the sender and the receiver to have the encrypted machines and encryption codes.
When faxes arrive, they often sit on the machine for a period before the recipient retrieves them. It’s possible for dozens of people to see the fax before it reaches the intended recipient.
Many fax machines actually store copies of the faxes received internally, making it possible for anyone with access to the machine to print received faxes.
What makes the traditional faxing process even more cumbersome and insecure for many provider offices is that the information sent via fax often becomes electronic when staff enter it into a database or electronic health record by hand or via scanning, thereby changing it to information that must be secured under the HIPAA electronic PHI rules. All of this, in addition to the cumbersome and time-intensive process of using a traditional fax machine, has many providers wondering how they can send PHI and still maintain HIPAA compliance.
Cloud Faxing Solutions
One solution to the faxing-HIPAA compliance dilemma is a secure cloud faxing solution. These solutions give providers more flexibility when sending faxes, while also increasing the overall security of the PHI they contain.
The process of cloud faxing is simple: The sender prepares the transmission much like an email, entering the recipient’s fax number and attaching the documents. The fax is then encrypted and sent to a secure server, which then decrypts the message and delivers it to the fax machine. For incoming faxes, the sender sends the fax to your number, but the service encrypts it and delivers it to your inbox as a secure email attachment.
While such services share some similarities with email, there are some distinct advantages. First, senders can send PHI that has been created or stored electronically (like EMRs) via fax and still remain in compliance with HIPAA security rules, something that would be more difficult with a traditional fax.
Second, cloud faxing is safer than email. Email is vulnerable to viruses, phishing attacks, and hacking, making it dangerous to send PHI via email. A cloud fax service offers a secure portal to a dedicated cloud server, so even if the provider’s office is infected with a virus, the information sent by fax is still secure.
Third, cloud faxing removes some of the paper trail that is inherent in traditional faxing. Many times, information that needs to be faxed is printed to be sent, and then when it is received, it’s printed again and then scanned into another electronic system. Not only is this cumbersome, but it creates two additional paper copies of sensitive information, which then need to be either securely stored or destroyed.
Finally, cloud faxing also helps improve the mobility of providers. When providers can receive faxes via secure email, there is less downtime waiting for important information, and patients can be seen and cared for more quickly. This might, in fact, be the greatest benefit to cloud faxing: The improvement of patient care.
Of course, not all cloud and Internet faxing solutions are the same, and it’s important for HIPAA-covered entities to choose carefully. Look for a provider who specifically outlines their security measures and HIPAA compliance tactics. And since cloud faxing vendors will have access to sensitive information, you will need to choose one who will sign a Business Associate Agreement, essentially agreeing to be bound by compliance rules as well. However, the legwork will be well worth it when your practice is both more secure and more efficient, as well as more compliant with HIPAA.