Over the years I’ve had a lot of organizations ask me about whether HIPAA applies to faxes, copy machines, and other types of specific technologies. It is very important that covered entities (CEs), business associates (BAs) and their subcontractors understand that HIPAA applies to protecting the information! It doesn’t matter what the conduit is for how the information is transmitted, or where it is stored or accessed from. The important point is that protected health information (PHI), in all forms, must be protected. The Security Rule applies to only electronic data, but the Privacy Rule and HITECH apply to all forms of PHI. Okay; let’s keep this in mind when considering the following question I got earlier this week from a HIPAA business associate…
I am going crazy trying to determine if sending a fax is covered under the act. I have a medical provider who wants us to send faxes to them instead of encrypted email to avoid HIPAA and HITECH. So, do HIPAA and HITECH cover faxing?
So, keeping in mind that HIPAA applies to the information, yes indeed, HIPAA and HITECH apply to information sent via fax! You must ensure you have appropriate policies, procedures and protections in place to address and feasibly mitigate the risks to PHI for how your organization sends, and receives, PHI via fax transmissions. Consider the risks.
1) Most stand-alone fax machines are no longer just paper-based point-to-point transmission devices that work over phone lines. Most fax machines now store the transmission of a fax as an electronic image within the fax machines; the one sending and the one receiving. So anyone with access to the machine could access the fax transmissions if the machine is not appropriately secured.
2) Many, perhaps most, faxes are now sent and received using fax servers, capable of storing literally millions of fax images. PHI within these fax servers have the same risks as data stored in fileservers. If someone can use or access a fax server, then they may also be able to access the faxes stored on the server if the access controls have not been set appropriately.
3) Since faxes now pass through networks (not just the Internet, but also corporate networks and business-to-business intranets) increasingly more often, they are vulnerable to unauthorized access through those networks. So if someone is sniffing the network traffic, they will be able to see unencrypted fax transmissions.
4) And the long-standing risk of having print faxes accessed inappropriately in a fax machine where it was received, or where someone sent a paper fax and didn’t take the document away after the transmission, still exists in large numbers of organizations.
You must address these risks if you are using fax transmissions for PHI, or for any other type of sensitive information for that matter. How to do this? At a high level:
1) Identify all the ways in which faxes are used to send and receive information within your organization, along with the associated risks.
2) Establish new policies, or update existing policies, to address and mitigate the identified risks.
3) Create detailed procedures to support the fax policies appropriate to each area where the faxes are sent and received.
4) Implement appropriate technologies to protect PHI and other sensitive information during fax transmissions and while in storage.
5) Provide regular training and ongoing awareness communications to personnel so they know the policies, and have access to the procedures to follow to ensure faxes are sent and received securely, while also meeting HIPAA, and other regulatory, compliance requirements.
Tags: Compliance Helper, fax, privacy rule, Rebecca Herold, security rule