HIPAA-compliant faxing came to the forefront as HIPAA changed the way health care organizations send, receive, and manage confidential information. Unmanaged hard-copy paper workflows are insecure and a liability, so organizations need alternatives for exchanging and tracking protected health information (PHI).

Is faxing HIPAA-compliant?

Faxing can be HIPAA-compliant. A traditional fax call is a point-to-point transmission over the telephone network, and the carriers that complete it (and much IP fax infrastructure) are treated as conduits: they carry PHI but do not access it. A service that stores or converts fax content, such as an email-to-fax gateway or a hosted fax platform, is handling PHI rather than merely carrying it and generally needs a business associate agreement. And compliance does not stop at the line: HIPAA also requires safeguards before a fax is sent and after it is received.

A central goal of HIPAA is that healthcare organizations build the infrastructure and procedures (administrative, technical, and physical safeguards) that keep patient information away from unauthorized parties while still delivering it to authorized ones.

HIPAA does not prohibit the use of fax machines to communicate PHI. In fact, the point-to-point nature of fax makes it a practical choice when EDI or a secure portal isn't feasible.

However, the information is subject to strict rules protecting its privacy and security at the point of dispatch, in transit, and at the point of delivery.

But what, exactly, does HIPAA require?

The rules mostly call for "reasonable and appropriate" safeguards rather than prescribing specific technology, so there is no precise definition. Best practices have nonetheless emerged for faxing, as for every other facet of HIPAA.

Here are a few of the most common.

  • Fax machines are placed in a secure area that is not generally accessible.
  • Only authorized personnel have access, with controls in place to ensure this.
  • Destination numbers are verified before transmission.
  • Recipients are notified that a fax is being sent to them.
  • A cover sheet states clearly that the fax contains confidential health information, is sent with the patient's authorization, must not be passed to other parties without express consent, and must be destroyed if received by anyone other than the intended recipient.
  • Patient data goes in the fax body only, never in header or cover-sheet fields such as the subject line, which anyone handling the page can see.
  • A copy of the transmission confirmation sheet is kept, including the time and the recipient's number.
  • Delivery is confirmed by phoning the recipient.
  • Received faxes are stored in a secure location.
  • Transmission and transaction log summaries are maintained.

The above are not definitive, authoritative, or comprehensive; they’re not legal advice. Rather, they’re just some of the most common practices we’ve observed among healthcare organizations that fax regularly.

HIPAA risks with traditional fax methods

Manual faxing is fraught with risk. Despite the best intentions, it is not realistic to uphold all of the measures above, let alone every other control, 100% of the time.

For instance, consider the difficulty of systematically addressing any one of the following risks, let alone all of them.

  • Incoming faxes need to be removed from the output tray immediately and delivered to the recipient to reduce the chance of inappropriate use or disclosure.
  • Pre-programmed fax numbers need to be validated periodically, and regular recipients contacted to confirm their number has not changed; a stale speed-dial entry sends PHI to whoever now holds the old number.
  • The destination fax machine may be in a secure location but still accessible to a number of people.
  • Hard copies must be filed securely.
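The destination-verification, header and logging practices from the checklist above and the risk list just before this point can be enforced in software rather than left to habit. The following Python gate is an added illustration, not RightFax's or any vendor's code: it refuses to send to a number that is not in a verified directory or whose verification is stale, rejects header fields that appear to carry patient data, writes a log row for every attempt (blocked ones included), and records the follow-up phone confirmation. The directory entries, the 90-day re-verification window, the sample requests and the header patterns are all constructed assumptions.

```python
"""Pre-transmission gate and transmission log for outbound faxes (added example)."""
import re
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Dict, List, Optional

REVERIFY_DAYS = 90  # assumed policy: re-confirm each programmed number quarterly
SAMPLE_NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed clock for the sample run

# Heuristics for data that must stay in the fax body and out of header or
# cover-sheet fields. Assumed examples, not an exhaustive PHI detector.
HEADER_PHI_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),           # SSN-shaped value
    re.compile(r"\b(dob|date of birth)\b", re.I),   # date-of-birth label
    re.compile(r"\b(mrn|medical record)\b", re.I),  # record-number label
)

@dataclass(frozen=True)
class Destination:
    number: str        # digits only, country code first, e.g. "12025550143"
    organization: str
    verified_on: date  # last date the number was confirmed with the recipient

@dataclass
class TransmissionRecord:
    """One row of the transmission log, written for every send attempt."""
    requested_at: datetime
    number: str
    organization: Optional[str]
    pages: int
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    delivery_confirmed_by: Optional[str] = None  # who phoned the recipient

def normalize_number(raw: str) -> str:
    """Reduce a typed number to digits; assume US (+1) when ten digits are given."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) < 11:
        raise ValueError(f"not a complete fax number: {raw!r}")
    return digits

def header_violations(header_fields: Dict[str, str]) -> List[str]:
    """Names of header fields whose values look like patient data."""
    return [name for name, value in header_fields.items()
            if any(p.search(value) for p in HEADER_PHI_PATTERNS)]

def check_outbound(raw_number: str, header_fields: Dict[str, str], pages: int,
                   directory: Dict[str, Destination],
                   now: Optional[datetime] = None) -> TransmissionRecord:
    """Gate one outbound fax: known destination, fresh verification, clean headers.
    The caller sends only when record.allowed is True and logs the record either way."""
    now = now or datetime.now(timezone.utc)
    number = normalize_number(raw_number)
    dest = directory.get(number)
    reasons: List[str] = []
    if dest is None:
        reasons.append("destination not in the verified directory")
    elif (now.date() - dest.verified_on).days > REVERIFY_DAYS:
        reasons.append(f"destination last verified {dest.verified_on}; re-verify before sending")
    bad = header_violations(header_fields)
    if bad:
        reasons.append("patient data in header field(s): " + ", ".join(bad))
    return TransmissionRecord(now, number, dest.organization if dest else None,
                              pages, not reasons, reasons)

def confirm_delivery(record: TransmissionRecord, confirmed_by: str) -> TransmissionRecord:
    """Record the follow-up phone call confirming the recipient got the fax."""
    if not record.allowed:
        raise ValueError("cannot confirm delivery of a blocked fax")
    record.delivery_confirmed_by = confirmed_by
    return record

# Constructed directory: one fresh entry, one overdue for re-verification.
DIRECTORY = {d.number: d for d in (
    Destination("12025550143", "Example Clinic Records Dept", date(2024, 5, 1)),
    Destination("13125550198", "Example Payer Claims Intake", date(2023, 11, 12)),
)}

# Constructed send requests: (typed number, header fields, page count).
SAMPLE_REQUESTS = [
    ("(202) 555-0143", {"subject": "Records request #4471"}, 3),
    ("312-555-0198", {"subject": "Claim for J. Doe, DOB 01/02/1960"}, 5),
    ("202-555-0199", {"subject": "Referral"}, 2),
]

def sample_run(now: datetime = SAMPLE_NOW) -> List[TransmissionRecord]:
    """Run the gate over the constructed requests and return the log rows."""
    return [check_outbound(num, hdr, pages, DIRECTORY, now)
            for num, hdr, pages in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for rec in sample_run():
        print(rec.number, "ALLOW" if rec.allowed else "BLOCK", rec.reasons)
```

Running it shows the first request allowed, the second blocked for both a stale directory entry and a DOB in the subject line, and the third blocked because the number was never verified. The point of returning a record even for blocked attempts is that the transmission log then doubles as evidence that the controls were applied, which is what an auditor asks for.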

RightFax as a HIPAA-compliant fax service

RightFax is the leading fax server among healthcare providers and insurers alike. However, it can be difficult to implement effectively at a large scale.

Our Private Fax Cloud™ architecture is a fully managed, RightFax-based fax service for healthcare organizations. It facilitates HIPAA compliance by building a comprehensive audit trail and removing the manual variables from fax handling.

Whether you’re fortifying HIPAA compliance, considering fax-over-IP, or otherwise rethinking faxing, we’re here to help you accomplish those compliance and workflow goals with RightFax.

Please contact us to schedule a free consultation with a solution architect.