Faxcompare Blog

HIPAA Compliance and Business Associate Agreements

December 2, 2014/in Online Fax /by KateH

For some businesses faxing on a regular basis, security and regulations play a role in determining which provider to use. That’s especially true for medical fields, which must comply with the Health Insurance Portability and Accountability Act (HIPAA). While several online fax service providers provide HIPAA-compliant services, only some enter into what’s called a Business Associate Agreement. So what does your business need to know about Business Associate Agreements if you’re looking for a HIPAA-compliant service?

What a HIPAA Business Associate Agreement Does

A Business Associate Agreement (BAA) is a contract between a HIPAA covered entity – any organization or business that handles personal health information – and a business associate, which means any organization or person providing services to the HIPAA entity. The BAA ensures that the business associate (for instance, a fax provider) is accountable for protecting the personal health information it is handling or transmitting.

Once the HITECH Act of 2009 went into effect, and again when it and HIPAA were modified in 2013, business associates became subject to more stringent guidelines. Business associates working with HIPAA-covered entities are now subject to audits by the Office for Civil Rights, which oversees HIPAA. Business associates can be held accountable for data breaches, and penalized for noncompliance.

What That Means When It Comes To Fax Service Providers

Some fax service providers offer HIPAA compliance, but won’t sign a BAA. Many of them maintain their compliance even without the BAA by acting as a simple conduit for information, meaning they are excluded from the definition of a business associate per HIPAA’s language.

RingCentral, for instance, asks HIPAA-regulated customers to sign a HIPAA Conduit setting specifically for transmission of sensitive data. That agreement ensures that RingCentral takes certain steps, including automatically deleting all messages and calls after 30 days, disabling SMS messaging, and disabling attachment of voicemail audio files and fax images to message notification emails. By adhering to those practices, the company is not technically handling patient data, and cannot be held liable for its security.

The conduit agreement RingCentral provides does allow them to claim HIPAA compliance without a BAA in place, although some feel nervous about not having that extra safeguard.

“If you use a cloud-based service, it should be your business associate,” David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, said in this Yahoo small business article. “If they refuse to sign, don’t use the service.”

With the new 2013 Omnibus modification to the HIPAA/HITECH Acts, more security and safeguards are required of anyone who transmits or handles patient health information. For some HIPAA-covered entities or businesses, it may be worth a close look at the fax provider’s policies and the updated HIPAA regulations to make sure HIPAA compliance is not in name only.

If you’re a business that handles patient documents, you can use a provider that won’t sign a BAA. However, if you do so, make sure you understand what safeguards are in place to ensure that the fax provider is indeed adhering to HIPAA regulations. For instance, simply saying a service offers “encryption” isn’t enough, since data must be encrypted both in transit and at rest to be HIPAA-compliant. The fax provider must also be able to show that it is not storing personal health information.

If that sounds like too many potential loopholes, then it may be best to seek out a fax provider that does offer to sign a BAA. Below is a list of services that do and do not sign BAAs:

These online fax services will sign a Business Associate Agreement:

  • SRFax
  • FaxAge

These services offer HIPAA compliant technology, but will NOT sign a Business Associate Agreement:

  • RingCentral
  • eFax
  • Fax87
  • MaxEmail

Sending Documents By Fax Versus Email: Which Is Better?

September 8, 2014/in Online Fax /by KateH

In today’s digitally-driven business world, many people ask, “why fax at all?” If online fax services give an email address the ability to send and receive faxes, why not just send an email? It’s a reasonable question.

While it may seem that there’s little difference between sending a document via online fax versus sending it as an email attachment, there are some specific nuances that do make the two methods very different. And for some industries, those differences mean sending documents via fax – online or traditional – is still the preferred choice.

Medical Security

Online faxing and traditional faxing are both key to medical fields because they offer a way to send and receive patient information that’s compliant with the Health Insurance Portability and Accountability Act (HIPAA). While email isn’t strictly prohibited under the HIPAA Security Rule as a means to send electronic patient health information, it’s much harder to ensure that patient information is adequately protected when sent by email. Therefore, faxing has become the preferred method for sharing patient information by medical professionals.

Several online fax services offer specific HIPAA-compliant features, which include various levels of safeguards: the services act as a Business Associate, which means they are qualified to send messages and content related to personal health information; they use encryption; and they use firewalls to ensure network security.

When You Need A Signature, Fast

The medical field isn’t the only industry that relies on faxing – financial services, law offices, and real estate professionals are also big fans of the fax. Some industries, like student loan providers, say they would lose track of communications if they came in over email. Many lawyers also use fax machines because some courts accept fax signatures in place of original signatures, but don’t accept signature copies sent via email. Faxes also offer confirmation of receipt, which can be important if a lawyer needs legal proof that a recipient actually received a fax.

And the fax has its moment in the spotlight every February when high school athletes send their letters of intent to colleges and universities on National Signing Day.

Online fax services can also send documents to standard fax machines. That’s key for lawyers or Realtors, who need documents signed. eSigning features on many online fax services mean “documents that need an immediate signature or response can be sent online, then signed electronically, and returned straight away,” says an eFax blog.

One thing that may change faxing’s advantage over email, at least when it comes to security concerns, is encrypted email. Email encryption software can make emails more secure and in some cases make emailed transmissions compliant with certain security requirements. Some policy-based filters automatically encrypt emails that are sent from employees’ accounts, and most work across platforms and popular business applications.

Nonetheless, it seems that for businesses that want hard copies, are sold on the extra security of faxing, or need signatures exchanged quickly, the fax still holds the advantage over email.

Top Large Volume Online Fax Services with HIPAA Compliance

August 5, 2014/in Online Fax /by KateH

When you’re choosing the right online fax service for your company, it helps to narrow things down by looking at services based on your specific needs. Fortunately, there are plenty of services out there that offer a range of features. Here, we take a look at large volume fax plans that offer Health Insurance Portability and Accountability Act (HIPAA) compliance. While encryption and security are often included in online fax plans, HIPAA regulations adhere to a specific set of guidelines. The following services both offer large volume plans and comply with HIPAA regulations.

  • SRFax is a user friendly, HIPAA compliant fax service that will also sign Business Associate Agreements on request. They offer several different pricing plans, the largest of which is the Business 2500 plan that includes 2,500 sent and received fax pages for $39.95 per month or $329.40 per year (effectively $27.45 per month).

SRFax also has a Business 1500 plan that includes 1,500 pages for $29.95 per month or $287.40 per year (effectively $23.95 per month).

For companies that need more than 2,500 fax pages per month, SRFax offers customized plans that are quoted individually via the contact form on their corporate fax solutions page.

SRFax doesn’t charge a setup fee and offers a 60 day free trial to test their services.

  • FaxAge is another online fax provider that offers several large volume plans, all with HIPAA compliance. Its “Toll-Free 1500” plan runs $19.95 per month, and includes 750 incoming pages and 750 outgoing pages for unlimited users. If your business sends a large number of faxes and prefers a toll-free number, this is a good plan.

FaxAge’s “Small Office” plan gives you 5,000 pages in and 400 pages out for $29.95 a month. While that plan is somewhat less flexible than others, it’s a great option if you know you’re only going to be sending a moderate number of faxes compared with what you’ll need to receive.

FaxAge also offers two Unlimited plans: “Unlimited Inbound,” which for $19.95 a month gives you 5,000 incoming pages and 0 outgoing pages, and “Unlimited” for $64.95 a month, which includes 5,000 total incoming and outgoing pages.

All of FaxAge’s plans are HIPAA compliant, and include unlimited storage of sent and received faxes and the ability to preview faxes before sending. Local numbers are available in 48 states, and primary customer support is U.S.-based. However, FaxAge’s plans do not include a free trial, and do include a $5 start up fee.

  • (HelloFax removed their HIPAA compliance option) HelloFax’s “Small Business” plan is HIPAA compliant and includes 1,000 total pages to unlimited users for $39.99 per month, or $33.33 per month with an annual prepayment.

HelloFax’s pros include the ability to eSign documents from your browser, a 30-day free trial, and the ability to preview faxes before sending. Cons include no phone support and no mobile apps, and a relatively high price for the number of pages included in the plan.

 

 

 
