HIPAA – Health Insurance Portability & Accountability Act and how it applies to faxing
In 1996 Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Title II of the Act sets the privacy and security rules for protected health information (PHI). Under those rules, fax transmission remains one of the few long-accepted methods for sending health records electronically, provided the required safeguards are in place.
E-mail is generally considered insecure because of the way messages are stored on mail servers and because e-mail accounts can be compromised remotely with relative ease. To be HIPAA-compliant, a provider must be able to share medical information with appropriate safeguards. When it comes to faxing, HIPAA requirements mandate certain safeguards to make sure that information transmitted by fax, including online fax, is protected. Those requirements range from including a cover sheet to verifying destination numbers before sending.
THE TOP PROVIDERS OF HIPAA-COMPLIANT ONLINE FAX SERVICES
We have reviewed over two dozen of the top online fax brands on the market and consolidated our findings on this site. Use our comparison chart of the top HIPAA compliant services below to make a quick decision on the best online fax service for your needs.
Who Needs a HIPAA Compliant Fax Service?
Any business that transmits or stores health information will need a HIPAA compliant service. That includes healthcare providers and professionals, pharmacies, and insurance companies, as well as the business associates that handle PHI on their behalf.
Online faxing automatically satisfies several of the provisions HIPAA requires for secure faxing: faxes are stored in your secure online account rather than sitting in a machine's output tray, many online providers maintain transaction logs, and there are no physical fax machines to move into secure areas.
HIPAA has a number of requirements for those who fax health records to make sure the information is protected. The HIPAA conditions that must be met include:
- All fax machines are to be placed in a secure area and are not generally accessible.
- Only authorized personnel are to have access and security measures should be provided to ensure that this occurs.
- Destination numbers are verified before transmission.
- Recipients are notified that they have been sent a fax.
- Include a cover sheet clearly stating that the fax contains confidential health information, is being sent with the patient’s authorization, should not be passed on to other parties without express consent, and should be destroyed if it reaches someone other than the intended recipient.
- Patient data should appear only in the body of the faxed document, never in the header, subject, or notes fields of the transmission, since those fields are commonly written to logs and notification e-mails.
- Faxes are to be sent to secure destinations; i.e., the fax machine of the recipient must be in a secure location, accessible only by those authorized to receive the information.
- Maintain a copy of the confirmation sheet of the fax transmission, including the necessary data such as time and recipient’s number.
- Confirm fax delivery by phoning the recipient.
- Received faxes are to be stored in a secure location.
- Maintain transmission and transaction log summaries.
While the list of requirements to maintain HIPAA compliance may seem daunting, several online fax services are built around HIPAA standards and have already addressed many of these requirements for you. For example, many online fax services maintain fax transmission and transaction log summaries automatically. They also store faxes for you in a secure place by putting them into your secure online dashboard. Although there are still manual steps that need to be taken for full compliance (e.g. confirming fax delivery by phoning the recipient), secure online fax services can take the majority of the hassle out of following these regulations.
What Does It Mean To Have a Business Associate Agreement?
A Business Associate Agreement (BAA) is a contract between a HIPAA covered entity (a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically) and a business associate, meaning any organization or person that creates, receives, maintains, or transmits protected health information (PHI) on the covered entity’s behalf. The BAA makes the business associate (for instance, a fax provider) contractually accountable for protecting the PHI it handles or transmits.
Some fax service providers advertise HIPAA compliance but won’t sign a BAA. Many of them rely on the conduit exception: a service that merely transmits PHI, in the way the postal service or an internet service provider does, and has only transient access to it is excluded from the definition of a business associate. HHS treats that exception as narrow; it does not cover a service that stores PHI beyond the temporary storage incidental to transmission.
RingCentral, for instance, asks HIPAA-regulated customers to adopt a HIPAA Conduit Setting, an agreement specifically for transmission of sensitive data. Under it RingCentral takes certain steps, including automatically deleting all messages and calls after 30 days, disabling SMS messaging, and disabling attachment of voicemail audio files and fax images to message notification e-mails. RingCentral’s position is that, by adhering to those practices, it is not handling patient data in the way a business associate does and so is not liable as one for its security.
The conduit agreement RingCentral provides lets it claim HIPAA compliance without a BAA in place, although some customers are uncomfortable not having that contractual safeguard.
The 2013 Omnibus Rule, which implemented the HITECH Act’s changes to HIPAA, made business associates and their subcontractors directly liable for Security Rule compliance and tightened the obligations of anyone who transmits or handles patient health information. For HIPAA-covered entities and their business associates, it is worth a close look at the fax provider’s policies and the updated regulations to make sure HIPAA compliance is not in name only.
If you’re a business that handles patient documents, you can use a provider that won’t sign a BAA, but only if you understand what safeguards are in place and can confirm that the provider is genuinely acting as a conduit. Simply saying a service offers “encryption” isn’t enough: ask how data is encrypted both in transit and at rest, and who holds the keys. The provider must also be able to show that it is not storing protected health information beyond what is incidental to transmission. If your faxes sit in an online account on the provider’s servers, the provider is maintaining PHI on your behalf, the conduit exception does not apply, and you should insist on a BAA.
These online fax services will sign a Business Associate Agreement:
These services offer HIPAA compliant technology, but will NOT sign a Business Associate Agreement: