Health Information Compliance Alert

Reader Question:

Are Electronic Faxes Considered ePHI? Find Out

Question: Our office is looking into switching over to electronic faxes exclusively. However, before we make the switch, I want to understand the best way to secure information that we send and receive. How do we protect inbound and outbound information faxed electronically?


Answer: Once a fax becomes electronic, it is considered electronic protected health information (ePHI). Therefore, you must develop proper access controls so that only authorized users can see that document.

Best practice: Store faxes on a central server where users can know that the intended fax recipient received the information. Ensure that the server is well-secured and protected. If you’re using an outside vendor, make sure the vendor is compliant with the HIPAA rules.

“… the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules,” HHS Office for Civil Rights (OCR) says.

Don’t forget that you’re responsible for protecting outbound faxes as well. A best practice: Establish a validation procedure so that if a patient asks you to fax her something, you can determine that it is an authentic request.

Bottom line: What you don’t want is someone to just call up and obtain confidential information. Make sure that you have procedures in place to ensure that you send faxes to the right place. And when an e-fax is received, be sure it has the same protections as the rest of your ePHI.
