Health Information Compliance Alert

Security:

Know The Facts About Faxing

Send the right messages with these simple tips

 
Faxing: You do it every day - but can you really be sure the number you just punched into your machine will reach its intended recipient? Errant faxes containing patients' PHI occur much more frequently than you may think. Following these tips will ensure your staff are sending the right messages:

GET YOUR POLICY IN GEAR 

First, make sure your organization has drawn up documented policies and processes detailing how faxes that contain protected health information are to be sent, and be sure to have your staff sign whatever policy you write.
 It's important that you create an auditable trail to keep track of when physicians migrate to different offices (and, hence, to different fax numbers). An auditable fax log is a great document to have in the event that an unauthorized disclosure occurs - say, if PHI is faxed to an incorrect location, notes Fred Langston, senior principal consultant with Guardent in Seattle. The fax log could be as simple as a sheet of paper placed next to your fax machine that includes the number, date and time the fax was transmitted. Make certain that your fax policy describes the way in which the fax log is used, he advises.
         
VERIFY THE NUMBER

Langston says having a procedure that verifies a physician's (or other recipient's) current location prior to sending your fax is the best action you can take to ensure a secure transmission.
 
But just how should you perform this verification? Call and verify the fax number personally prior to faxing any PHI, says Sharon Budman, University of Miami privacy ombudsman. She says it's up to the person sending the fax to verify the number is correct.
 

COVER YOURSELF WITH A COVER SHEET

Budman says the university has a fax cover sheet that contains specific disclaimers (see sample cover sheet). The cover sheet should include both receiver and sender information, contain a space for "special instructions" and include a "notice of disclosure" and a statement that the fax is intended only for the designated recipient named above.
 

PLACE MACHINES IN SECURE LOCATIONS

Prior to the creation of HIPAA, Budman says it was not uncommon to find fax machines in locations you would never think of, such as your waiting room areas. Now that's all changed, she claims. "The regulation requires that fax machines be located in secure areas now. For example, they should not be in open waiting areas or located in a hallway so that anyone could walk up to the fax machine and pull the data from it."
 

TRAIN YOUR PERSONNEL

Sure, faxing seems easy enough to do, but remember: One unauthorized disclosure of PHI could result in an enforceable offense for your organization. Budman says the university makes an effort to train its entire staff - that includes temporary employees - how to send faxes properly. "They need to [know how to] verify the number, they need to use a cover sheet before they fax the information and they need also to have proper authorization to fax, if applicable," she notes.
 
Budman says the university has HIPAA liaisons in each one of its clinical departments, and each liaison is responsible for the coordination of training with the privacy office for all of their employees.
 

RESOLVE ERRORS QUICKLY, QUIETLY

Accidents happen, and not addressing them quickly and efficiently is not only bad policy, but could also add salt to compliance-related wounds. If an incident occurs in which PHI is wrongfully disclosed, your sanctions policy - and, incidentally, you're required to implement one under HIPAA - will help to resolve staff errors or misconduct.
 
"With policies and procedures that are not followed, the employee and the divisional area are certainly subject to remediation in training. HIPAA dictates that covered entities have sanction policies on how to handle workforce employees who do not follow policy or uphold the law," says Budman.  
 
And remember: If a wrongful disclosure does occur, it's not necessary in every situation to inform the patient of your mistake. You don't want to needlessly anger a patient if your error can be resolved with no harm done. "If a disclosure of PHI is made, you want to do the best thing possible to protect the patient, but it depends on what was sent and who it was sent to. If you know to whom it was sent and you get [the document] back, get it back. If you don't know to whom it was sent, or you can't track it down and it contains sensitive medical information (e.g., HIV results), then you may need to notify the patient, in order to mitigate the damage. Check your state law about appropriate notification procedures for certain test results," says Barb Cluster, compliance auditor at Greene Memorial Hospital, Inc. in Xenia, OH.
 
Editor's Note: Think faxing errors aren't common? During the first week of October, Eli Research received an errant fax transmission containing a hospital patient's blood test results. The fax contained the patient's name, sex, social security number and much more identifying information.

More Tips! (For more guidelines on how to safeguard PHI when faxing, take a look at the 9 tips presented on "Guidelines for Using Fax Machines", this issue).