Oncology & Hematology Coding Alert

Reader Question:

Take These Steps to Protect ePHI

Question: My practice plans to switch over to exclusively using electronic faxes, but before we make this switch, I want to make sure that I understand how to secure the information that we send and receive. Do you have any advice for how we can protect inbound and outbound info that we fax electronically?
Texas Subscriber

Answer: First of all, once a fax becomes electronic, it is considered electronic personal health information (ePHI). You must develop proper access controls so that only authorized users can see that document.

Solution: Your practice should store faxes on a central server where users have the ability to know that the intended fax recipient actually received the information. Ensure that the server is well secured and protected. If you’re using an outside vendor, make sure the vendor is compliant with the Health Information Portability and Accountability Act (HIPAA) rules.

“… the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules,” U.S. Department of Health and Human Services Office for Civil Rights says.

Don’t forget: You’re also responsible for protecting outbound faxes as well. You must establish a validation procedure so that if a patient asks you to fax her something, you can determine that it is an authentic request.

Bottom line: Make sure that you have the proper procedures in place to ensure that you send faxes to the right place. And when an e-fax is received, be sure it has the same protections as the rest of your ePHI.