Question: Occasionally a client or patient requests faxed medical records. What are the HIPAA rules for faxing PHI?

Maine Subscriber

Answer: When you send protected health information (PHI), such as a portion of the patient’s medical record, you are responsible for protecting those outbound faxes.

Proceed with caution: Your practice should establish a validation procedure, so that if a patient asks you to fax them or anyone else something, you can determine whether it is an authentic request; for example, verifying the requester’s identity and the destination fax number.

Regarding incoming faxes containing PHI, once a fax becomes electronic, it is considered electronic protected health information (ePHI). When you change the format, you’re required to develop proper access controls so that only authorized users can see that document.

Best practice: You should store faxes on a central server where users have the ability to know that the intended fax recipient actually received the information. Ensure that the server is well-secured and protected. If you’re using an outside vendor, make sure the vendor is HIPAA-compliant. “The covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules,” according to HHS Office for Civil Rights (OCR).

Bottom line: You must have procedures in place to ensure that you send faxes to the right place. Additionally, when you receive an electronic fax, be sure it has the same protections as the rest of your ePHI.