As many businesses upgrade to electronic fax, they should reevaluate their processes to ensure they meet HIPAA requirements. Failure to follow HIPAA rules can result in disruptions to your business, hefty fines, or worse.
The Health Insurance Portability and Accountability Act (HIPAA) consists of three rules that form its foundation. The first two rules restrict unauthorized people from accessing health records, while the third dictates what firms should do in the event of a data breach.
The HIPAA rules that govern protected health information (PHI) and electronic PHI (ePHI) are the privacy and security rules. The obligation to maintain compliance rests with the provider, not with the electronic health record vendor. Practitioners must comply with all local and state guidelines and HIPAA requirements.
The privacy rule applies to any entity that handles PHI in any format. Examples include healthcare providers, clearinghouses, insurers, and their business partners. Even businesses that do not keep EHR or other electronic files must still comply with the privacy rule.
This rule generally limits the use of protected health information to obtaining medical treatment or paying for it. For purposes other than treatment, entities must minimize their use of PHI. As part of the HIPAA requirements, all business associates are also required to maintain HIPAA compliance. Patients have the right to access their health information at any time and learn how entities with access to the PHI use the data.
The security rule applies to anyone who creates, transmits, receives, stores, or maintains ePHI. This rule governs how covered entities may use ePHI. The three main tenets of this rule are:
Availability: Patients can access their ePHI at any time.
Confidentiality: Only patients or other authorized persons have access to ePHI.
Integrity: Information in ePHI cannot be changed by unauthorized individuals or in unauthorized ways.
Identifying and mitigating security risks, ensuring employee compliance, and protecting against imminent data breaches or unauthorized disclosures are other aspects of the security rule. Consequently, the security regulation emphasizes network security, encryption, and other approaches to preventing data breaches.
The final aspect of HIPAA is the breach notification rule, which defines who covered entities must contact in the event of an unauthorized access to PHI or ePHI. Most entities must contact the affected individual or individuals, HHS, and sometimes the media.
According to HIPAA, healthcare clearinghouses, providers, and health plans must comply with these rules to protect patient information. In addition, any company working with covered entities and handling PHI or ePHI shall enter into a business associate agreement (BAA) and meet all HIPAA guidelines.
This means that any provider who faxes information that contains patient information will be covered under HIPAA. If the provider uses a cloud-based fax service to store or send patient information, that service will also need to comply with HIPAA requirements.
Whenever a covered entity or business associate sends or receives a fax containing individually identifiable information, HIPAA requirements must be followed. A covered item is information that can identify the patient such as a name, social security number, birth date, or address. It also includes information about a patient's physical and mental health conditions, treatment, and payment in the past, present, and future.
In the event you don't comply with HIPAA, you may be subject to a complaint or a breach. Many of these complaints are outside the jurisdiction of the Office of Civil Rights (OCR) and don't involve covered entities. These cases resolve quickly after the OCR reviews them and determines that no investigation is needed.
If the OCR determines that a possible violation of HIPAA occurred, it will open an investigation into the business. For cases of criminal violations of HIPAA, it will turn the case over to the Department of Justice (DOJ) for review.
If the OCR does find a HIPAA violation, it will resolve the matter with the covered entity in one of three ways:
Voluntary compliance is when a business voluntarily updates its security and prevents future violations within the time required by the OCR. Businesses that make the necessary changes during the time they have to notify the OCR of a breach or during the investigation will only receive technical assistance to ensure future compliance.
In the event that businesses fail to take corrective action within the specified time or do not take the necessary steps, OCR may impose penalties.
In some instances the OCR may require that the business be monitored by HHS for compliance for up to three years and pay a resolution agreement. For example, a medical practice was forced to pay $100,000 following a security breach for failure to conduct a risk assessment or take appropriate measures to reduce the risk of future breaches.
HIPAA mandates that covered entities that share PHI with third parties have a contract in place that protects the information and follows HIPAA guidelines. This contract is known as a business associate agreement.
Businesses who have a BAA with a covered entity do not need to be in the medical field. Examples of business associates might include:
- A freelance medical transcriptionist
- Lawyers who consult with covered entities and can access PHI or ePHI
- Accountants who may have access to PHI or ePHI from a covered entity
- Third-party health care claims processors
- Cloud-based companies that store or transmit ePHI, such as cloud fax services
- Any other third parties that may have access to ePHI or PHI in any capacity
The BAA guarantees that all business associates will only use the ePHI or PHI they have access to for approved and minimal purposes. Patients must sign an agreement to allow the covered entity to use their information in any other manner.
Online fax services, such as mFax, are HIPAA compliant because they implement high levels of security to protect ePHI. It is always wise to thoroughly review the security information of any cloud fax provider since not all will take the same measures to protect ePHI and other transmitted data.
First, mFax only allows authorized personnel to access transmitted data via a secure web portal that requires authentication to log on.
Furthermore, all transmitted and stored data undergoes 256-bit SSL and AES encryption with Transport Layer Security 1.2, keeping it secure throughout the delivery and receipt process. Encryption also assures that only those with authorized keys can decrypt the data.
To restrict access to the system, an administrative control can limit which IP addresses are allowed to log in. Automatic time-outs for idle sessions prevent unauthorized users from accessing information on shared computers. In addition, the system automatically creates audit trails of every IP address and user accessing the system.
No matter the type of faxes you send out, here are some basic security protocols to make sure your company's faxed information is secure, whether in paper or electronic format.
Cover sheets are vital for maintaining compliance. The cover sheet must indicate that the fax contains confidential information intended only for the recipient. In one case, the OCR found that a physician's office had sent information on the HIV status of a patient to their workplace fax number rather than their new provider. The OCR ordered the practice and provider to apologize to the patient, revise its cover sheet, and retrain its office staff for this accidental delivery.
While this practice was only required to make corrections to their methods, if an entity was investigated and failed to do so, the OCR could levy civil money penalties.
Remove faxed material from the fax machine tray as soon as it is completed to prevent it from being accessed by unauthorized personnel.
In cases of security breaches, the OCR will need to conduct an investigation. A detailed audit trail will help them to trace potential sources of the breach. HIPAA requires the creation of audit trails under the security rule for tracking who has access to ePHI.
Some machines, such as network-connected multifunction printers and fax servers, may not be secure. If the equipment includes a hard drive that stores faxes in a queue, confirm that the drive fully encrypts all data. When faxes remain on the hard drive unencrypted, the security rule could be violated since anyone with access to the hard drive could potentially read the faxes.
The same security concerns apply to open networks that connect to these devices. An open network and unencrypted hard drive on a multifunction printer could result in a security breach or a failure to meet HIPAA's requirements for transmission security of ePHI.
Traditional fax machines may leave sensitive information exposed. They also lack a comprehensive audit trail detailing who has accessed the information and when. Additionally, network-connected faxes or multifunction printers have security holes when they do not encrypt data on their hard drives, even if the devices ultimately send files over secure telephone lines.
Cloud fax is a more secure way to transmit information and to meet the requirements of the HIPAA fax rules, which apply to all PHI and ePHI.
When it comes to data security, businesses operating in regulated industries can’t trust their sensitive information to just anyone. You need a partner you can trust. The mFax platform was built for security.
With state-of-the-art encryption, full audit trails, and advanced user access controls, you can be sure all your faxes are safe and compliant.