mFax Security Measures and HIPAA Compliance


All healthcare providers must stay updated on HIPAA requirements and what is needed to comply. Failing to do this leaves the provider open to civil and criminal penalties, some of which can be incredibly severe. When it comes to faxing, online fax services provide robust security measures, helping healthcare providers comply with all HIPAA requirements when transmitting data. The following resources are available to help providers learn more about the security concerns with sending faxes, how online faxing can help, and how to stay on top of the latest in HIPAA changes to comply with all regulations now and in the future.

HIPAA guidelines

All healthcare providers must keep up to date on HIPAA guidelines. HIPAA was initially created in 1996 as a way to help improve the ability of people to obtain and keep health insurance, as well as to combat waste, fraud, and abuse within the healthcare industry. It also helped promote medical savings accounts.

As time went on, HIPAA expanded to include privacy and security rules. The Privacy Rule was put into place in 2003. This rule covered what protected health information (PHI) included and how the PHI would be handled. The rule also included instructions on disclosing PHI, when permission to use PHI would be needed, and how patients could withhold information from health insurance providers if they privately funded their treatment.

Since HIPAA was initially enacted, it has gone through many changes. Some are minor and involve changing or updating the language used, while other changes, like creating the Privacy Rule, are major. Healthcare providers should be aware of minor and major updates, and should make sure they understand how these updates can impact them. By visiting the US Department of Health and Human Services website, healthcare providers can learn more about the current laws and the latest updates to HIPAA.

Sending Faxes and HIPAA

Faxing has been a mainstay of the healthcare industry for many years now. Faxing initially became mainstream when it started using telephone lines in the 1960s, and it wasn't long before it became widely used throughout the medical community. Healthcare providers who were on different systems or had other methods for record-keeping could easily and quickly send information about a patient to another provider. Though there are potential issues with sending faxes the traditional way, this was the best in technology at the time and made it easier for specialists to work together to treat patients.

The biggest issue with faxing is that it's incredibly easy for HIPAA violations to occur. Fax machines must be in a secured location, faxes must be removed from the machine and stored as soon as they arrive, and providers must ensure they have the correct fax number before sending the fax to avoid private medical information being sent somewhere it isn't intended. Healthcare providers will want to look into how their fax machines and sending faxes could break the law to ensure compliance. Or, they may want to opt for online faxing, which can be more secure when the right provider is used.

Using Digital Faxes for a More Secure Option

Instead of using a fax machine and risking the variety of issues that come with it, healthcare providers today are opting to send faxes digitally. With the right online fax provider, it is possible to stay on top of HIPAA Compliance and Security, significantly reducing the risk of mistakes that could be HIPAA violations. Providers like mFax have robust security protocols to protect patients' privacy and help providers comply with all current HIPAA regulations. As HIPAA changes, digital faxing can easily adjust to the new regulations and keep all data secure. Healthcare providers will want to review the compliance and security options for mFax to see how it can help them prevent violations.

Creating a Notice of Privacy

Since the introduction of PHI in the HIPAA regulations, providers have been required to let patients know how their private information will be used. The notice of privacy offers patients the ability to make sure information is used correctly and avoid it being used in certain situations. It also allows patients to dictate who can view their private information and restricts the viewing to healthcare providers and any named person, like a trusted family member.

When creating a notice of privacy, healthcare providers will want to make sure the privacy notice complies with updated HIPAA regulations. It is essential to tailor the privacy practice as needed while still ensuring it includes everything necessary to comply with HIPAA regulations. Healthcare providers can view a model notice of privacy to see how to create one of their own and what should be included in it.

Business Associate Contract Sample

Healthcare facilities often contract with various businesses for many different services. For any vendor or any other company the facility works with, a contract is needed to protect the privacy of patients. Healthcare providers need to make sure the contract details what can and can't be done by the vendor or other contractor. Healthcare providers will want a contract they can use with any business they work with, regardless of the type, to make sure privacy laws are understood and followed. Any providers who need to create this type of contract can view a sample business associate contract and see the language used to create one that complies with HIPAA regulations.

HIPAA Cover Sheets When Faxing

One of the requirements for faxing includes using a cover sheet when sending a fax. This way, if the fax is not picked up from the fax machine in time, no one will be able to glance and see any private information. With digital faxing, cover sheets are still in use, as they provide valuable information about what the fax contains without stating any confidential information on the initial page. Healthcare providers will want to make sure they have everything needed in the cover sheet to comply with HIPAA. They can do this by checking out free templates for cover sheets.

How Encryption Can Help Healthcare Providers

When sending digital faxes, all information should be encrypted. If there is a breach or someone can gain access to the fax, the encryption will stop them from being able to view or use the information. Basically, encryption changes the data so it cannot be accessed without the correct key – something that a hacker will not have available to them. By encrypting the digital fax when it is sent and any information contained in the fax that will be stored in the cloud, it's possible to prevent hackers from being able to steal a patient's private information.

Healthcare providers do not need to understand encryption fully, but it is still a good idea to learn the basics of how it works and how it can help protect data being sent or stored online. With this knowledge, healthcare providers can make sure they are fully compliant with HIPAA whenever they send or receive a digital fax. Providers can check out an article on what encryption is and how it works to better understand the security measures in place to protect data online.

Security Risk Assessment Tool

Security risks are a concern for healthcare providers. Even if they take patient privacy seriously, as they should, and comply with all HIPAA regulations, there is a chance of a security breach or other issues that lead to a violation. Providers must keep on top of the risks for their facility and know what to do to minimize those risks. Unfortunately, with how everything is connected today, knowing the risks and how to reduce them isn't as easy as it used to be. However, healthcare providers can use a security risk assessment tool to help.

Downloadable from the HealthIT government website, the tool is designed to make it easy to do a risk assessment for healthcare providers. All information is stored locally, so there is no risk of data loss or privacy violations through using the program. Nothing is sent or received through the program, preventing any potential breach that may occur when using the software. Once used, the healthcare provider can view the results of the assessment in a report that is designed to help showcase what risks there are and what can be done to mitigate them. The information can then be used to help minimize any potential risks the healthcare provider faces.

In the Event of a Breach

Healthcare facilities have been under attack from hackers in the past, and it's something that will happen again in the future. When hackers gain access to a healthcare facility's computer system, however, they shouldn't be able to access any personal information. According to HIPAA regulations, protected health information should be unusable, unreadable, or indecipherable to anyone not authorized to access it. It is possible to do this by encrypting the data when it is stored and completely eliminating physical or digital copies when they are no longer needed.

If a breach does happen and someone gains access to unprotected PHI, the healthcare provider must report it as quickly as possible. The Department of Health and Human Services has released a guide for healthcare providers detailing how to submit a notice of a breach if it impacts fewer or more than 500 individuals. This guide also includes a link that makes it easy to report breaches, helping healthcare providers stay on top of the issue.

How Complaints about Violations are Processed

When a patient believes their personal information has been used in a way that does not comply with HIPAA, they can create a complaint. The Department of Health and Human Services' Office for Civil Rights (OCR) reviews any complaints regarding HIPAA violations. When a violation is reported, it is reviewed, and the OCR determines if it does not fall under HIPAA or if it is a possible rule violation. They may also decide it is a potential criminal violation and send the information to the Department of Justice.

If the complaint does lead to the discovery of a HIPAA violation, there may be an investigation. At that point, the OCR can work to find the correct resolution to handle the issue. Potential resolutions could include various decisions based on what was found and what the OCR believes needs to be done next. Understanding how complaints about violations are handled is critical, so the Department of Health and Human Services has released a flow chart of the complaint process for healthcare providers to review.

HIPAA Violations – What Happens?

There are various ways for HIPAA violations to be handled, depending on the violation itself and whether the healthcare provider satisfactorily complies with the corrective actions or resolution agreements. In cases where the violation may be a criminal issue under HIPAA guidelines, the information about the complaint can be passed to the Department of Justice for review. For all other cases, the OCR handles the review and resolution process.

In most cases, OCR will try to work with the healthcare provider to comply with HIPAA, to do any corrective actions needed to fix the issues and to come to an agreement for other resolutions that may be required. If the healthcare provider doesn't take action or has willfully failed to comply with HIPAA regulations, they may be required to pay a fine. Healthcare providers should understand the violation process and potential penalties, and can view more information about how OCR enforces HIPAA.

Healthcare providers today have tons of resources to turn to when they have questions or concerns about HIPAA compliance and security. These are a few of the top resources that may be beneficial for providers who need to understand more about HIPAA regulations or who want to be able to easily find more information when it’s needed. When it comes to faxing patient information, providers will want to work with a digital fax service that complies with all HIPAA regulations to avoid the potential for any violations. Healthcare providers can feel at ease when sending or receiving faxes, knowing that the information is secure and that risks are low.