Fax Facts
Guidance:
Although fax equipment and software can enhance the quality of
healthcare by facilitating rapid transmission of clinical information,
this same equipment and software opens up the possibility that
information will be misdirected or intercepted by individuals
to whom access is not intended or authorized. Most federal regulatory
requirements such as HIPAA, the Medicare Conditions of Participation,
and the Confidentiality of Substance Abuse Patient Records do
not specifically address the use of fax equipment or copies. AHIMA's
practice brief on Facsimile
Transmission of Health Information provides some guidance.
OCR's December 2002 final modified Privacy Rule Guidance answers
the question, "Can a physician's office FAX patient medical
information to another physician's office?"
Response: The Privacy Rule permits physicians to disclose
protected health information to another health care provider for
treatment purposes. This can be done by fax or by other means.
Covered entities must have in place reasonable and appropriate
administrative, technical, and physical safeguards to protect
the privacy of protected health information that is disclosed
using a fax machine. Examples of measures that could be reasonable
and appropriate in such a situation include the sender confirming
that the fax number to be used is in fact the correct one for
the other physician's office, and placing the fax machine in a
secure location to prevent unauthorized access to the information.
See 45 C.F.R. § 164.530(c):
Standard: safeguards. A covered entity must have
in place appropriate administrative, technical, and physical
safeguards to protect the privacy of protected health information.
Implementation specification: safeguards. A covered
entity must reasonably safeguard protected health information
from any intentional or unintentional use or disclosure that
is in violation of the standards, implementation specifications
or other requirements of this subpart.
Fax Servers:
The very purpose of a fax server -- to manage the receipt and
delivery of faxes -- is ironic on a computer network that is far
better suited to document exchange than are telephone lines and
reams of paper. In a sense, fax servers are a bridge between the
old way of doing business and the new. But, as long as documents
continue to stampede across this bridge, the fax server market
remains very much alive.
From HIPAAdvisor No. 17: Q & A with Steve Fox, Esq.
QUESTION: Can you offer guidance about sending and receiving
faxes that contain individually identifiable patient information?
Are fax transmissions covered under HIPAA's privacy standards
or do the security standards govern these transactions?
ANSWER: The proposed security standards and the privacy
standards both set forth requirements designed to protect the confidentiality
and privacy of certain health information. Therefore, covered entities
will be required to comply with both of these rules whenever they
send or receive fax transmissions containing individually identifiable
health information, also referred to as protected health information
("PHI").
Essentially, the privacy standards identify and define exactly
what type of information is protected and in what context such information
may be used and/or disclosed. In contrast, the proposed security
standards establish a framework for executing those disclosures
permitted under the privacy standards.
The question being asked requires an examination of the means
by which covered entities will maintain the confidentiality of PHI.
Accordingly, this discussion revolves around the proposed security
standards (the "security standards").
The security standards apply to PHI that is either electronically
maintained or transmitted. These standards require covered entities
to implement:
- administrative procedures, physical safeguards, and technical
security services to guard data integrity, confidentiality, and
availability and
- technical security mechanisms to prevent unauthorized access
to data that is transmitted over a communications network.
Following are some examples of procedures and safeguards that covered
entities may want to implement in order to protect the security of fax
transmissions:
ADMINISTRATIVE PROCEDURES
- Train staff to double check the recipient's fax number
before transmittal and to confirm delivery via telephone or review
of the appropriate confirmation of fax transmittal.
- Include a pre-printed confidentiality statement on all fax
cover sheets. The statement should instruct the receiver to destroy
the faxed materials and contact the sender immediately, in the
event that the transmission reached him/her in error.
PHYSICAL SAFEGUARDS & TECHNICAL SECURITY MECHANISMS
- Place fax machines in areas that require security keys, badges,
or similar mechanisms in order to gain access.
- Periodically remind regular fax recipients to provide notification
in the event that their fax number changes.
TECHNICAL SECURITY SERVICES
- Make certain that audit controls, like fax transmittal summaries
and confirmation sheets are stored and reviewed periodically for
unauthorized access or use.
- Pre-program and test destination numbers in order to minimize
the potential for human error.
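The audit-control and pre-programmed-number safeguards above amount to a periodic review of the fax server's transmittal summaries against a directory of verified destination numbers. The script below is an added example (not code from the original page, the HIPAAdvisor column, or any fax product); the log line format, the station names, the destination directory and every number in it are constructed, and the 180-day reconfirmation window and the 07:00-19:00 business-hours window are assumptions a covered entity would set for itself. It flags transmissions to numbers that were never pre-programmed, jobs whose delivery was not confirmed, after-hours sends, and directory entries whose recipient has not reconfirmed their number recently.

```python
"""Periodic review of fax transmittal summaries against a pre-programmed
destination directory. Added example, not from the original page; the log
format, field names, thresholds and all sample records are constructed."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional
import re

# Constructed fax-server transmittal summary, one line per job:
# <ISO timestamp> <job id> <sending station> <dialed number> <pages> <result>
TRANSMITTAL_LOG = """\
2024-03-04T09:12:41 J1001 station-2 +1 (555) 010-2200 4 OK
2024-03-04T09:40:07 J1002 station-5 555-010-2200 2 OK
2024-03-04T11:03:19 J1003 station-2 5550109876 7 OK
2024-03-04T23:55:30 J1004 station-9 555-010-4400 12 OK
2024-03-05T08:15:02 J1005 station-5 555-010-3300 3 BUSY
"""

# Constructed destination directory: pre-programmed numbers, each with the
# date on which the recipient last confirmed the number is still theirs.
APPROVED_DESTINATIONS = {
    "5550102200": ("Dr. A's office", date(2024, 1, 15)),
    "5550103300": ("Lab B", date(2023, 6, 1)),
    "5550104400": ("Clinic C", date(2024, 2, 20)),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<job>J\d+)\s+(?P<station>\S+)\s+"
    r"(?P<number>.+?)\s+(?P<pages>\d+)\s+(?P<result>\S+)$"
)


@dataclass
class Finding:
    job: Optional[str]   # transmittal job id, or None for directory findings
    code: str
    detail: str


def normalize_number(raw: str) -> str:
    """Reduce a dialed number to its digits so that '+1 (555) 010-2200',
    '555-010-2200' and '5550102200' compare equal (assumes NANP numbers)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable transmittal line: {line!r}")
    return m.groupdict()


def review_transmittals(log_text: str, directory: dict, review_date: date,
                        stale_days: int = 180,
                        business_hours: tuple = (7, 19)) -> list:
    """Return the findings a reviewer should follow up on."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        number = normalize_number(rec["number"])
        sent_at = datetime.fromisoformat(rec["ts"])
        # A destination that was never pre-programmed bypassed the tested
        # number list and needs a manual check that it was the intended one.
        if number not in directory:
            findings.append(Finding(rec["job"], "unknown_destination",
                f"{rec['station']} dialed {number}, not in pre-programmed directory"))
        # Anything other than a confirmed send needs telephone confirmation.
        if rec["result"] != "OK":
            findings.append(Finding(rec["job"], "unconfirmed_delivery",
                f"result {rec['result']}; confirm receipt by telephone before resending"))
        # Sends outside staffed hours are more likely to sit unattended
        # on the receiving machine.
        start, end = business_hours
        if not (start <= sent_at.hour < end):
            findings.append(Finding(rec["job"], "after_hours",
                f"sent at {sent_at.time()} from {rec['station']}"))
    # Recipients whose number has not been reconfirmed recently get the
    # periodic "tell us if your fax number changes" reminder.
    for number, (name, verified) in directory.items():
        if (review_date - verified).days > stale_days:
            findings.append(Finding(None, "stale_verification",
                f"{name} ({number}) last confirmed {verified}; request reconfirmation"))
    return findings


if __name__ == "__main__":
    for f in review_transmittals(TRANSMITTAL_LOG, APPROVED_DESTINATIONS, date(2024, 3, 5)):
        print(f"{f.job or '-':6} {f.code:22} {f.detail}")
```

Run against the constructed summary it reports four items: job J1003 to a number not in the directory, J1004 sent near midnight, J1005 with an unconfirmed BUSY result, and Lab B's number as overdue for reconfirmation. The review itself is the control; the script only makes sure nothing in the summary is skipped.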
Remember, security measures cannot be implemented in a vacuum.
In order to be successful, covered entities will need to fully integrate
the security standards into their strategies for compliance with
the privacy standards.
It is also important to keep in mind that although the security
standards have not yet been finalized, the original HIPAA law passed
by Congress already requires covered entities to "maintain
reasonable and appropriate administrative, technical, and physical
safeguards" designed to ensure the integrity and confidentiality
of PHI, and to protect against any reasonably anticipated:
- threats to the security or integrity of PHI
- unauthorized uses or disclosures and
- ensure compliance with the law by the covered entity's
officers and employees.