HIPAAdvisor: Q & A with Steve Fox, Esq.

Just the Fax Facts

QUESTION: Can you offer guidance about sending and receiving faxes that contain individually identifiable patient information? Are fax transmissions covered under HIPAA’s privacy standards or do the security standards govern these transactions?

ANSWER: The proposed security standards and the privacy standards both set forth requirements designed to protect the confidentiality and privacy of certain health information. Therefore, covered entities will be required to comply with both of these rules whenever they send or receive fax transmissions containing individually identifiable health information, also referred to as protected health information ("PHI").

Essentially, the privacy standards identify and define exactly what type of information is protected and in what context such information may be used and/or disclosed. In contrast, the proposed security standards establish a framework for executing those disclosures permitted under the privacy standards.

The question being asked requires an examination of the means by which covered entities will maintain the confidentiality of PHI. Accordingly, this discussion revolves around the proposed security standards (the "security standards").

The security standards apply to PHI that is either electronically maintained or transmitted. These standards require covered entities to implement:

  1. administrative procedures, physical safeguards, and technical security services to guard data integrity, confidentiality, and availability and

  2. technical security mechanisms to prevent unauthorized access to data that is transmitted over a communications network.

Following are some examples of procedures and safeguards that covered entities may want to implement in order to protect the security of fax transmissions:

ADMINISTRATIVE PROCEDURES

  • Train staff to double check the recipient’s fax number before transmittal and to confirm delivery via telephone or review of the appropriate confirmation of fax transmittal.

  • Include a pre-printed confidentiality statement on all fax cover sheets. The statement should instruct the receiver to destroy the faxed materials and contact the sender immediately, in the event that the transmission reached him/her in error.

PHYSICAL SAFEGUARDS & TECHNICAL SECURITY MECHANISMS

  • Place fax machines in areas that require security keys, badges, or similar mechanisms in order to gain access.

  • Periodically remind regular fax recipients to provide notification in the event that their fax number changes.

TECHNICAL SECURITY SERVICES

  • Make certain that audit controls, like fax transmittal summaries and confirmation sheets, are stored and reviewed periodically for unauthorized access or use.

  • Pre-program and test destination numbers in order to minimize the potential for human error.

Remember, security measures cannot be implemented in a vacuum. In order to be successful, covered entities will need to fully integrate the security standards into their strategies for compliance with the privacy standards.

It is also important to keep in mind that although the security standards have not yet been finalized, the original HIPAA law passed by Congress already requires covered entities to "maintain reasonable and appropriate administrative, technical, and physical safeguards" designed to ensure the integrity and confidentiality of PHI, and to protect against any reasonably anticipated:

  1. threats to the security or integrity of PHI

  2. unauthorized uses or disclosures

and to ensure compliance with the law by the covered entity’s officers and employees.

Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.