Using ‘Secure FAX’ to comply with HIPAA’s ‘Safeguards Principle’

Healthcare organizations often need to send sensitive information, such as protected health information (PHI), by facsimile on short notice, and that raises a real concern: anyone with physical access to the phone lines and some technical expertise can tap the call, capture the FAX transmission and so obtain the PHI it carries. HIPAA addresses this in its “Safeguards Principle”, which states that ‘Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.’

With email, the physical, technical, and administrative safeguards (transport encryption, authentication, access controls, retention policies) are well understood and easy to apply. With FAXes the situation is very different:

* There is no easy way to secure a FAX transmission between two parties unless both are set up with special encrypting FAX machines. Few organizations have such equipment: it is expensive, and to be useful, every correspondent must have a compatible machine.
* Everyone already uses ordinary, unencrypted FAX machines.
* Incoming FAXes are often left lying on the FAX machine for some time after they arrive, which exposes the sensitive information to anyone walking past the machine.
* FAX machines often keep copies of received FAXes in internal storage, so anyone with access to the machine can print additional copies of the sensitive material.
* FAX machines generally print the transmitted message on paper. If that paper is not shredded, it can end up in an insecure location.

One way to address this is to use a “Secure FAX” service delivered over the Internet. Such a service protects the information through the following process:

* You access the provider’s web site over a secure (SSL/TLS) connection.
* You log in and upload the material to be “FAXed” (typically after scanning it and saving it on your computer).
* You enter the recipient’s email address and possibly a FAX number.
* The pages you are “FAXing” are encrypted and stored in a database at the service provider.
* The recipient receives an email or FAX notifying them that a “FAX” is waiting and that they need to go to a web site to “pick it up”.
* The recipient visits the web site, authenticates, and downloads the “FAX” over a secure (SSL/TLS) web connection.

The information is protected at every hop of this path (note that the provider holds the stored pages and the keys to them, so it is a trusted intermediary rather than a true end-to-end encrypted channel) because:

* The transmission from the sender to the server is encrypted in transit.
* The temporary storage at the provider is encrypted at rest.
* The transmission from the server to the recipient is encrypted in transit.
* An audit trail of uploads, notifications and downloads may be available, which helps demonstrate compliance.
* The sender and/or recipient may be authenticated before they can upload or retrieve pages, which also helps demonstrate compliance.
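To make the upload, encrypted-at-rest storage, notification, authenticated pick-up and audit trail concrete, here is a small store-and-forward relay written for this page as an added example; it is not code from any real “Secure FAX” provider. It assumes that TLS between the browser and the relay is terminated by the web server in front of this class, that an in-memory dict stands in for the provider’s database, and that the pages are encrypted with a per-document key derived from a master key. The cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is a standard-library stand-in for a real AEAD such as AES-GCM and is itself an assumption of the example; a production service should use a vetted cryptography library. The pick-up token in the notification is single-use, time-limited and bound to the intended recipient, and only its hash is stored.

```python
"""Toy store-and-forward "secure FAX" relay (added example, not a real service).

Assumptions: TLS is handled by the web server in front of this class; storage
is an in-memory dict; the cipher below is an HMAC-SHA256 counter-mode stream
with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF(key, nonce || counter) blocks, truncated to the plaintext length.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per call."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored fax failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class StoredFax:
    sender: str
    recipient: str
    blob: bytes        # encrypted pages; the relay never stores plaintext
    token_hash: bytes  # only a hash of the pick-up token is kept
    expires_at: float
    picked_up: bool = False


class SecureFaxRelay:
    def __init__(self, master_key: bytes, ttl_seconds: int = 24 * 3600):
        self._master = master_key
        self._ttl = ttl_seconds
        self._faxes: dict[str, StoredFax] = {}
        self.audit: list[dict] = []  # the audit trail: one entry per upload/download attempt

    def _doc_key(self, fax_id: str) -> bytes:
        # Per-document key derived from the master key (hypothetical scheme for this example).
        return hmac.new(self._master, b"doc:" + fax_id.encode(), hashlib.sha256).digest()

    def _log(self, event: str, fax_id: str, who: str, now: float) -> None:
        self.audit.append({"ts": now, "event": event, "fax_id": fax_id, "who": who})

    def send(self, sender: str, recipient: str, pages: bytes,
             now: Optional[float] = None) -> tuple:
        """Authenticated sender uploads pages. Returns (fax_id, pick-up token);
        the token goes only into the notification e-mail, never into storage."""
        now = time.time() if now is None else now
        fax_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._faxes[fax_id] = StoredFax(
            sender, recipient, encrypt(self._doc_key(fax_id), pages),
            hashlib.sha256(token.encode()).digest(), now + self._ttl)
        self._log("upload", fax_id, sender, now)
        return fax_id, token

    def stored_blob(self, fax_id: str) -> bytes:
        """What someone who dumps the provider's database would see."""
        return self._faxes[fax_id].blob

    def pick_up(self, fax_id: str, recipient: str, token: str,
                now: Optional[float] = None) -> bytes:
        """Authenticated recipient presents the token from the notification.
        Refused unless: right recipient, right token, not expired, not yet collected."""
        now = time.time() if now is None else now
        fax = self._faxes.get(fax_id)
        if fax is None:
            self._log("pickup-denied", fax_id, recipient, now)
            raise PermissionError("unknown fax")
        presented = hashlib.sha256(token.encode()).digest()
        if (recipient != fax.recipient
                or not hmac.compare_digest(presented, fax.token_hash)
                or now > fax.expires_at
                or fax.picked_up):
            self._log("pickup-denied", fax_id, recipient, now)
            raise PermissionError("pickup refused")
        fax.picked_up = True  # single-use token
        pages = decrypt(self._doc_key(fax_id), fax.blob)
        self._log("download", fax_id, recipient, now)
        return pages
```

The design choices mirror the list above: the database holds only ciphertext and a token hash, so a dump of the provider’s storage reveals neither the pages nor a usable pick-up link; a wrong recipient, wrong token, expired link or second download is refused and recorded; and every upload and pick-up attempt lands in the audit list that a compliance reviewer would ask for.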

This is clearly a more secure way to transmit PHI than a classical FAX, provided the service provider can be trusted with the stored pages: under HIPAA it handles PHI on your behalf and should be bound by a business associate agreement.