Assessing a Fax Service Provider: Part Six HIPAA Compliance


When Comparing Cloud Fax Providers:

Verify HIPAA Compliance

Compliance is a legal condition established by regulatory standards set for whatever information an organization stores, shares, links to, or compiles. In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) applies to any organization handling protected health information (PHI), and HIPAA compliance is a mandatory vendor requirement for anyone looking to move to a cloud fax service. HIPAA compliance is the focus of this sixth installment of our blog post series about assessing a new cloud fax provider.

To help you gather the right questions to ask other internal stakeholders for your fax solution purchasing process, we’ve put together a checklist of considerations to help you begin scoping your project. Download the checklist below.

Sharing Some HIPAA Compliance Risk by Using Cloud Fax

If your organization is still dependent on fax machines, servers, or other fax appliances, you are assuming all the inherent compliance risk related to faxing. However, moving to an electronic fax provider allows you to transfer some of that risk to your vendor. Very few internet fax service providers fail to include HIPAA compliance as a key feature. Proving it is another matter—especially on an official level. There has only been a formal HIPAA compliance audit program since 2016, when the Office for Civil Rights (OCR) launched the Phase 2 HIPAA Audit Program. Only a few electronic fax providers have participated in this optional audit process.

Seven Steps for Verifying HIPAA Compliance in Cloud Fax Vendors

To ensure a prospective internet fax vendor is truly HIPAA compliant, follow these guidelines:

1. Assess the entire scope of HIPAA Compliance.

Fax transmission and receipt require at least three organizations: the providers of the fax service, the data center, and the telecom service. Under HIPAA, all of them must comply with the requirements. If any link in that provider chain is not compliant, everyone is at risk.

2. Get more granular than just ‘HIPAA Compliant’. 

All service providers should be assessed in terms of how they satisfy each applicable regulation. These are:

  • 45 CFR §164.308 – Administrative Safeguards
  • 45 CFR §164.310 – Physical Safeguards
  • 45 CFR §164.312 – Technical Safeguards
  • 45 CFR §164.316 – Other Security Controls

3. Look for situations where compliance could be a risk.

Internet fax vendors can mislead potential customers with their statements about HIPAA compliance. You should not assume that a secondary data center is HIPAA compliant in the same way as your primary. Likewise, a backup data center that provides service during a failover may not be compliant. Avoid potential risks by insisting on specific service requirements rather than accepting generalizations. Every component of your electronic fax service, even one used only in emergencies, has to be compliant.

4. Check for any non-compliance issues in prospective vendor histories. 

Require detailed information from any potential provider under consideration about breaches, audits, and any related compliance issues.

6. Require a prospective vendor to sign a Business Associate Agreement (BAA).

While many vendors will readily agree to this provision, do your due diligence to ensure they meet the required security measures.

7. Make sure you are compliant in your own fax-involved processes.

Remember that the PHI involved in a fax is still governed by HIPAA even when not being transmitted. Protect it at every stage in the process, from sending to printing and shredding, and keep it private and secure at all times. 


When assessing a new electronic fax provider, you need to be comfortable on every level that maintaining HIPAA compliance receives top priority. For any vendor, this should involve such provisions as third-party HIPAA compliance assessments, explicit compliance policies and procedures, employee HIPAA training, regular risk assessments, and disclosure reporting policies. Every healthcare organization makes a serious commitment to patient privacy and protecting PHI. You need to know your internet fax vendor makes the same vow.

Start asking the right questions about your organization’s fax uses and needs, so you can find the right solution for the entire organization.
