What to ask a prospective fax provider about HIPAA compliance

Searching for a HIPAA compliant fax provider: Three questions to ask

Selecting an online fax provider looks different for every organization depending on its business requirements for a cloud fax service. For example, a small business with few security concerns will have different requirements from an organization that faxes high volumes of sensitive information. And for enterprise level organizations that operate in highly-regulated industries, finding a secure online fax provider becomes even more challenging when questions of compliance arise.

If your organization is subject to HIPAA, you already know how vital it is for your business partners and third party service providers to operate in line with the regulations. As you work to find the right fax solution for your organization, start by assessing the ways in which any prospective providers address the topic of HIPAA compliance. You may find that some cloud fax service providers’ HIPAA claims don’t hold up under scrutiny.

To help you find a fax service that is 100% HIPAA compliant, Concord Technologies has come up with three simple questions that will quickly weed out potentially risky providers. For a more detailed guide to the cloud fax buying process, you can download a free copy of our Concord Cloud Fax Reference Guide.


What should you be asking your fax provider about their HIPAA compliance?

What happens in the event that the fax service suffers an outage?

It may not be immediately obvious how a service outage impacts HIPAA compliance, so here’s a quick explanation:

Many fax service providers have the concept of “primary” and “backup” servers or data centers. Often, only the primary components are covered by the provider’s HIPAA controls and BAA. Should an outage occur, your PHI could suddenly find itself being routed through servers and/or data centers that are not. Making matters worse, that lack of HIPAA compliance may well be a product of less-than-adequate security, meaning your data could be at risk. A HIPAA compliant fax provider will have clear, detailed documentation of the policies and procedures in place to handle any such service outage. This documentation should include the provider’s network failover protocol, and it should make explicit that the backup infrastructure is held to the same security controls and BAA obligations as the primary. In short, if you cannot be sure exactly how your faxes are going to be transported in the event of an outage, keep looking.

Is the fax service exempt from HIPAA through the conduit exception?

While this may not be a question to ask a vendor directly, if you come across a cloud fax provider that claims exemption from HIPAA because of the conduit exception, they’re wasting your time. The reality is that no fax service provider can qualify for the conduit exception, which the Department of Health and Human Services (HHS) describes as applying to

“…a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.”

While some cloud fax providers may attempt to claim that they qualify as an “electronic equivalent,” this is never the case. HHS has made clear that the exception is narrow: it covers transmission-only services, including any temporary storage of PHI incidental to that transmission. Online fax services do more than just transfer documents from point A to point B. Both incoming and outgoing faxes are stored on the provider’s servers (in inboxes, retry queues, and archives), and the provider has access to their content. Because of this, a cloud fax service does not qualify as a HIPAA conduit.

Similarly, if a fax provider claims to be both HIPAA compliant and a HIPAA conduit, they’re not giving you the full story.

How does the fax service mitigate the risk that comes with signing a BAA?

First off, if a fax provider is hesitant to sign a BAA, move on, as they are clearly unqualified to handle your data. Unfortunately, that still leaves many providers who are equally unqualified yet perfectly willing to sign a BAA.

Validating a provider’s ability to comply with HIPAA (rather than simply their willingness to accept part of the risk) means understanding the specific requirements HIPAA details for operational, physical, network and application-level security of the documents the provider handles, and asking for evidence that those requirements are met. For many fax service buyers, this can be a daunting task, but Concord’s Cloud Fax Reference Guide contains everything you need to know in order to vet potential providers.

Have questions beyond HIPAA?

Download your free Concord Cloud Fax Reference Guide.

Everything you need to effectively build a detailed set of requirements for your fax project.
