Ensuring HIPAA Compliant Faxing for Healthcare Organizations

In the article to follow, we will cover the impact of HIPAA on faxing and how organizations should approach their fax communications if they wish to secure HIPAA compliance.

HIPAA Compliance and Certification

As well-known and widespread as HIPAA is, there is still no formal certification process for earning HIPAA compliance. There is no official checklist to complete and there is no such thing as a HIPAA-certified product or service.  A company can, however, contract a third-party firm to perform a HIPAA audit (to ensure compliance).

With regard to fax communications and HIPAA regulations, many fax solutions will help organizations achieve compliance. That said, there is not one magic bullet that will suddenly make every healthcare company HIPAA compliant.

HIPAA Safeguards for PHI

There are different safeguards that make up the HIPAA Security Rule, including physical safeguards, technical safeguards, and administrative safeguards. Every organization that has access to a person’s Protected Health Information (PHI) must be ready to prove that they are operating in compliance with HIPAA regulations.

HIPAA standards most relevant to fax providers seeking compliance for their products or services are:

• 45 CFR §164.308-Administrative Safeguards
• 45 CFR §164.310-Physical Safeguards
• 45 CFR §164.312-Technical Safeguards
• 45 CFR §164.316-Other Security Controls

Learn more about these standards here.

Is My Organization Covered if a Fax Provider’s Service is HIPAA Compliant?

In short, no. Your organization is not protected just because your fax provider is compliant. However, as part of their commitment to PHI safety, many fax service providers will include legal document called a Business Associate Agreement (BAA) as part of the service contract. The BAA does not imply that a service is HIPAA compliant either, but it ensures that the fax service provider accepts liability should a breach of PHI occur between their walls. This liability only comes into force during the sending, receiving, or storing of faxed documents.

What kind of situations can cause a breach of PHI?

Thousands of similar examples exist, but here are some below:

• Faxes sent and received by your organization are printed, filed in a cabinet, and then the documents later somehow stolen because the storage method did not comply with HIPAA Physical Safeguards
• A staff member forwards a fax electronically to a party who is not authorized to access the Protected Health Information within those faxed documents.
• Your company’s network is improperly secured, resulting in an unauthorized party gaining access to the network and the PHI therein.
• Inadequate security regarding controlled access to your fax product/service leads to an unauthorized user illegally procuring and distributing PHI.

Doing the Right Thing

Selecting a reputable fax service provider is a solid first step in maintaining or gaining HIPAA compliance. The fax service provider under consideration should be one that places  a very high priority on security. The provider should also have a current Business Associate Agreement (BAA) in place.

And if any doubts regarding the fax service provider’s HIPAA compliance should arise while completing your due diligence, a call, video chat or physical visit to the fax service provider’s place of business and/or data centers should be arranged.

To learn more about our security and compliance measures, read more here.

Interested in Exploring our Network Architecture?

Take an in-depth look at Concord’s Cloud Fax network architecture: Download our white paper to learn more about the network design that makes Concord fast, secure, and always online.