If you work in healthcare, or if you do business with healthcare providers on a regular basis, then you are familiar with HIPAA. Most associate HIPAA as the federal law that protects private patient information. However, the law covers considerably more than that, – but HIPAA’s so-called Privacy Rule receives the most focus.
If you are classified as a “covered entity” under HIPAA regulations, it’s important that you understand exactly what needs to be protected, how to protect it, and what the violations are for non-compliance. Every year, the federal government’s Health & Human Services Office for Civil Rights imposes penalties on healthcare providers and other covered entities resulting from their failure to protect patient information.
It’s common practice in the healthcare field to send and receive faxes containing patients’ protected health information (PHI). While interoperability of electronic health records (EHRs) is in the works, we’re simply not there yet. Fax serves as one of the most secure and reliable means of communicating PHI with other healthcare providers, insurers, and healthcare exchanges.
Nevertheless, it is important to follow some best practices whenever you are sending or receiving PHI via fax. Here is a list of five key practices that will help you and your organization remain fully compliant with the HIPAA Privacy Rule.
#1: Faxes should not sit out in a public location.
If you intend to use a physical fax machine that prints out a paper document, then it’s best to get a dedicated line for any faxes containing PHI. The machine to which incoming faxes are sent should be in a location where access is limited, and employees must be trained to understand the implications of allowing authorized access to that area.
Outgoing faxes, likewise, should be sent from machine located in a secure, access-controlled room. Alternatively, an authorized person sending faxes can remain at the machine until each transmission is complete, so that the outgoing document is never left unattended.
Faxes should not be left on desk counters where patients can see them from the sign-in desk or in a location where the general public can view them.
#2. Use a HIPAA Compliant Cover Page
Whenever you send a fax containing protected information, use an appropriate cover page containing an appropriate HIPAA disclaimer. This protects your organization in the event that the fax is inadvertently made available to an unauthorized party or faxes to a wrong number. While you can’t necessarily control what happens after your recipient receives a fax, the cover page can protect you from liability. A good HIPAA-compliant cloud fax provider will make adding a cover page a standard part of their workflow for outgoing faxes.
#3. Maintain a Audit Trail
A good audit trail provides a clear, well-documented record of exactly what information was sent and received, when, and by whom. With a good HIPAA-compliant cloud fax service, you should have access to a complete record of your incoming and outgoing fax history. Should you face a HIPAA Audit, whether internal or due to a violation, you will need to provide those records to the auditors.
#4. Proper handling of HIPAA Materials and local devices
Most of the high-profile breaches of the HIPAA happened because PHI was saved to a local hard drive or mobile device, where a user failed to apply appropriate precautions by deleting it. If devices are subsequently stolen, lost, or disposed of without taking appropriate measures to destroy the data they contain; PHI could be inadvertently exposed, resulting in fines and penalties. Some of the largest fines were due to PHI being saved to a local MFP device.
If you are upgrading your MFP devices please ensure that your MFP company wipes the devices they are upgrading. Don’t risk massive bankruptcy-inducing fines because a vendor forgets to wipe a device. Your local security officer should have responsibility over these processes.
In Summary: Secure your PHI. Keep it in a secure location, physically and digitally. HIPAA violations are rarely due to hackers, ransomware and or disgruntled employees. It’s usually caused by an oversight or forgetting to remove materials from devices that being recycled or sold.