HIPAA Fax Compliance Guide

Beginners HIPAA Compliance Guide

Fax and HIPAA Compliance require diligence and intelligent planning to ensure your organization’s handling of ePHI (Electronic Personal Health Information) is compliant with Federal guidelines. Being HIPAA “Compliant” is not a certificate or designation. It is a set of guidelines and practices that your organization follows to prevent the disclosure of confidential information.

  • HIPAA Fax Disclaimer.
  • Date and Time Fax sent.
  • Receiver name and fax #.
  • Sender name, organization and phone #.
  • Patient’s Name and reference # if needed.

    Below we have detailed the primary steps to take in order to ensure your fax platform handles ePHI data properly.

    Do you need a BAA?

    Any individual or entity that performs functions or activities on behalf of a covered entity that requires the business associate to access PHI is considered a business associate, according to HHS. A fax company that works with organizations that handle HIPAA protected content will offer a BAA (Usually for no additional cost). A BAA is required for HIPAA compliance. HHS has issued general guidelines for most BAAs. Some fax companies will have BAAs that have additional stipulations that may require review by your legal team.

    BAAs have become more and more complicated as liability and indemnity clauses are becoming the norm. Deals are being lost and parties are walking away from opportunities because of too much overreaching in BAA’s.

    Indemnity clauses should be moved out of BAA’s and Covered Entities (CE) should use BAAs closer to the HHS templates. Any indemnity should be moved to the Terms of Service agreements where they are more specific and addressable.

    Regardless, these agreements have become more contentious as the protection of PHI becomes more critical than ever.

    What about Security and Encryption?

    The Department of Health and Human Services has established minimum requirements for HIPAA compliant communications. Any fax vendor must have an API that supports a TLS encrypted connection. An API endpoint must support TLS 1.2 at a minimum.

    How does one determine if a fax provider has TLS 1.2 or greater? One can use the developer tools in the Chrome browser.  Open the API address in your browser right click and select inspect. Then click the “Security” tab. You’ll see the connection settings and it will tell you the TLS version supported. In this screenshot, TLS 1.2 is in being used.

    Why can’t I use Email to send Faxes?

    Sending a fax via email is convenient and easy but when it comes to HIPAA compliance it is not as simple.

    Sending ePHI using email could lead to the email, and thus the ePHI, being open to interception by hackers or captured over the open internet. Email is not inherently secure as we all know. It is secure on your desktop but once it leaves the email client it traverses various networks until it reaches the destination server. While it is transiting those networks it can be intercepted and disclosed.

    How secure is your fax provider?

    Any cloud fax provider that utilizes an email to fax service must ensure that they utilize TLS 1.2 encryption (at a minimum) and that the email is not routed over the open internet. Ask your fax provider if they offer secure fax to email and get details.