HIPAA Faxing from eFax Corporate®
Secure and encrypted HIPAA compliant faxing. BAA available.
Speak with a representative now: (844) 344-7099
What is a HIPAA Compliant Fax Solution?
If your organization needs to transmit electronic protected health information (ePHI) by fax on a regular basis, you need to make sure those transmissions are completely secure and fully protected at all times. This is not only a matter of protecting patient privacy and your business’s reputation — it’s also the law.
Complying with the hundreds of pages of dense legal language in the Health Insurance Portability and Accountability Act (HIPAA) can be difficult for even the most experienced IT teams. When it comes to your faxing processes, determining whether you meet all of HIPAA’s guidelines and requirements can be overwhelming. Consequently, when considering the outsourcing of your organization’s fax infrastructure to a hosted cloud fax service — you should ask at least these four key questions of any potential solution:
Do You Have a Secure Fax Solution? Does it Meet HIPAA Fax Standards?
4 Questions to Ask Any Vendor:
- Is the fax solution you offer specifically designed to be HIPAA compliant?
- Do you have an on-staff Compliance Team certified as HIPAA faxing experts?
- What major healthcare organizations are using your HIPAA fax solution today? For how long?
- Will you sign a Business Associate Agreement (BAA) as our HIPAA fax provider?
HIPAA Faxing — What the Law Actually Says
The following are excerpts from the HIPAA Security Rule, which outlines the minimum requirements any Covered Entity (CE) or Business Associate (BA) must take to ensure the confidentiality, integrity and availability of any ePHI it handles.
The law breaks these guidelines into three categories: Administrative Safeguards, Technical Safeguards and Physical Safeguards. As you read these guidelines, consider how your organization’s fax processes stand up.
Note: These excerpts reflect only a small portion of the language and requirements contained in the HIPAA Security Rule. We are including them only as examples of areas within the law that will affect how your faxing processes meet (or do not meet) HIPAA standards.
Administrative Safeguards
Security Management Process
164.308(a)(1)
Implement policies and procedures to prevent, detect, contain, and correct security violations.
Information Access Management
164.308(a)(4)
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
Contingency Plan
164.308(a)(7)
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Business Associate Contracts and Other Arrangements
164.308(b)(1)
A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business associate will appropriately safeguard the information.
Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).
REQUIRED OR ADDRESSABLE
- Risk Analysis (Required)
- Risk Management (Required)
- Information System Activity Review (Required)
- Access authorization (Addressable): Implement policies and procedures for granting access to electronic protected health information, for example through access to a workstation, transaction, program, process, or other mechanism.
- Disaster recovery plan (Required): Establish (and implement as needed) procedures to restore any loss of data.
- Emergency Mode Operation Plan (Required)
- Written contract or other arrangement (Required)
Physical Safeguards
Facility Access Controls
164.310(a)(1)
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Device and Media Controls
164.310(d)
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
REQUIRED OR ADDRESSABLE
- Contingency Operations (Addressable)
- Facility Security Plan (Addressable)
- Access Control and Validation Procedures (Addressable)
- Maintenance Records (Addressable)
- Disposal (Required)
- Media Re-use (Required)
- Accountability (Required)
- Data Backup and Storage (Addressable)
Technical Safeguards
Access Control
164.312(a)(1)
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
Audit Controls
164.312(b)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Transmission Security
164.312(e)(1)
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
REQUIRED OR ADDRESSABLE
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption and Decryption (Addressable)
- Mechanism to Authenticate Electronic Protected Health Information (Addressable)
- Integrity Controls (Addressable)
- Encryption (Addressable)
HIPAA Compliant Cloud Faxing
Our Secure Fax Solution Helps You Meet HIPAA Standards
For true HIPAA compliant Healthcare faxing, you can trust eFax Corporate®.
With eFax Corporate deployed across your organization, your staff can securely fax by email from any Internet connected device including desktops, laptops, tablets or smartphones. Our secure fax solution transmits your ePHI and other important fax documents by email using the most advanced encryption over an IP network to your recipient’s fax number.
Our secure fax service also stores your faxes digitally on our secure cloud using 256-bit AES encryption and advanced security measures at our telco-grade colocations. Outsourcing your fax process to us lets your team eliminate the fax machines, fax servers and other fax infrastructure that can leave your organization vulnerable to non-compliance with HIPAA. Learn more about sending HIPAA faxes today!
- HIPAA Compliant fax solution
- We will sign a BAA as your HIPAA fax partner
- Strongest encryption available for your faxes in transit
- Strongest encryption available for your faxes at rest (256-bit)
- Eliminate your in-house fax hardware — and outsource to a proven HIPAA fax partner
| HIPAA Requires | eFax Corporate Delivers |
|---|---|
| Access Control: Requires covered entities to “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) [Information Access Management].” | The eFax Corporate cloud fax solution includes unique user identification, administrator privileges to grant and remove access, next generation (256-bit AES) encryption and other protocols to limit access to your organization’s authorized personnel only. Inbound documents may be sent to only the intended recipient’s email, limiting exposure and disclosure risks associated with faxing to a physical fax machine. |
| Transmission Security: The Transmission Security Standard, 45 CFR 164.312(e)(1), requires that a covered entity “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” | eFax Corporate implements the Transport Layer Security (TLS) protocol approved and recommended by the National Institute of Standards and Technology (NIST) for document transmissions, to ensure that your ePHI (and other business faxes) is never vulnerable at any point in transmission. |
| Data Encryption: Where implementation is a reasonable and appropriate safeguard for the covered entity, the covered entity must: “Implement a mechanism to encrypt and decrypt electronic protected health information.” 45 CFR § 164.312(a)(2)(iv). | eFax Corporate® keeps your faxes encrypted at all times — both in transit and at rest. Storage of documents uses the NIST-recommended AES 256-bit encryption and robust in-transit TLS encryption. All data is secured and stored at our geographically redundant, Tier III and Tier IV colocations, which themselves are protected by multiple security layers 24/7/365. |
| Audit Control: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” 45 CFR § 164.312(b). | eFax Corporate® employs multiple levels of audit control — from secure and automatic archiving of all faxes sent or received through eFax Corporate® for the life of your organization’s account, to transmission tracking with unique patient identifiers. |
"Phase 2" HIPAA Audits
Are your fax processes in full compliance with HIPAA’s strict guidelines? Do they create unnecessary risks for disclosure of Protected Health Information (PHI) to unauthorized recipients or employees?
Read our new whitepaper that addresses the 5 assumptions that covered entities make about their regulatory compliance — which are often incorrect — and find out how to correct them.