If your organization needs to transmit electronic protected health information (ePHI) by fax on a regular basis, you need to make sure those transmissions are completely secure and fully protected at all times. This is not only a matter of protecting patient privacy and your business’s reputation — it’s also the law.
Complying with the hundreds of pages of dense legal language in the Health Insurance Portability and Accountability Act (HIPAA) can be difficult for even the most experienced IT teams. When it comes to your faxing processes, determining whether you meet all of HIPAA’s guidelines and requirements can be overwhelming. Consequently, when considering outsourcing your organization’s fax infrastructure to a hosted cloud fax service, you should ask at least these four key questions of any potential solution:
The following are excerpts from the HIPAA Security Rule, which outlines the minimum requirements any Covered Entity (CE) or Business Associate (BA) must take to ensure the confidentiality, integrity and availability of any ePHI it handles.
The law breaks these guidelines into three categories: Administrative Safeguards, Technical Safeguards and Physical Safeguards. As you read these guidelines, consider how your organization's fax processes measure up against them.
Note: These excerpts reflect only a small portion of the language and requirements contained in the HIPAA Security Rule. We are including them only as examples of areas within the law that will affect how your faxing processes meet (or do not meet) HIPAA standards.
Security Management Process
Implement policies and procedures to prevent, detect, contain, and correct security violations.
Risk Analysis (Required)
Risk Management (Required)
Information System Activity Review (Required)
Information Access Management
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
Access authorization (Addressable)
Implement policies and procedures for granting access to electronic protected health information, for example through access to a workstation, transaction, program, process, or other mechanism.
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
Disaster recovery plan (Required)
Establish (and implement as needed) procedures to restore any loss of data.
Emergency Mode Operation Plan (Required)
Business Associate Contracts and Other Arrangements
A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information.
Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).
Facility Access Controls
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Contingency Operations (Addressable)
Facility Security Plan (Addressable)
Access Control and Validation Procedures (Addressable)
Maintenance Records (Addressable)
Device and Media Controls
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Media Re-use (Required)
Data Backup and Storage (Addressable)
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
Unique User Identification (Required)
Emergency Access Procedure (Required)
Automatic Logoff (Addressable)
Encryption and Decryption (Addressable)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Mechanism to Authenticate Electronic Protected Health Information (Addressable)
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
For truly HIPAA-compliant healthcare faxing, you can trust eFax Corporate®.
With eFax Corporate deployed across your organization, your staff can securely fax by email from any Internet-connected device, including desktops, laptops, tablets or smartphones. Our secure fax solution transmits your ePHI and other important fax documents by email, using advanced encryption over an IP network, to your recipient's fax number.
Our secure fax service also stores your faxes digitally in our secure cloud using 256-bit AES encryption and advanced security measures at our telco-grade colocations. Outsourcing your fax process to us lets your team eliminate the fax machines, fax servers and other fax infrastructure that can leave your organization vulnerable to non-compliance with HIPAA. Learn more about sending HIPAA-compliant faxes today.
eFax Corporate Delivers
Access Control: Requires covered entities to “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) [Information Access Management].”
The eFax Corporate cloud fax solution includes unique user identification, administrator privileges to grant and remove access, next-generation (256-bit AES) encryption and other protocols to limit access to your organization’s authorized personnel only. Inbound documents can be delivered only to the intended recipient’s email, limiting the exposure and disclosure risks associated with faxing to a physical fax machine.
Transmission Security: The Transmission Security Standard, 45 CFR 164.312(e)(1) requires that a covered entity “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
eFax Corporate implements the Transport Layer Security (TLS) protocol, approved and recommended by the National Institute of Standards and Technology (NIST), for document transmissions to ensure that your ePHI (and other business faxes) is never vulnerable at any point in transmission.
Data Encryption: Where implementation is a reasonable and appropriate safeguard for the covered entity, the covered entity must: “Implement a mechanism to encrypt and decrypt electronic protected health information.” 45 CFR § 164.312(a)(2)(iv).
eFax Corporate® keeps your faxes encrypted at all times — both in transit and at rest. Storage of documents uses the NIST-recommended AES 256-bit encryption and robust in-transit TLS encryption. All data is secured and stored at our geographically redundant, Tier III and Tier IV colocations, which themselves are protected by multiple security layers 24/7/365.
Audit Control: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” 45 CFR § 164.312(b).
eFax Corporate® employs multiple levels of audit control — from secure and automatic archiving of all faxes sent or received through eFax Corporate® for the life of your organization’s account, to transmission tracking with unique patient identifiers.