If your organization is in the healthcare industry, there is a high chance you still send faxes daily, which means you need reasonable safeguards in place to keep those faxes HIPAA compliant.
Your organization must ensure that all Protected Health Information (PHI) being sent and received is protected in line with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The act safeguards medical records and patient data and provides a framework for when PHI can be shared and with whom.
What is a HIPAA Violation?
HIPAA's minimum necessary standard requires that a fax disclose only the PHI needed for its purpose, so disclosing too much is itself a violation. Other things that constitute a violation include:
- Disclosing PHI without permission
- Accessing PHI without authorization
- Failure to dispose of PHI securely when it is no longer needed
- Failure to manage risk and conduct a risk assessment
- Not having safeguards in place to ensure PHI is safe
- Not monitoring access to PHI
- Not giving patients copies of their PHI when they request it
- Not having access controls
- Not having a business associate agreement in place with vendors before sharing PHI with them
- Delaying notification to affected patients after a breach
- Missing the 60-day deadline from discovery of a breach to issuing the notification
- Mishandling or misdirecting faxes that contain PHI
- Not documenting compliance efforts
With such a variety of possible violations, how does a healthcare facility keep track of whether one has occurred? The most common way HIPAA violations are uncovered is through internal audits, and healthcare professionals who have violated HIPAA rules will often self-report to minimize the impact of the violation. Some organizations also have a compliance team that checks for potential violations on an ongoing basis.
What Happens if You Breach HIPAA Compliance?
Financial penalties for HIPAA violations are high, and they apply whether or not the violation was intentional.
Fines issued by state attorneys general can reach $25,000 per violation category per calendar year. The HHS Office for Civil Rights (OCR) can issue higher fines, up to $1.5 million per violation category for each year the violation persisted (a cap that is adjusted for inflation). There have already been multi-million-dollar settlements.
HIPAA Violation Tiers
Not all HIPAA violations carry the same consequences. A tiered structure sets the penalty range according to how culpable the organization was:
- Tier 1 Violation – A fine of $100 to $50,000 per violation. This tier applies when the organization did not know about the violation and, exercising reasonable diligence, could not have known about it.
- Tier 2 Violation – A fine of $1,000 to $50,000 per violation. This tier applies when there was reasonable cause: the organization knew, or should have known, about the violation, but it did not result from willful neglect.
- Tier 3 Violation – A fine of $10,000 to $50,000 per violation. This tier applies when the violation resulted from willful neglect but was corrected within 30 days of discovery.
- Tier 4 Violation – A fine starting at $50,000 per violation. This tier applies when the violation resulted from willful neglect and was not corrected within 30 days.
Health and medical organizations are all required to take extra security measures to ensure they are HIPAA compliant. Unfortunately, legacy fax machines expose PHI in ways that are hard to control: printed pages sit on an output tray where anyone walking past can read them, a single misdialed digit sends a patient record to the wrong party, and many machines keep copies of transmitted pages in internal memory that is rarely wiped. Keeping the machine standalone and off the network does not address any of these risks. That is why it is vital that healthcare companies switch to a HIPAA-compliant faxing system.
Switching from Traditional Fax Machines
There are major obstacles to overcome before fax machines can be deemed secure enough for sensitive patient information. Many organizations keep fax machines only because eHealth systems still do not interoperate well, but that is not a reason to rely on an insecure channel.
Since switching to newer solutions takes time, it is important to ensure that PHI remains safe while fax machines are still in use. All employees should be well aware of the HIPAA faxing rules and practices that come with using traditional fax machines.
Tips for Remaining HIPAA Compliant
Handling PHI can be tricky, but luckily there are a few helpful methods and tips to securely send patient information.
1. Never Leave Faxes Unattended on a Fax Machine
Whenever you need to send a fax that contains PHI or other personal information, it is a golden HIPAA fax rule that you stay beside the machine until you are finished faxing. Even if you have other quick tasks you’d like to take care of while sending a fax, leaving the documents unattended can lead to a major violation. Stay near the fax machine until the fax is complete.
Tip: Take precautions before sending the fax. Confirm the recipient's number before dialing, ideally from a pre-programmed speed dial that is verified periodically, so that a misdialed digit does not send PHI to a stranger, and make sure the recipient keeps their fax machine in a secure location where the documents will not be accessible to unauthorized personnel. Include a fax cover sheet so that the first page anyone sees carries a confidentiality notice rather than patient data.
2. Switch to a HIPAA Compliant Cloud Fax Service
Cloud-based or online faxing services like iFax don’t only transfer your faxing to the cloud — they bring you new features and capabilities that a regular fax machine or three-in-one machine just can’t offer.
Additionally, it is a cost-efficient option, as you will no longer need a fax machine. Paper, ink, and toner become purchases of the past, and you save on electricity. With a cloud fax service you can also drop the fixed phone line each month, since you will not necessarily need one to send and receive faxes online. You can simply send an email to fax confidential information right from your phone or computer.
Cloud fax providers protect the data you send with encryption, typically TLS for transmissions in transit and AES for stored faxes. Ask a provider which protocols and key management it uses rather than accepting a label like "military-grade encryption" as a description.
While there are plenty of online fax service providers to choose from, always select one that is compliant with all the regulations you have to follow. A top-tier secure fax service will be HIPAA compliant from the start.
Tip: HIPAA requires you to have a signed business associate agreement (BAA) with any vendor that creates, receives, stores, or transmits PHI on your behalf, and an online fax provider is such a vendor. The BAA sets out both sides' responsibilities for keeping PHI safe. If a provider refuses to sign one, find a different service.
3. Use a HIPAA Fax Disclaimer
Every time you send a fax containing PHI, include a cover sheet with a confidentiality notice warning against unauthorized access. HIPAA does not prescribe a fixed wording, but a cover sheet is a widely expected safeguard: it informs the recipient that the incoming fax contains protected health information that is not to be redistributed, and it tells an unintended recipient what to do.
While there is no official checklist for what the disclaimer should contain, the following information will convey what is needed to stay compliant:
- Date and time of fax transmission
- Recipient's name and fax number
- Sender's name, fax number, and organization
- Number of pages, so the recipient can tell if a page is missing
- A confidentiality notice prohibiting redistribution of the received information and instructions to notify the sender and destroy the fax if it was received in error
- No patient name or other PHI on the cover sheet itself; it is the one page anyone at the receiving machine will see, so keep it to the minimum necessary
Tip: If you are switching to an online fax app, double-check whether you are able to attach a fax disclaimer as part of your protocol when sending faxes.
4. Keep an Audit Trail
You must keep track of all activity on your systems and network with audit logs. Audit controls are a requirement of the HIPAA Security Rule for all Covered Entities and Business Associates, meaning that healthcare providers, medical organizations, and all their vendors must keep them.
Cloud fax service providers must therefore offer a way to track all faxing activity (who sent what, to which number, when, and whether it was delivered) so you can demonstrate compliance when sending patient health information. Most cloud faxing platforms record this automatically; the best ones also keep an online fax archive that lets you access all document versions to track changes and activity.
Tip: HIPAA requires you to retain compliance documentation, which includes these logs, for at least six years. Store the logs where ordinary users cannot edit or delete them, and review them regularly rather than only after an incident.
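The audit trail is only useful if someone actually reviews it. The following is an added example, not iFax code or any provider's API: it parses a constructed fax audit log, flags the events a compliance reviewer would want to see (PHI sent to a number outside the approved directory, sent without a cover sheet, sent outside business hours, or not confirmed delivered), reports which entries have passed the six-year retention period, and hash-chains the entries so that a later edit or deletion of any record is detectable. The log schema, field names, user names, and phone numbers are all hypothetical.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (hypothetical schema): one JSON object per line.
# Timestamps are UTC; the hour-of-day check below is therefore in UTC too.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:00Z", "user": "rn.lee", "dest": "+15550100", "pages": 3, "cover_sheet": true, "status": "delivered", "phi": true}
{"ts": "2024-03-04T09:40:00Z", "user": "rn.lee", "dest": "+15550199", "pages": 2, "cover_sheet": true, "status": "delivered", "phi": true}
{"ts": "2024-03-04T22:05:00Z", "user": "billing.kim", "dest": "+15550100", "pages": 12, "cover_sheet": false, "status": "delivered", "phi": true}
{"ts": "2018-01-10T10:00:00Z", "user": "dr.ortiz", "dest": "+15550100", "pages": 1, "cover_sheet": true, "status": "failed", "phi": true}
"""

# Hypothetical approved recipient directory (fax number -> organization).
APPROVED_RECIPIENTS = {
    "+15550100": "Riverside Radiology",
    "+15550101": "County Health Department",
}

RETENTION = timedelta(days=6 * 365)  # HIPAA documentation retention: six years


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text: str) -> list[dict]:
    """Parse one JSON record per line; ignore blank lines."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            entry["ts"] = parse_ts(entry["ts"])
            entries.append(entry)
    return entries


def review(entries: list[dict], directory: dict, business_hours=(7, 19)) -> dict:
    """Return, per safeguard, the indices of PHI faxes that violate it."""
    findings = {"misdirected": [], "no_cover_sheet": [], "out_of_hours": [], "unconfirmed": []}
    for i, e in enumerate(entries):
        if not e.get("phi"):
            continue  # only faxes carrying PHI are in scope for these checks
        if e["dest"] not in directory:
            findings["misdirected"].append(i)  # number not in the verified directory
        if not e.get("cover_sheet"):
            findings["no_cover_sheet"].append(i)
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            findings["out_of_hours"].append(i)  # unusual time: worth a second look
        if e["status"] != "delivered":
            findings["unconfirmed"].append(i)  # failed or pending: no delivery proof
    return findings


def past_retention(entries: list[dict], now: datetime) -> list[int]:
    """Indices of entries older than the retention period (eligible for disposal review)."""
    return [i for i, e in enumerate(entries) if now - e["ts"] > RETENTION]


def chain(entries: list[dict]) -> list[str]:
    """Hash-chain the records: each digest covers the previous digest plus the record."""
    prev = "0" * 64
    digests = []
    for e in entries:
        record = json.dumps({**e, "ts": e["ts"].isoformat()}, sort_keys=True)
        prev = hashlib.sha256((prev + record).encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(entries: list[dict], digests: list[str]) -> bool:
    """True only if no record was altered, removed, or reordered since the chain was built."""
    return chain(entries) == digests


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for check, idx in review(log, APPROVED_RECIPIENTS).items():
        for i in idx:
            print(f"{check}: {log[i]['user']} -> {log[i]['dest']} at {log[i]['ts'].isoformat()}")
    print("past retention:", past_retention(log, datetime.now(timezone.utc)))
    print("chain intact:", verify_chain(log, chain(log)))
```

In the sample, the second entry goes to a number that is not in the directory (the classic misdirected fax), the third was sent at night without a cover sheet, and the 2018 entry never got a delivery confirmation and is now past the six-year window. Storing the chain digests somewhere the log writer cannot modify (a separate system, or a periodically published head digest) is what turns the hash chain into an actual tamper-evidence control.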
5. Migrate to the Cloud
Lost or stolen portable devices such as removable drives, laptops, and tablets have long been one of the leading causes of healthcare data breaches. A lost device holding unencrypted PHI is a reportable breach and exposes the organization to fines.
Tip: Encrypt PHI at rest everywhere it lives (full-disk encryption on every laptop and mobile device, and encrypted storage for any cloud service) and keep the authoritative copy in the organization's managed cloud storage rather than on local devices. Under HHS guidance, PHI that is encrypted in line with that guidance is not "unsecured" PHI, so losing an encrypted device generally does not trigger breach notification, provided the decryption key was not lost with it.
Stay HIPAA Compliant with Online Faxing
Since fax machines cannot keep up with the regulatory framework, HIPAA is just one of many regulations slowly pushing them out of offices. Regular risk assessments and staff training reduce violations, but moving to compliant software is the best long-term solution for healthcare providers.
The iFax app moves your organization away from the traditional fax machines and into the modern era of HIPAA-compliant fax services that connect to the rest of your network. With availability spanning across all major platforms (Windows, macOS, Android, and iOS), iFax comes with more features than a fax machine ever could. With an integrated document scanner, fax image editing capability, and automated fax image optimization, it’s the go-to solution for health and medical organizations.
Fill out forms, annotate PDF files, and use digital signatures to rest easy knowing that your faxes will be encrypted from start to finish. Try the iFax app today to send free online faxes from any device you need to, even if you’re on the go.