If your organisation works in healthcare or medicine, there’s a high chance you are still sending faxes on a daily basis – which means you must ensure they are HIPAA compliant.
Your organisation must ensure that all Protected Health Information (PHI) being sent and received is handled according to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which safeguards patient data and sets out when it can be shared and with whom.
HIPAA states that only the minimum necessary information may be disclosed, so disclosing too much is a violation too. Some things that constitute a violation are:
- Disclosing PHI without permission
- Access to PHI without authorization
- Failure to dispose of PHI when it’s not needed anymore
- Failure to manage risks and conduct a risk assessment
- Not having safeguards in place to ensure PHI is safe
- No monitoring of access to PHI
- Not giving patients copies of their PHI when they request it
- No access controls
- Not having a HIPAA-compliant agreement with vendors before sharing PHI
- Delaying a notification to patients in case of a breach
- Ignoring the 60-day timeframe from breach discovery to issue a notification
- Mishandling and missending PHI
- Not documenting compliance efforts
The most common way HIPAA compliance violations are uncovered is through internal audits, but employees who have violated HIPAA regulations will often self-report to minimise the impact of the violation.
What happens if you breach HIPAA compliance?
Financial penalties for HIPAA compliance violations are high, and it doesn’t matter if the violation was unintentional or intentional.
Fines can go up to $25,000 per violation category, per calendar year, when issued by state attorneys general, but the Office for Civil Rights (OCR) can issue higher fines, going up to $1.5 million per violation category for each year of violation. There have already been instances of multi-million-dollar fines.
There is a tiered structure that determines the severity and amount of the penalty:
- Tier 1 Violation – With fines from $100 to $50,000 per violation, this tier is reserved for instances when an organisation was unaware of a violation, it could not reasonably have been avoided, and the organisation had taken steps to abide by HIPAA rules.
- Tier 2 Violation – With fines from $1,000 to $50,000 per violation, tier 2 is reserved for instances when an organisation should have been aware of the violation, but it could not have been avoided even with precautions.
- Tier 3 Violation – This tier is for instances where there was “willful neglect” but there was also an attempt to correct the violation, with the fine spanning between $10,000 and $50,000 per violation.
- Tier 4 Violation – For instances of “willful neglect” without any attempt to correct the violation, with a fine starting at $50,000 per violation.
Health and medical organisations are all required to be HIPAA compliant, and fax machines can easily compromise them. Old fax machines are a far cry from being considered safe enough for PHI, even when they are used as fully standalone systems that are not connected to the rest of the network.
Switching away from fax machines
There are major obstacles to overcome before fax machines can be deemed secure enough for sensitive patient information, and organisations shouldn’t keep relying on fax machines only because of the current interoperability issues of eHealth systems.
Because switching to newer solutions takes time, it’s important to ensure PHI remains safe while fax machines are still in use and that all employees are aware of those practices.
Here are a few tips on ensuring your faxing practices are HIPAA compliant.
1) Never leave faxes unattended on fax machines
Whenever you need to send a fax that contains PHI or other personal and private information, you must stay right there until you are finished faxing. Even if you have other quick tasks you can take care of while sending a fax, fax documents or fax machines should never be unattended.
Stay near the fax machine until the fax goes through.
TIP: Take precautions before sending the fax through and ensure that the recipient has their fax machine in a secure location where the documents you are sending won’t be accessible to those who are not authorized to access them.
2) Switch to a HIPAA compliant cloud fax service
Cloud or online faxing services don’t just transfer your faxing to the cloud – they also bring you new features and capabilities that a regular fax machine or three-in-one machines just can’t offer.
Besides, it’s a cost-efficient option as you won’t be needing a fax machine anymore, and with it, you won’t need paper, ink or toner either, not to mention incurring costs of electricity and space.
With a cloud fax service, you can even save on the fixed phone line each month as you don’t necessarily need to have one to send and receive faxes online.
Cloud faxing service providers use technology that supports encryption, whereas a traditional fax machine sends its transmission unencrypted. This adds an additional layer of security to all the data you send via online fax.
And while there are plenty of online fax service providers to choose from, always make sure to choose those that are compliant with all the regulations you have to be. The top online fax app will be HIPAA compliant.
TIP: Your online fax service provider is required by law to sign a business associate agreement (BAA) with you so that both sides know their responsibilities in keeping PHI safe.
3) Use cover pages
Every time you send a fax document containing PHI, HIPAA requires you to use a cover sheet carrying the HIPAA-approved statement.
While there is no official checklist on what information should be included on the cover sheet, the following info will help you stay HIPAA compliant:
- Date and Time when the fax was sent
- Receiver fax number and name
- Sender fax number, name and organisation
- Name of patient
- HIPAA Disclaimer
TIP: If you are switching to an online fax app, double-check whether you are able to attach cover pages as part of your protocol when sending faxes.
4) Keep an audit trail
You must keep track of all the activity on your systems and network with audit logs. Audit controls are a requirement for all Covered Entities and Business Associates, meaning that health and medical organisations, as well as all their vendors, must keep them.
Cloud fax service providers must, therefore, offer a way to keep track of all the faxing activity to ensure compliance. While every cloud faxing platform performs this automatically, the best ones will let you access all document versions to keep track of all changes and activity.
TIP: You must keep the logs for at least six years according to HIPAA. Make sure the logs are stored in raw format for 6-12 months, and after that, you are free to compress them.
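One way to check an inventory of fax audit logs against the retention schedule in the tip above (six-year minimum, raw for the first months, compressible after that). This is an added example, not code from the page or from iFax; the conservative 12-month raw window, the 365-day year and the sample file list are my own assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Figures from the tip: keep audit logs at least six years, raw for 6-12 months,
# free to compress afterwards. Applying the 12-month end of the raw window and a
# 365-day year is an assumption made here, not something the page specifies.
RAW_WINDOW_DAYS = 365
RETENTION_DAYS = 6 * 365


@dataclass
class AuditLog:
    name: str
    created: date
    fmt: str       # "raw" or "compressed"
    present: bool  # False if the file has already been deleted


def check_retention(logs, today: date):
    """Return (log name, problem) pairs for logs that violate the schedule."""
    problems = []
    for log in logs:
        age = (today - log.created).days
        if age < 0:
            problems.append((log.name, "creation date is in the future"))
        elif age < RETENTION_DAYS and not log.present:
            # Deleted before the minimum retention period elapsed.
            problems.append((log.name, f"deleted after {age} days; must be kept {RETENTION_DAYS}"))
        elif age < RAW_WINDOW_DAYS and log.fmt != "raw":
            # Compressed while it should still be held in raw format.
            problems.append((log.name, f"compressed after {age} days; raw for {RAW_WINDOW_DAYS}"))
    return problems


# Constructed sample inventory (hypothetical file names and dates, not real data).
SAMPLE_LOGS = [
    AuditLog("fax-audit-2024-03.log", date(2024, 3, 1), "raw", True),
    AuditLog("fax-audit-2023-05.log.gz", date(2023, 5, 1), "compressed", True),
    AuditLog("fax-audit-2024-01.log.gz", date(2024, 1, 1), "compressed", True),
    AuditLog("fax-audit-2019-05.log", date(2019, 5, 1), "raw", False),
]


def sample_report():
    """Run the check over the constructed inventory as of 1 June 2024."""
    return check_retention(SAMPLE_LOGS, date(2024, 6, 1))


if __name__ == "__main__":
    for name, problem in sample_report():
        print(f"{name}: {problem}")
```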
5) Migrate to the cloud
Most healthcare data breaches happen because PHI was stolen from portable storage devices such as removable drives, or portable devices such as laptops or tablets.
While other regulations typically cover such data breaches, when PHI is stolen this way HIPAA is breached as well, and the organisation becomes liable to fines.
TIP: To avoid data theft from portable devices, ensure that all PHI is encrypted at all times and safely stored in the organisation’s cloud server.
Stay HIPAA compliant with online faxing
Fax machines can’t keep up with the regulatory framework, with HIPAA being just one regulation that is slowly pushing them out of organisational offices.
Regular risk assessment and staff training can reduce instances of compliance breaches, but accepting new technological solutions is an important step too.
The iFax app moves your organisation away from physical fax machines and into a modern solution that lets you keep faxing while ensuring you are HIPAA compliant and connected to the rest of your network.
With availability spanning all major platforms: Windows, macOS, Android and iOS, as well as a web app, iFax comes with more features than a fax machine could ever have. With an integrated document scanner, fax image editing capabilities and automated fax image optimization, it’s the go-to solution for health and medical organisations.
You can fill forms, annotate PDF files and use digital signatures and rest easy knowing your faxes will be encrypted end-to-end.
Try iFax app today to send free online faxes from any device you need to, even when you’re on the go.