Fax vs HIPAA: Devil’s in the details

Faxes may seem safe, but is your system HIPAA-compliant?

It’s difficult to overstate the health care industry’s reliance on fax. Nearly all physician practices have an EHR system, but nearly 90 percent of health care offices still use fax to transmit about 75 percent of their documents, according to the Medical Group Management Association.

For most communication – such as sending a referral for a patient to see a specialist or a prescription form to a pharmacy – fax remains the industry favorite.

The Health Insurance Portability and Accountability Act (HIPAA) was created to keep people safe in the digital age by securing their information while in transit and at rest in storage. Traditional fax transmission technology over copper wires handled this important function admirably.

Today, most health care companies are phasing out these traditional fax technologies and moving to IP fax solutions for a variety of reasons: cost, flexibility, scalability, etc. This transition is inevitable for most; however, not all IP fax solutions are optimized for HIPAA.

A mistake in fax communication could have dire consequences. For instance, 80% of serious medical errors involve miscommunication between caregivers during the transfer of patient health information, according to The Joint Commission. That includes miscommunications due to missed or delayed faxes containing patient referrals, records, prescriptions or other sensitive data.

To ensure the individual’s information is secure and protected, check that your IP fax solution has real-time data transfer, page-by-page confirmation, data encryption, and scalability.

The underlying data transfer technology most effective in complying with HIPAA is called T.38, an Institute of Electrical and Electronics Engineers standards-based protocol. Existing fax technologies making use of traditional copper wire transmission can be easily, seamlessly, and cost-effectively transformed into T.38-based technologies. Whether these are standalone technologies or technologies that integrate with existing business and communications solutions – including EHRs – they continue to communicate successfully with those on the remote end and further improve, with a T.38 transformation, by reducing costs, providing scalability and strengthening security.

When deciding on a fax solution, choose T.38-based solutions to ensure you get the following capabilities:

Real-Time Delivery

Health care organizations can’t afford to have communications fail, become delayed, or get buried in an inbox. Achieving HIPAA compliance is far easier with real-time vs. “store-and-forward” faxing. Real-time sends faxes immediately (in real time), while store-and-forward stores data in an intermediary station before forwarding it to the recipient. Real-time delivery prevents messages from being compromised, hacked, or dropped along the way. Data goes directly from sending server to receiving server.

HIPAA recognizes the security difference between real-time and store-and-forward faxing and requires that health care providers and their fax service providers assume liability if they use store-and-forward fax systems. Both parties must sign a legal agreement called a Business Associate Agreement since there is a higher risk of privacy and compliance breaches when using store-and-forward faxing. This makes it more complicated to get your IP fax solution up and running, and can cause substantial delays to your IP fax transition project.

To avoid this, health care providers can simply choose to use real-time faxing. Real-time fax transfer meets HIPAA guidelines for data transmission under the “conduit exception,” which eliminates the need to sign a BAA with the service provider.

Instant Confirmation

Verifying receipt is critical. Real-time IP fax provides immediate, page-by-page confirmation of arrival. It transmits data directly from sending server to receiving server through a “digital handshake,” without relying on any device in the middle to store and forward the information. That makes T.38 IP fax ideal for health care offices that need comprehensive, end-to-end security when faxing sensitive, private documents. The page-by-page confirmation received is true and accurate.

Encryption

Encryption builds another layer of security into faxing and is useful in complying with HIPAA, which requires that doctors have safeguards in place to protect sensitive information, such as medical records and personal health information. It’s important to note that not all encryption is equal. Many fax providers encrypt just the signaling, or encrypt the media and signaling through methods that add significant cost and/or compromise delivery success rates. Make sure your provider encrypts both the signaling and media.
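One way to check this on a test call, assuming the T.38 session is negotiated with SIP and SDP (an added example, not part of the original article or any vendor's code; the messages are constructed samples and `sample_invite` and `audit_t38_offer` are hypothetical helpers). The top Via transport shows whether signaling on this hop uses TLS, and the `m=image` line shows whether T.38 media is offered over DTLS (`UDP/TLS/UDPTL`, RFC 7345) rather than plain `udptl`.

```python
import re

def sample_invite(via_transport, media_proto, dtls_attrs=""):
    """Build a constructed SIP INVITE carrying a T.38 SDP offer (sample data)."""
    return (
        "INVITE sip:fax@clinic.example SIP/2.0\r\n"
        f"Via: SIP/2.0/{via_transport} gw.example;branch=z9hG4bK-demo\r\n"
        "Content-Type: application/sdp\r\n"
        "\r\n"
        "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
        "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
        f"m=image 4000 {media_proto} t38\r\n"
        "a=T38FaxVersion:0\r\n" + dtls_attrs
    )

# Constructed DTLS attributes; the fingerprint value is a dummy, not a real certificate hash.
DTLS_ATTRS = "a=setup:actpass\r\na=fingerprint:sha-256 " + ":".join(["AB"] * 32) + "\r\n"

ENCRYPTED_SIGNALING = {"TLS", "WSS"}   # SIP Via transports that run over TLS
ENCRYPTED_T38_PROTO = "UDP/TLS/UDPTL"  # T.38 over DTLS, as defined in RFC 7345

def audit_t38_offer(message):
    """Report whether signaling and T.38 media are each encrypted in one SIP message."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    # The top Via header only describes the hop this message was captured on.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/([\w-]+)", head, re.M | re.I)
    media = re.search(r"^m=image\s+\d+\s+(\S+)\s+t38\s*$", sdp, re.M | re.I)
    if via is None or media is None:
        raise ValueError("not a SIP message with a T.38 media offer")
    transport, proto = via.group(1).upper(), media.group(1).upper()
    # DTLS media also needs a certificate fingerprint to authenticate the handshake.
    has_fingerprint = re.search(r"^a=fingerprint:\S+\s+\S+", sdp, re.M) is not None
    signaling_ok = transport in ENCRYPTED_SIGNALING
    media_ok = proto == ENCRYPTED_T38_PROTO and has_fingerprint
    return {"signaling": transport, "signaling_encrypted": signaling_ok,
            "media": proto, "media_encrypted": media_ok,
            "both_encrypted": signaling_ok and media_ok}

if __name__ == "__main__":
    cases = {"plain": sample_invite("UDP", "udptl"),
             "signaling only": sample_invite("TLS", "udptl"),
             "signaling + media": sample_invite("TLS", "UDP/TLS/UDPTL", DTLS_ATTRS)}
    for name, msg in cases.items():
        print(name, audit_t38_offer(msg))
```

The "signaling only" case is the one the paragraph above warns about: the call setup is protected, but the fax pages themselves travel in the clear.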

Scaling for Growth

With a service provider using T.38 IP fax, scaling an existing system to support a new office or dozens of additional facilities around the globe is relatively straightforward. Adding new line capacity will be the lowest cost factor in the entire expansion initiative – and without any downtime or business disruption.

Correctly evaluating IP fax solutions is crucial to properly handling Protected Health Information and maintaining HIPAA compliance. Caregivers are going to continue relying on fax for communication so it’s important to choose the most secure and reliable IP fax solution.

Elinor Johansen is the SVP, CMO, and head of U.S. Sales at Cloudli. She helps businesses discover their potential with Cloudli’s future-focused solutions and brings over a decade of experience in telecommunications and SaaS evangelization, including marketing leadership roles with Intrado Enterprise Collaboration and Life and Safety, Cogeco Connexion, and viiz communications.