Faxes and the security rule

March 4, 2005

Q: Are faxes containing protected health information regulated by the HIPAA security rule?

A: No. Regular paper faxes aren't considered protected health information under the rule, which only covers information in electronic form. But when someone requests information from a computer, through either a voice or telephone keypad command, and the response is returned as a fax, the communication is covered under the security rule. This isn't because "faxbacks," as they are known, have computers in them but because they are used as input and output devices for computers.

According to the government, "employment of telephone voice response and/or faxback systems will generally require security protection by only one of the parties involved, but not the other." The party that must protect the information is the one responding to the request, since the information she is returning is "already in electronic form and stored in a computer."