https://prabadinews.com/
HIPAA-Compliant Faxing: Secure Healthcare Communication

A TechRadar article in January listed five pieces of technology that, despite being obsolete, refuse to die. To no one’s (or possibly a few people’s) surprise, fax machines are on the list. In the U.S., some industries still maintain this relatively old-fashioned equipment for taking or making calls and, more notably, sending or receiving documents.

Despite the Health Insurance Portability and Accountability Act (HIPAA) being in effect, fax machines remain a staple of the healthcare office. Experts believe this is primarily due to the industry’s risk-averse nature. Apart from requiring money and time, transitioning to HIPAA-compliant systems may also involve some interruptions in delivering patient care.

Fortunately, HIPAA hasn’t deemed faxing non-compliant (at least, not explicitly). This allowed the technology to evolve to incorporate modern security features, making online faxing HIPAA-compliant to a degree. Here’s a look at how online fax services can be secure and still meet the communication needs of organizations and medical professionals everywhere.

End-to-End Encryption

Whether to an individual or a different department or institution, HIPAA mandates a secure network for exchanging protected health information (PHI). The Act ensures an individual’s right to keep their information confidential and protected from unauthorized access.

Traditional fax machines use phone lines or separate fax lines to send and receive data, which makes them resistant to common threats like malware. However, neither the data nor the network is encrypted, because encryption wasn’t needed or didn’t exist when these machines were designed. As such, perpetrators can intercept data in transit using techniques like wiretapping.

The result is that the recipient still gets their document, unaware that the perpetrator also has a copy. Cybersecurity experts state that stolen patient information is often sold on the dark web for up to USD$1,000. Sometimes, cybercriminals use the records themselves to assume the victims’ identities and purchase medical products at the latter’s expense.

To satisfy security demands, HIPAA-compliant faxing solutions come with encryption, specifically the Advanced Encryption Standard (AES). The strongest variant is AES with 256-bit keys, which turns the document into unreadable ciphertext. Even if an attacker manages to seize the data, they can’t make sense of it without the correct decryption key.

While HIPAA doesn’t mandate encryption, it classifies the measure as “addressable.” This means it’s neither strictly required nor optional: a covered entity must implement it if it is reasonable and appropriate, and otherwise document why it isn’t and put an equivalent alternative safeguard in place. In practice, “addressable” is treated as “required” in most situations.

Business Associate Agreement

An organization that must comply with HIPAA is classified as a “covered entity.” According to the Office for Civil Rights (OCR), a sub-agency of the Department of Health and Human Services (HHS), covered entities comprise the following:

Healthcare Provider: This category consists of doctors, dentists, clinics, and medical professionals or facilities that regularly send patient information in electronic format.

Health Plan: This category consists of health insurance carriers, HMOs, corporate health plans, and government-supported programs such as Medicare and Medicaid.

Health Clearinghouse: This category refers to any organization assigned intermediary tasks such as processing billing or claims and providing digital health solutions.

Despite their differences, all three share a need to access patient information. When a healthcare provider works with an HMO or third-party service to help with specific tasks, the latter is considered a “business associate” under HIPAA.

Therefore, HIPAA compliance requires that a covered entity and a business associate enter into a business associate agreement (BAA). Under such an agreement, both parties have clearly defined responsibilities, from permitted PHI use and disclosure to the reporting of potentially compromised patient data.

HIPAA-compliant fax services frequently render their services to healthcare organizations. As such, it’s reasonable for some to provide a BAA upon request as proof that they’ll handle sensitive health information in good faith. A breach of a BAA constitutes a HIPAA violation, which can carry penalties running into millions of dollars.

EHR Interoperability

Online faxing can be defined as the practice of “faxing without a fax machine.” Whether or not it can still be called faxing at that point is up for debate, but there’s no doubt that a vast range of devices can perform everything a traditional office/hospital fax machine does.

This evolution of faxing provides a solution to a key tenet of healthcare IT: interoperability. Before online faxing, information sharing was hard because most healthcare systems kept precious data in silos or limited it to local access. It didn’t help that departments had to go through their storage to retrieve a patient’s paper-based records, which can be misplaced.

All this changed in 2009 when then-President Barack Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act into law. It encouraged the use of electronic health records (EHRs) in place of paper ones through cash incentives.

EHRs fit HIPAA’s agenda of promoting interoperability among healthcare systems for many reasons. One of these is convenient file sharing, enabling users to send, receive, and open medical records on devices like desktop PCs and tablets. Medical professionals on duty no longer have to wait long hours to get a patient’s complete health profile.

Adopting a digital faxing solution capable of this level of interoperability is a step toward HIPAA compliance. The benefits to healthcare systems and their patients are extensive, from delivering the right care to extending care to families who have lost loved ones.

Administrative Access

Security breaches are often a two-way street. Perpetrators may use sophisticated tactics to force themselves into a system. But they also frequently rely on someone from the inside, whether a mole or unknowing victim, to help them. In the end, humans remain the weakest link in a healthcare organization’s security (or any organization for that matter).

Mitigating such a risk involves giving staff different levels of access based on their role, a practice known as role-based access control. For example, billing staff should be limited to records that show billing and claims data, while only doctors should be eligible to edit record data.

Today’s online fax services differ from traditional fax machines in terms of capability. Document management is a common feature in HIPAA-compliant Internet fax services, allowing users to track EHR access and movement history. Organizations can identify the last user to open a file, the date and time it was last accessed, and even details on the file’s recipient.
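As an added example (not code from the article or from any fax vendor), the following Python sketch combines the role-based access control described above with the document access history of the paragraph just before it: every read, edit or fax attempt on a record is checked against a role policy and written to an audit log, whether it was allowed or not. The role names, record sections and sample record are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> {record section: allowed actions}. Mirrors the article's rule of thumb:
# billing staff see only billing/claims data, doctors may read and edit clinical
# data and fax it onward. Anything not listed is denied by default.
POLICY = {
    "doctor": {"clinical": {"read", "edit", "fax"}, "billing": {"read"}},
    "billing": {"billing": {"read"}},
    "front_desk": {"demographics": {"read"}},
}


@dataclass
class FaxRecord:
    record_id: str
    sections: dict                         # section name -> content (constructed sample)
    audit_log: list = field(default_factory=list)


def can(role, section, action):
    """True if the role policy permits this action on this section (deny by default)."""
    return action in POLICY.get(role, {}).get(section, set())


def access(record, user, role, section, action, recipient=None, now=None):
    """Enforce the policy and log the attempt; denied attempts are logged too."""
    allowed = can(role, section, action)
    record.audit_log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user, "role": role, "section": section, "action": action,
        "recipient": recipient, "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{role} may not {action} {section} on {record.record_id}")
    return record.sections[section]


def last_access(record):
    """Who last successfully opened or sent the record, when, and to whom."""
    for entry in reversed(record.audit_log):
        if entry["allowed"]:
            return entry
    return None


def denied_attempts(record):
    """Audit entries worth reviewing: every attempt the policy refused."""
    return [e for e in record.audit_log if not e["allowed"]]
```

Reviewing `denied_attempts` regularly is what turns the log from a record of the last reader into a detection signal for staff probing sections outside their role.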

Conclusion

Faxing isn’t about to conflict with HIPAA anytime soon, though traditional fax machines are on their way out. Online fax systems outperform their traditional counterparts in almost every aspect, starting with patient data security. Healthcare organizations seeking to retain their HIPAA compliance would benefit from investing in online fax services.