HIPAA compliance policy

In the healthcare industry, the use of fax machines remains prevalent despite advancements in technology. It is considered a trustworthy way of exchanging confidential information between medical providers.

According to Bloomberg Law, 70% of healthcare institutions still rely on fax. Because large health platforms use proprietary data formats with no common standard, providers find it difficult to share information directly, which makes fax a critical intermediary.

Fax is still evolving:

As communications become more internet-centric, healthcare organizations are looking for modern solutions that meet applicable regulations (as discussed below) and user needs.

The shift away from the traditional Public Switched Telephone Network (PSTN), coupled with advancements in fax technology, has helped force this issue.

How HIPAA Regulates Faxing:

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (the “Privacy Rule”) is the national standard for protecting a patient's medical records—including when transmitted via fax.

The Privacy Rule permits certain uses and disclosures of protected health information but only if the disclosing party has (1) applied reasonable safeguards and (2) implemented the minimum necessary standard, where applicable.

  • A covered entity must have in place appropriate administrative, technical and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures.

Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business.

  • Covered entities also must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed and requested for certain purposes.

These minimum necessary policies and procedures also reasonably must limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business.

Since faxing is still the primary vehicle for transferring protected health information between providers, it is imperative that providers follow HIPAA regulations and implement reasonable safeguards.

How Real-Time Faxing Achieves HIPAA-Compliance:

There are two competing offerings in modern Fax-over-IP (FoIP):

  • "real-time" or
  • "store-and-forward."

The difference is that real-time faxing never saves the transmitted information, even temporarily, at any point along the path. T.38 FoIP is a form of real-time FoIP suitable for providers.

It can be combined with encryption for secure, real-time transmissions that include confirmation of error-free transmission.

As discussed above, healthcare fax solutions must maintain reasonable safeguards in order to ensure that providers remain HIPAA-compliant when sending medical information via fax, including:

  1. Using only secure, real-time transmissions;
  2. Automatically encrypting faxes sent over the internet; and
  3. Delivering confirmation of error-free transmission.

Because real-time faxing using T.38 FoIP does not require the storage of protected patient data prior to transmission, there are fewer opportunities for data to be accessed or used in contravention of privacy laws.

Faxes sent over T.38 SIP trunks can have encrypted signaling and media, with no data stored on either end. With nothing stored, there is no copy at rest for an attacker to alter or read, which removes that avenue for compromising the privacy of the content.

Additionally, to ensure the accurate transmission of all pages, leading fax providers leverage T.38 error correction. This increases the overall success rate of the delivery of information without retransmitting multiple pages.

Finally, real-time FoIP can provide confirmation of error-free transmission so both parties have evidence that no information was lost during transit.

Real-time fax using T.38 FoIP is the gold standard of HIPAA-compliant faxing. By design, it provides greater security around patient data in contrast to email and other online transactions.

Using a fax provider with T.38 error correction can also solve other healthcare communications issues, as University Gastroenterology saw after switching to Telnyx.