In the last 30 years, many countries have introduced legislation to ensure patient record confidentiality. One notable initiative was the Privacy Rule portion of HIPAA (Health Insurance Portability and Accountability Act), enacted in United States in 1996. The security provision of HIPAA demands that healthcare providers take reasonable care to protect the confidentiality of protected healthcare information (also known as PHI).
IT professionals in the healthcare industry have found HIPAA compliance to be an ongoing challenge, as they have to figure out how to securely authenticate, transmit and store confidential medical documents and patient data. In fact, an entire industry has grown up around products and services designed to help organizations meet the HIPAA data protection requirements. This plethora of rules and regulations might lead the public to believe that their medical secrets are safe, but the sheer amount of data makes security a daunting task.
There are well over one billion healthcare visits per year in the US and each healthcare interaction generates data about patients that is used, shared and analyzed. Effective healthcare requires this data to be routinely shared among general practitioners, specialists, clinics, pharmacists, hospitals, health insurers, governmental agencies and others. These one-billion-plus healthcare visits result in an estimated 30 billion healthcare transactions per year. 1 Conservative estimates say half of these transactions are fax-based.2
It was once thought that standalone fax machines would be replaced with email messaging. But email can’t always guarantee to be as secure a form of communication as faxing. For example, an email message and its content might be archived on any number of servers. Email transmission of information also runs into problems with compliance agencies and regulations, such as HIPAA, that require greater security. Unlike emails, a fax cannot be used to carry a virus, phish or harm a company’s network security.
It’s estimated that there are about 125 million fax machines in use in the world today, and close to six million new purchases each year.3 According to a 2012 survey, 85 per cent of U.S. businesses make use of faxing in some form.4
There are three main reasons why faxing is still important to organizations:
To obtain a phone line and a fax machine is still the simplest and least technical way for a healthcare provider to begin communicating with the outside world.
Many companies, especially those in the healthcare, legal and insurance space, are required to transmit medical documents and patient data via fax because of compliance concerns.
Companies are maintaining legacy applications, such as purchasing and billing systems, which are only able to transmit a document via fax.
Because faxing will be around for the foreseeable future, health care providers are looking for ways to securely transmit protected health information (PHI) via fax. Unfortunately, using a traditional fax machine can be a cumbersome process to create HIPAA-compliant faxes.
Faxing is explicitly named in the HIPAA code as an acceptable method to transmit medical records, test results and other healthcare information and instructions.5 Its Privacy Rule allows health care providers to transmit confidential information as long as they use “reasonable safeguards.” While the definition of a “reasonable safeguard” can unfortunately vary, one certainty is that transmitting a HIPAA compliant fax is difficult using a traditional fax machine.
When using a traditional fax machine, providers must be extremely cautious and establish strict faxing protocols to avoid a security breach. Simply keying in one wrong digit on a fax machine could send protected health information (PHI) to an unintended destination. The HIPAA journal reported that seven doctors’ offices in Texas accidentally faxed PHI to the wrong fax number.6 Names, medical histories, medical results and other types of PHI were sent to a local radio station. One of the highest compliance fines assessed were due to HIPAA violations – the New York-Presbyterian Hospital and Columbia University for $4.8 Million.7
HIPAA guidelines suggest confirming unknown fax numbers before sending, though this may be difficult for larger healthcare institutions that have hundreds of individual fax machines in use.
Limits vary by jurisdiction, but a common requirement is to hold patient treatment information, such as medical results, for seven to ten years. The actual time may even be longer. An institution may need to keep records of a minor until the patient reaches the age of majority for the jurisdiction.
These legal retention requirements are challenging for paper-based records such as faxes. Printed patient files can take up considerable space. They may be lost due to theft or disasters (such as fire). Printed ink pages can degrade within the legal archiving time requirement. Additionally, searching for information is time-consuming if done manually. An institution also runs the risk of faxes not being attached to a patient’s record when required to produce proof of information.
Some PHI safeguards for traditional fax machines include:
Confirm the fax number with the intended recipient when faxing PHI to a telephone number that is not regularly used.
Call the recipient to make sure their fax machine is not in a public area and is in a protected location.
If you know you will be receiving PHI via fax, ask the person faxing you to give you advanced notice so that you will be around to immediately remove the pages from the fax machine.
Pre-program frequently used numbers directly into the fax machine to avoid misdialing.
When faxing PHI, don’t leave the fax machine until the transmission is complete.
Use printed cover sheet pages with the approved HIPAA statement for all PHI faxes.
Include a confidentiality statement on fax cover pages when the fax includes PHI.
Keep an accurate audit trail of every fax involving PHI to avoid fines for non-compliance.
Working with traditional fax machines to produce HIPAA compliant faxes adds a burden to an already heavy workload for frontline staff. Because of this, many health care providers are turning to web-based electronic faxing – using faxing software and network fax servers – to better ensure HIPAA compliant faxing.
Network faxing is designed to work with existing systems and use an organization’s existing network. It needs no dedicated phone line or fax machine. It needs no paper, no ink and no human monitoring. Network faxing enables staff to fax from Electronic Healthcare Record (EHR) applications, Project Management (PM) software, their desktop, from office applications by email, a Customer Relationship Management (CRM) platform and many other applications.
Network faxing eliminates many of the issues that traditional fax machines have in creating HIPAA compliant faxes:
Faxes are received electronically, eliminating the problem of faxes on the fax machine for anyone to read.
The process of manual phone dialing is removed, so sending a fax with sensitive information to the wrong fax number is greatly reduced.
Cover sheets with the approved HIPAA statement for all PHI faxes can be automatically programmed into an electronic fax.
No longer do faxes have to be scanned before being entered in an EHR application.
Staff efficiency is increased, since no one has to wait to scan and monitor the faxing process.
Medical practices that use network faxing are reporting efficiency savings of up to 80 percent.8
Network faxing software can catalog, index and archive faxes automatically.
The risk of losing or misfiling a fax is exponentially reduced.
Network faxing, along with electronic archiving, enables easier tracking and retrieval of past faxes – creating an accurate audit trail of every fax involving PHI.
Medical providers can search their archive database to know who received communications and when.
Faxes are stored more securely.
Some network faxing software can even monitor all types of communications and even block any information from being sent if this is against regulations or hospital policies.
GFI FaxMaker is a network fax server software that enables email to fax and fax to email for Exchange and other SMTP servers in a secure, encrypted environment.
Faxing protocols make it nearly impossible to intercept a fax in mid-transmission – making it more secure than email. Electronic faxing with GFI FaxMaker makes it easy to access this more secure protocol.
An organization can install the GFI FaxMaker fax service as a physical, on-premise service with a standard fax modem; as a virtual Fax over IP (FoIP) through a gateway or VoIP phone system, or through Hybrid faxing with no equipment but integrated with a cloud-based faxing system.
GFI FaxMaker is not only popular in the healthcare industry because it acts as a HIPAA compliant fax service, but also because of its ease of use:
Users can sign in to the GFI FaxMaker web client, fill in fax content on-screen, add attachments and simply click send.
GFI FaxMaker allows users to fax directly through an email application. Simply start to compose an email and in the “To:” box enter a fax number with “@faxmaker.com” at the end. Fill out the subject line, add body content and attachments and send.
Incoming faxes pass through an OCR (optical character recognition) module that makes it possible to search in the fax body. This feature is useful when older faxes have to be retrieved.
It provides features such as API, SMS alerts and digital signatures.
A companion to GFI FaxMaker is GFI Archiver. Healthcare facilities have to employ fast, safe and efficient storage software for faxes and other PHI records. Archiving can all be done with GFI Archiver. The system allows for intelligent reporting, and it is already configured to run reports that comply with HIPAA and other record confidentiality mandates.
GFI FaxMaker trial
Try GFI FaxMaker fax service free for 30 days with access to all GFI FaxMaker features and customer support.
Faxing efficiency through automation
See why in many countries, faxing is still the only way of sending compliant documents electronically.
Faxing in the healthcare industry
Watch this quick video to find out more about faxing in the healthcare industry.
Integrated network faxing key to improved productivity and information security
Download this white paper and discover how network faxing reduces labor costs and increases information security.
Integrated network faxing key to improved productivity and information security. GFI white paper. 2011.
Survey: 85% of US Businesses Rely on Fax Technology. David Kelleher blog - November 8, 2012.
Does the HIPAA Privacy Rule permit …. hhs.gov Q&A - November 3, 2003.
Faxing Error Sees PHI Sent to Local Media Outlet. HIPAA Journal - Feb 16, 2017.
New York-Presbyterian, Columbia to pay largest HIPAA settlement: $4.8 million. Modern Healthcare article - May 07, 2014.