HIPAA

Efax - HIPAA

  • 1.  Efax - HIPAA

    Posted 09-23-2020 03:47 PM
    Can someone enlighten me on the HIPAA guidelines for efaxing?  Before electronics, we would have a fax cover sheet and would include legal language for confidentiality purposes.

    Now with faxing being electronic, are we required to include that same language?

    If we are required to and you know the reg. or can point me in the direction of the citation, I would greatly appreciate your help.

    ------------------------------
    Brian Haines
    Corporate Compliance Manager
    ------------------------------
    19th Annual CEI Virtual Conference


  • 2.  RE: Efax - HIPAA

    Posted 09-24-2020 08:47 AM
    HIPAA doesn't address faxing. You would consider things in the regs such as assessing your risk and safeguarding PHI, so to answer your question, yes, I would think it reasonable to follow a similar work flow.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 3.  RE: Efax - HIPAA

    Posted 09-25-2020 09:46 AM
    Greetings:
    With all due respect, the HIPAA Privacy and Security Rules require covered entities and business associates to use a risk-based approach to safeguard PHI that is transmitted and received by "fax". Where we seem to stumble is "fax" technology has changed dramatically since the development and implementation of the Rules. As we know, the Privacy Rule's Administrative Requirements call out for covered entities to develop and implement administrative, technical and physical safeguards to protect PHI in all forms. See 45 CFR 164.530(c)(1).

    The Security Rule requires that covered entities and business associates have appropriate risk-based safeguards to protect electronic PHI.  When the SR was originally implemented, the definition of e-PHI "Electronic Media" excluded "fax" transmissions. The state of technology when the rule was proposed in 1998 and finalized in 2003 was such that the fax transmission started as paper fed into a transmitting machine, transmitted over the analog copper-wire telephone network, and reproduced by the receiver machine as a paper record.  HHS classified these records as substantially the same as paper records which were in scope of the protections provided by the Privacy Rule.

    With the revisions published in the Omnibus Rule changes published in 2010, the definition of Electronic Media (45 CFR 160.103) was modified to protect the carve out for fax transmissions that start as paper and end as paper.  However, data transmitted from an stored as electronic data or transmitted through an electronic device (multi-function printer) via facsimile technology; or, upon receipt processed and stored as electronic media is ePHI.  The net effect is that most "fax" transmissions involve an information system; and the equipment involved in the processing, transmission and maintaining data are within the scope of the current HIPAA Security Rule.

    Bottom Line:  Faxes that start or end as data in an information system must be treated as any other ePHI protected under the Security Rule.  Faxes that start and end as paper are subject to the Safeguards Standards or the Privacy Rule.

    David Holtzman
    Cave Spring High School
    Class of '77

    ------------------------------
    David Holtzman
    Principal
    HITPrivacy, LLC
    Germantown, MD
    ------------------------------



  • 4.  RE: Efax - HIPAA

    Posted 09-25-2020 09:59 AM
    Thank you David, this was very helpful.

    ------------------------------
    Brian Haines
    Corporate Compliance Manager
    ------------------------------



  • 5.  RE: Efax - HIPAA

    Posted 09-25-2020 10:06 AM

    Thank you for explaining that so I could understand it!

    Cinda

     

    ******************************************* This message and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.





  • 6.  RE: Efax - HIPAA

    Posted 09-24-2020 04:28 PM

    Hi Brian, if you browse around on this site for "Email disclaimers" you will find all sorts of conversations on email disclaimers specifically, but the logic I believe transfers to E-fax as well.

    Here is a particularly good thread that covers the topic.

    https://community.corporatecompliance.org/communities/community-home/digestviewer/viewthread?GroupId=121&MID=21384&CommunityKey=203b998d-883b-4b20-8230-39f63565eadb&tab=digestviewer



    ------------------------------
    Cecelia Havens, MBA, CHC
    Project and Compliance Director
    APO
    Springfield, MO
    ------------------------------
