
Are Physical Fax Machines Putting HIPAA Compliance at Risk?

Author: documo
December 19, 2024

The Hidden Risk of Faxing Sensitive Documents


Imagine incorrectly faxed information revealing a critical patient condition to the wrong party.

That’s exactly what happened at this New York hospital: https://www.hipaajournal.com/new-york-hospital-sued-for-disclosing-patients-hiv-status-to-employer-8964/

Fax is a useful and necessary tool for today’s healthcare offices, but faxing can be a ticking time bomb of HIPAA risk.

All it takes is for one employee to enter one wrong fax number and send a fax to the wrong person or for you to accidentally leave a document on the fax tray and…

Without even realizing it, your office is now in violation of HIPAA.

HIPAA breaches are taken very seriously, and the results are disastrous. Fines are extremely costly and you and your team can lose your licensing.


Do Any of the Items Below Apply to You?

  • You or your team has sent a fax to the wrong number.

  • You have left faxes on the machine after they have been sent or received, thus exposing the information to anyone who reads it.

  • You have no audit trail of faxes being sent and the users that have sent them.

  • You and your team routinely send faxes without a confidentiality notice.

  • You haven’t validated the security of the phone line you are using to send faxes–leaving each transmission open to being stolen.

These errors can lead to unauthorized access to all the sensitive documents, posing significant risks to data security and compliance.

Sending information via fax might seem like a simple thing to do, but how do you know that you are not breaking the law?

What are HIPAA breaches?

The Enforcement Rule of 2006 outlines the cost for each violation. Suffice it to say you are looking at a minimum of $25,000 per violation with most fines topping $200,000.

So what are HIPAA violations and how do they occur?

  • A HIPAA violation is when an entity (like you or your clearinghouse, your team members, or anyone else who is authorized to handle PHI) fails to uphold any of the requirements outlined in the HIPAA Rules.

  • It does not matter if it was accidental or intentional; you are on the hook either way. Accidental breaches might happen if too much personal information is disclosed when only a little bit would do. Intentional violations are when you or your team knowingly disclose or provide information to anyone except the intended recipient.

That means that you are responsible for everything that your team says and does, and for any omissions, such as failing to guard information.


Data Security Concerns with Modern Fax Machines

Modern fax machines have become indispensable tools for transmitting sensitive documents securely. However, with technological advancements, data security concerns have also escalated. Many modern fax machines come equipped with memory storage, capable of storing incoming and outgoing documents, including sensitive data such as medical records and financial information. If this data is not stored securely, it can be accessed by unauthorized personnel, posing significant risks to both individuals and organizations.

One of the primary concerns with modern fax machines is the storage of sensitive documents in their internal memory. Many fax machines have limited storage capacity, which can lead to data being stored for extended periods. This becomes particularly problematic if the fax machine is not regularly cleared or if the data is not encrypted. Moreover, if the fax machine is not properly configured, sensitive data can be accessed by unauthorized personnel, either intentionally or unintentionally.

Another critical issue is the transmission of sensitive data over a phone line. While many modern fax machines use secure transmission protocols, such as TLS or SFTP, there is still a risk of interception or eavesdropping. This risk is heightened if the fax machine is not configured to use secure transmission protocols or if the phone line itself is not secure.

To mitigate these risks, it is essential to implement best practices for secure faxing and data security. This includes regularly clearing the internal memory, encrypting sensitive data, and configuring the fax machine to use secure transmission protocols. Additionally, access to the fax machine and the sensitive data it stores should be restricted to only authorized personnel. By taking these steps, you can significantly reduce the risk of data breaches and ensure that all sensitive documents are stored securely.

The threat of local device breaches to data security

Year after year, the number one cause of HIPAA data breaches is a lack of security.

Most healthcare companies do not realize that physical fax machines store unencrypted fax data–retrievable by anyone with physical access.

A golden rule applies:

Above all, remember that it is absolutely a terrible idea to store information locally on any device within your office.


Instead, you should rely on storing health data in secure, off-site HIPAA compliant data centers, because these centers should limit who can retrieve the health information you store there.

An 80% Solution for Physical Fax Machine Users

If you are set on sticking with physical fax machines, then there are some practical things you can implement to dramatically improve your HIPAA compliance.

Note that these are not exhaustive and there is never a 100% way to automatically comply–you must always be careful when relying on physical machines.

Steps to ensure compliance:

  1. Never let the fax machine in your office hold even one fax – There should be zero chances for someone to walk by and see what is in the tray unless they are the stated and recorded recipient of the information.

  2. Make sure to place your machine in a place that is secure and closely monitored – It is too easy for someone to snag a piece of paper and run off with it without anyone knowing. It’s best if you keep a log of people entering and exiting the fax machine room.

  3. Always use cover pages that block and obscure the PHI on the enclosed pages – This is a HIPAA requirement, and if you do not do it, you are in severe violation and can be subject to fines.

  4. There needs to be an approved confidentiality statement included in your cover letter too – This is a HIPAA requirement, and you have to have it clearly marked and visible on each and every fax you send.

A 100% Solution Using the Cloud

Cloud-based faxing applications like Documo offer an attractive alternative to physical fax machines.

Not only does Documo provide quicker workflow and more reliability than physical fax, but it also fills many of the HIPAA holes created by physical fax:

  1. Cloud fax provides complete audit trails of faxes being sent and received – Eliminating the need for physical storage of fax logs

  2. Cloud fax provides individual user accounts and access to prevent unauthorized users from viewing faxes

  3. Cloud fax stores fax data in secure servers in the cloud and relies on Tier-1 telecom to transmit the faxes instead of your local phone line

  4. Cloud fax has workflow features that allow you to automatically add cover pages and HIPAA statements to each document being faxed

  5. Cloud fax contains contact records and is easy to error-check prior to sending faxes–reducing the odds of sending to an incorrect number

It’s your choice but realize the stakes

The last thing you want is a violation caused by something that is easily and quickly corrected.

Faxing documents to the wrong number and having a fax machine in a place where anyone can look at the information coming through are both easy to prevent.

We know that old habits die hard. It might seem like an impossible goal to redesign your information workflow and eliminate your reliance on fax machines.

Instead of trying to reinvent the wheel, finding ways to make your faxes safer will help prevent violations from happening in the first place.

To get started, email one of our experts at Documo or call us about switching to the security of a cloud-based faxing solution.
