Healthcare Organizations Warned to Interrogate Their Fax Service Provider

Austin, TX – June 1, 2011 – According to SecureCare Technologies, whilst faxing is ubiquitous in the healthcare industry, many businesses are violating the Health Insurance Portability and Accountability Act (HIPAA) because they fail to understand that some fax service providers routinely use email to transport Protected Health Information (PHI). Therefore, although the healthcare company believes it is compliant, its clients’ documents are actually at risk of interception due to shortcomings in the technical nature of email delivery.

Most of these caregivers are negligent simply because they believe that they comply with the latest HIPAA encryption regulations by using a third-party provider to outsource sending, receiving and managing sensitive documents. However, with current penalties for such violations ranging from $25,000 to $1.5 million, healthcare providers would be wise to investigate their fax service in detail. After investigation, should an individual knowingly continue to use a non-HIPAA-compliant fax provider and put clients’ health information at risk, they may face a criminal penalty of up to $50,000 and one year of imprisonment.

Third-party providers of fax services may not declare that they actually employ fax-to-email or email-to-fax technology, but SecureCare Technologies gives four key examples to highlight why this method is negligent, irresponsible and illegal for transferring PHI data:

  • The content of any email can be intercepted multiple times en route to its final destination as it is read and stored by ISPs, servers, firewalls, virus checkers and unscrupulous ‘bots’ that harvest email data. Additionally, IT staff may be able to access emails, perhaps using traffic monitors or packet sniffers (that look for particular content or key words), at any of the points at which an email might be stored or through which it transits.
  • It is not just the email content that is at risk: typically 30% of emails contain attachments, which are also at risk at each and every stage above. Some fax-to-email or email-to-fax providers claim to use protocols that ‘encrypt’ the attachment, but all this does is put a ‘wrapper’ around that document; if the wrapper is decrypted, the unauthorized party has the entire document intact.
  • If an unencrypted email that contains PHI is sent across the internet, a violation of HIPAA may have occurred even if the email was not intercepted. The fact that it was available for review by an ISP or a third party is enough to create exposure to penalties under HIPAA.
  • Fax-to-email or email-to-fax systems make it difficult, if not impossible, to track missing faxes. Often there is no genuine audit trail at all and there are major limitations in tracking document delivery.

Aleks Szymanski, CEO of SecureCare Technologies, said: “Organizations that wish to successfully compete in the healthcare sector must deploy appropriate technologies to protect documents and data, at rest and during transmission. Failure to do so not only risks day-to-day patient confidentiality but can also jeopardize an organization itself through potential fines, reduction in customer confidence and loss of business.”

For over ten years, SecureCare has been committed to ensuring the highest standards of data security and privacy. Sfax is the company’s flagship product, which meets the compliance requirements for the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA). Sfax eliminates manual faxing and replaces costly and troublesome fax servers by removing the laborious process of printing, signing, re-faxing or scanning into an application – all with a complete audit trail. It enables the user to handle more faxes at a lower cost with a smaller workforce while getting the ‘peace of mind’ of a proven secure faxing solution.