Faxing: How to Stay HIPAA Compliant When Working Remotely

The following is a guest article by Doug Clayton from WestFax.

There are thousands of articles on the internet about how to best work remotely from home. What has not been covered is faxing from home, especially when it involves faxing medical records or Protected Health Information (PHI).

Utilizing a HIPAA Compliant cloud fax service
Let’s go over what makes a fax service HIPAA compliant. There are several key factors to consider. The first and foremost is security. Below are some of the questions that should be asked to understand how secure the fax service is. Do they utilize a secure data center? Are faxes encrypted in transit and at rest? Do they utilize TLS 1.2+ for web communications? Do they provide details on their security and the methods they use to ensure security? Are they willing to sign a Business Associate Agreement (BAA)? What is their data retention policy? Is data retention configurable for your HIPAA requirements? Do they provide confirmation that a fax has been sent or received? These are all critical questions to ask of any cloud fax provider that claims to be HIPAA compliant. The provider should be able to satisfy all of these requirements; otherwise, you should move on to another service provider.

Cover pages
The same rules for working in the office apply to working from home. All faxes that contain PHI must have HIPAA-approved cover pages. Be sure to prepend one to every outbound fax that contains PHI. Do not use the standard fax cover pages that come with MS Word. HIPAA-compliant cover pages have specific requirements.

One fax line may not suffice
If your office fax machine was used to send PHI as well as routine company documents, then extra care must be taken when moving to online fax. One of the main benefits of a cloud fax system is having access to sent and received faxes from anywhere. While this is an obvious benefit for remote workers, there is a downside: staff who may not have clearance to see certain PHI might unintentionally view faxes they are not authorized to see. Therefore, it is better to add a second fax number and allocate that line for non-HIPAA faxes, instead of using one line to fax both HIPAA and non-HIPAA materials. Most cloud fax providers charge a small fee (usually less than $5) for an additional line, but that fee is much cheaper than what one would incur with a HIPAA violation.

Printing and storage of fax documents
If your job requires having physical documents at home, via fax or otherwise, make sure that those records are secure at all times. 

Remote workers should have a locking filing cabinet or case to store PHI if they must maintain actual hard copy documents. When using a shared or family printer for printing, make sure to retrieve the print-outs immediately, and do not allow them to get mixed in with your kids' homework or any other print jobs.

If your printer has an internal memory or some capability to reprint from memory, be sure to clear that memory frequently. HHS levied a record $1.2 million fine over a copier that retained documents in its hard drive memory.

Receiving Faxes
It is very common with cloud fax to download faxes as .pdf documents. Saving these .pdf files to the hard drive requires precautions to ensure the files are secure.

Some web browsers will save the files in a download folder or a temporary location when downloading files from a fax web portal. You should open the downloads folder and move the files to a secure location immediately. Refrain from simply using CTRL-C to copy the files from downloads to your work folder. Move the files from the download folder to your work folder or directory so there are no duplicates floating around. You can also configure your browser to ask you where you want to save files before downloading them.

Also, clear your browser cache occasionally to remove downloaded temporary files.
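The move-and-check routine described in this section can be scripted. The following is an added example, not part of the original article or any WestFax tooling: it moves downloaded PDFs into an owner-only folder and then looks for stray copies by content hash. The folder names are hypothetical and the permission calls assume a POSIX system.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def sha256(path):
    """Content digest, so copies are found even when renamed."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def secure_move(downloads, secure_dir):
    """Move every PDF out of `downloads` into an owner-only folder.
    Returns {destination path: digest} for the files moved."""
    secure_dir = Path(secure_dir)
    secure_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(secure_dir, 0o700)          # POSIX: owner-only directory
    moved = {}
    for src in sorted(Path(downloads).glob("*.pdf")):
        digest = sha256(src)
        dest = secure_dir / src.name
        if dest.exists():                # never overwrite an earlier fax
            dest = secure_dir / f"{src.stem}-{digest[:8]}{src.suffix}"
        shutil.move(str(src), str(dest)) # move, not copy: no duplicate left behind
        os.chmod(dest, 0o600)            # POSIX: owner read/write only
        moved[dest.resolve()] = digest
    return moved

def leftover_copies(moved, search_roots):
    """List files under `search_roots` whose content matches a moved fax."""
    digests = set(moved.values())
    hits = []
    for root in search_roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.resolve() not in moved and sha256(p) in digests:
                hits.append(p)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample data in a throwaway directory, not real faxes.
    base = Path(tempfile.mkdtemp())
    downloads, desktop = base / "Downloads", base / "Desktop"
    downloads.mkdir(); desktop.mkdir()
    (downloads / "fax-0001.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (desktop / "fax-0001 (1).pdf").write_bytes(b"%PDF-1.4 constructed sample")
    moved = secure_move(downloads, base / "PHI-faxes")
    print("moved:", [p.name for p in moved])
    print("stray copies:", [str(p) for p in leftover_copies(moved, [downloads, desktop])])
    shutil.rmtree(base)
```

Anything `leftover_copies` reports is a duplicate that still needs to be moved or deleted by hand.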

Sending Faxes
You can send a fax in several different ways, depending on the fax service provider. One common option is to use Print to Fax drivers. This is essentially a virtual printer that connects to your fax service. You simply print as usual, but you need to select the “fax print” driver instead of your printer; you will then follow the prompts to send the fax.

Online web-based fax portals are adequate as well. However, you must ensure that the portal employs HTTPS and that you are not on an open or public Wi-Fi network.

Some cloud providers offer “Email to Fax” service. If sending a fax via email is an option, please consult with your IT staff to ensure that your email server is securely connected to the email server of the fax service provider. When in doubt, ask the IT staff. If you are not sure, refrain from sending a fax via email.

Recycling bins
Almost all modern operating systems keep files in the recycling bin before deleting them permanently.

Depending on the computer, the files may stay around for weeks, months, or even years before being purged. Therefore, you should empty the recycling bin on the computer at the end of your work day or configure your machine to delete files right away instead of sending them to the recycling bin.

If you have hard copy paper documents that need to be destroyed, a HIPAA compliant shredder should suffice; shredded paper can then be recycled appropriately. Note that HHS has published guidelines on how to properly dispose of PHI. 

In summary, handling faxes at home is no different than faxing at the office. The main difference is that you are not in an office with a level of built-in security. Family members, roommates, and others might be sharing your space, and you must diligently handle PHI in a secure and safe manner to avoid unintentional disclosure and potential HIPAA violations.

Faxing from home is convenient and faster than using the conventional fax machines at the office. At WestFax we have seen an increase in people signing up for HIPAA-secure fax services in recent weeks and found that many users are happy with the ease and simplicity compared to the hardware-based machines they used previously.

An unintended benefit of the COVID-19 pandemic might be that many organizations that handle health-related information will move forward with upgrading their IT infrastructures to be more capable, flexible, and resilient.

About Doug Clayton

Doug works as a Senior Analyst for WestFax, Inc, a Colorado-based cloud fax provider specializing in HIPAA secure fax. Doug started his long career helping the DoD convert legacy logistics software from mainframes to modern stacks. He also worked on currency conversion systems at the World Bank in Washington DC and consulted for many leading non-profits based in the DC area. At WestFax he wears many hats, ranging from devops, sales, and engineering to developer relations. You can find Doug on LinkedIn.

WestFax is a proud sponsor of Healthcare Scene