Mobile Fax Apps and HIPAA Compliance

The following is a guest article by Doug Clayton from WestFax.

When smartphones first appeared on the scene in the mid 2000s, IT administrators struggled with a new challenge: an entire category of new devices capable of storing confidential information began to proliferate. Although the general problem of mobile security can be managed effectively by observing some basic security practices, organizations that deal with PHI need to take extra care in safeguarding patient information protected by HIPAA.

Fax represents a large amount of data that is shared between hospitals, doctors, insurance companies, and other healthcare organizations. As we know, digital cloud fax is highly secure, flexible, and easy to use. For organizations that are sending and receiving Protected Health Information (PHI) and other confidential data, however, special precautions need to be taken, especially with regard to the use of mobile devices.

Accessing faxes from a mobile device conforms to HIPAA requirements, provided that certain policies and procedures are followed.

The general overriding principles for HIPAA compliant use of mobile devices are:

  1. Information should never be forwarded without the patient’s consent.
  2. Data should not be accessed or stored any longer than needed.
  3. Data should be encrypted to provide an additional layer of safeguarding against breach of confidentiality.
  4. Follow general standards for mobile device security.

Begin by ensuring that users are following standard security practices for mobile devices. Most of us are familiar with these rules; for example, users should prevent unauthorized access to their devices by using a secure password. Users should also apply software updates and patches promptly, as soon as they become available, and avoid connecting to unsecured Wi-Fi networks, especially when viewing data that may be sensitive or confidential.

Finally, mobile device users should be careful about downloading and installing apps that they have not researched in advance, as many mobile apps have been the source of malware. This happens more on Android than on Apple phones due to the more open nature of the Android Play store.

While many of us know these rules well and follow them consistently, healthcare organizations should not assume that everyone follows good mobile security practices. That’s why it’s important to train users regularly in basic security practices. This is especially true if employees are using their personal devices at work.

If you are a medical professional who needs to review a fax remotely, a mobile device is an easy and convenient option. The key security concern is how the fax is retrieved.

Using the mobile browser to go to the fax provider’s website is probably not the best idea. Mobile browsers save files in various places on the device, and ePHI can leak from those locations. That is why most EHRs and serious cloud fax providers offer a mobile app, to ensure content stays secure inside its ecosystem.

Sending a fax via mobile can be achieved in several ways. Email-to-fax is one very popular option, as it is essentially just sending an email that gets converted into a faxed document. It may be easy, but it might not be the most secure way to send a fax: you can’t be sure your connection is 100% encrypted from point to point, and you now have a message containing ePHI sitting in your sent folder.

It makes more sense to use the native app and send the fax through a secure connection. At WestFax we utilize a secure API connection using TLS 1.2, which is the standard for secure connections and provides completely secure transmission of fax data.

Your cloud fax provider should be able to tell you whether they are HIPAA compliant. WestFax has apps for iOS and Android that adhere to all HIPAA-compliant handling guidelines, but HIPAA compliance is more than a mere technical solution. The burden falls on users to adhere to best practices and policies so that no PHI is exposed or leaked when utilizing mobile devices, and on organizations to set those guidelines and manage compliance.

About Doug Clayton

Doug works as a Senior Analyst for WestFax, Inc, a Colorado-based cloud fax provider specializing in HIPAA secure fax. Doug started his long career helping the DoD convert legacy logistics software from mainframes to modern stacks. He also worked on currency conversion systems at the World Bank in Washington DC and consulted for many leading non-profits based in the DC area. At WestFax he wears many hats, ranging from DevOps, sales and engineering to developer relations. You can find Doug on LinkedIn.

WestFax is a proud sponsor of Healthcare Scene