HIPAA-compliant Alternatives to the Fax Machine

September 5, 2012

Here are some slicker, more economical alternatives to the fax machine for your medical practice, especially when it comes to following HIPAA rules.

It is hard to imagine medical office operations before the widespread adoption of fax machines in the 1980s. It may be almost as hard to imagine the current practice of medicine without the trusty fax machine, but it is time to try. In 2012, it just feels silly to spend time and money printing an electronic document from a word processing or EHR system so that it can be converted into an electronic graphic image, aka fax, to be transmitted to another office.

At the other end of the transaction, what value does it add to print an incoming fax on paper and then convert it to an electronic image for permanent storage? In both cases the paper must be filed or shredded after it has served its purpose as a vehicle.

The HIPAA Security Rule is one of the most attractive reasons to retain the traditional fax machine. While the HIPAA Privacy Rule applies to all protected health information (PHI), the HIPAA Security Rule applies only to electronic PHI (ePHI): PHI that has been created, received, maintained, or transmitted electronically. Facsimiles are specifically exempted from the Security Rule, as is any PHI that was not electronic before its transmission, such as a telephone call between two persons or a voicemail.

There are numerous alternatives to the traditional fax machine, each with particular attributes that bear consideration.

E-mail or as an attachment to an e-mail

Some common advice is to put nothing in an e-mail that you would not write on a postcard. Information transmitted over the Internet travels unpredictable routes and is stored in places over which you have no control, clearly unacceptable for PHI.

An attachment including PHI can be acceptable, provided it is encrypted or password protected. For the recipient to access the file he must have the encryption key or password. The problem becomes not the security of the information, but coordination with the recipient so that he has the key or password.

Electronic fax service

An electronic fax service is a special case of using an encrypted e-mail attachment. The user encrypts the file by using the service's proprietary program, and sends the encrypted file and the recipient's fax number to the service. The service decrypts the file and sends it to the recipient as a traditional fax. An incoming fax is initially delivered to the service, which encrypts the fax and sends it to the recipient as an e-mail attachment.

A Business Associate Agreement (BA), required by HIPAA, is essential when using these services. Not all of the services will provide a BA and few offer one in the absence of a specific request. The services also vary in price between two and eight cents per page, with or without monthly or annual subscription fees. Since the pricing models are not standard and because they are dependent upon usage, it is especially important to understand your current fax volumes before choosing a service.

Delivery via website

This is the delivery model many banks use with their Internet banking. When information needs to be delivered, the sender uploads the file to a secure website and sends a notification e-mail to the recipient. The recipient logs onto the website and retrieves the file.

The security is good. An extra benefit is that the document can be data as well as, or instead of, just an image.

Convenience is an issue. The sender must give the recipient permission to register on the website, and the recipient must register and maintain a password for the account. Each 'fax' is a two-step process for both the sender and the recipient.

As with electronic fax services, a Business Associate Agreement is essential.

Fax server

A fax server works much like an electronic fax service. It intercepts faxes coming in on a telephone line and delivers them to a specific website as an attachment to an e-mail. An outgoing fax is sent as an attachment to an e-mail that is directed to the fax server and includes the fax number of the recipient.

It differs from an electronic fax service because it is managed by the clinic or office, and the fax server is behind the clinic or office firewall. The server and its installation are upfront costs, but there are no subscription or usage costs. Additionally, there is no need for a Business Associate Agreement.

All of these are proven models and in use in medical offices. Each, including the now old-fashioned fax, has advantages and disadvantages. The benefits of moving away from paper faxes, however, can be significant. Recapturing the counter space the current machine sits on is a bonus.

Find out more about Carol Stryker and our other Practice Notes bloggers.