You’ve been tasked with utilizing a HIPAA compliant fax API for your company or client. You understand what fax is, but how do you make it HIPAA compliant? If you Google search HIPAA compliance you will see things like needing a BAA, cover pages, disclaimers, and massive fines for HIPAA violations. It’s a lot to take in and it may seem overwhelming.
In this primer, we’ll give you a high-level view of what HIPAA compliance means for fax and how your integration of a fax API can be HIPAA compliant with just a bit of planning and preparation.
First, let’s review some definitions of various terms you’ll see here:
Now that we have a common lexicon, let’s talk about the differences between a regular fax API and a HIPAA compliant fax API.
It Has to be Secure
HHS has put out minimum guidelines for HIPAA compliant communications. It would be unusual these days to see an API endpoint that is not protected with SSL, but in this case, you must connect with a TLS encrypted connection. An API endpoint must support TLS 1.2+.
But how do you determine if your fax provider complies with TLS 1.2 or greater? Using developer tools (under the view menu in Chrome), just open the API endpoint in your browser and click the “Security” tab. You’ll see the connection settings and it will tell you which version of TLS is supported. In the example below, TLS 1.2 is in place.
Sending a Fax
Sending the actual fax is the same whether you are complying with HIPAA or not. There is not an explicit fax setting for HIPAA. The mechanism for sending a fax is inherently secure which is why fax as a technology is still thriving in the healthcare space. The handling of a fax document before and after transmission is where proper planning and security is necessary and falls within the domain of HIPAA.
The fax document should be stored in a secure location before it is sent to the API for outbound processing. Care should also be taken to make sure that these documents are not stored in a cache or temporary directory after being sent.
Incoming Faxes Must Be Secure as Well
Receiving an inbound fax via API is also something that requires proper handling. In most cases, the sender will trigger a webhook on the recipient’s end, and the recipient’s system will respond by querying the sender’s API for the incoming fax document.
Once you have that document saved on a storage device, it must be properly secured and access is given only to users who have permissions to see it. It would be unwise to just send the fax document to a group email box or the print queue.
Most fax APIs allow email delivery of inbound faxes. This is not the recommended implementation as sending an unencrypted document via email opens the door to the fax in-transit being intercepted by spyware or malware. If sending a digital fax document via email is important, then the document should be encrypted before sending and then decrypted by the final recipient.
Fax Retention Periods
The storage of the sent and received fax documents must be managed carefully. Every type of document may have different retention periods. For example, if your fax documents are medical billing records that are seeking Medicare reimbursement, then the documents must be retained for 10 years by federal statute. Other types of documents have different minimum retention periods. You should do your research on what types of faxes are being sent/received and be sure to retain these documents on a secure server with appropriate access controls. The HIPAA retention requirements are available at 45 CFR 164.316(b)(2).
Don’t Forget The Cover Sheet
Almost all HIPAA compliant faxes require cover sheets. If you aren’t sure, cover it. Cover sheets are documents that have some metadata such as “To”, “From”, “Date”, “Subject” and the HIPAA disclosure disclaimer so that the receiving party knows what to do with the document. Any fax that has PHI should have a cover sheet in most cases.
Finally, Let’s discuss a BAA
All of this is moot if you don’t have a BAA with the fax service provider. As specified before, a BAA is an agreement between the covered entity and the provider of the fax service API. If a fax provider puts up any resistance to signing a BAA, then move on. It is not serious about HIPAA compliant fax. Beware of fax providers that charge extra to sign a BAA.
In summary, integrating a HIPAA compliant fax service is about the same level of effort as a non-HIPAA fax API. The differences have to do with document management, handling and security of the fax documents before and after they are faxed. Due diligence and working with the customer to ensure their architecture is HIPAA compliant are a key component in a successful HIPAA compliant fax integration.