You’ve been tasked with utilizing a HIPAA compliant fax API for your company or client. You understand what fax is, but how do you make it HIPAA compliant? If you Google search HIPAA compliance you will see things like needing a BAA, cover pages, disclaimers, and massive fines for HIPAA violations. It’s a lot to take in and it may seem overwhelming.
In this primer, we’ll give you a high-level view of what HIPAA compliance means for fax and how your integration of a fax API can be HIPAA compliant with just a bit of planning and preparation.
First, let’s review some definitions of various terms you’ll see here:
HHS: Health and Human Services. This is a federal agency tasked with overseeing HIPAA compliance. It releases guidelines and standards that must be met to be HIPAA compliant.
ePHI / PHI: Electronic Private Health Information. A medical record is considered PHI. Any fax document that contains medical information about an individual is considered PHI.
Covered Entity: An organization that provides medical services, health insurance, pharmacy services, or any other healthcare service. See this document for clarification on what is considered a covered entity. Covered entities are also referred to as Providers.
BAA: Business Associate Agreement. Simply put, a BAA is an agreement between the covered entity (medical office) and the parties who interact with PHI maintained by that organization. So, if you are a contractor for a medical office and your work gives you any access to PHI, you are required to sign a BAA. In the case of fax services, any fax provider that offers HIPAA compliant fax should sign a BAA with the covered entity because PHI is being transmitted and stored on the fax provider’s infrastructure. Learn more about BAAs.
Data at rest: Data such as medical records that are stored on a secure file server or storage platform; that is, data that is not actively moving across the network but sitting “at rest” on a secure storage device.
Data in transit: Data that is in motion. Examples would be data being uploaded to an SFTP site or an offsite storage facility, or being emailed internally.
TLS: Transport Layer Security is a cryptographic protocol that provides end-to-end communication security over networks. It is widely used for internet communications and online transactions. TLS is more efficient and secure than SSL (Secure Sockets Layer), and TLS 1.2 is now the minimum version required when handling ePHI.
Cover sheet: A document that is sent as the first page in a fax job that provides limited meta-data about the contents of a fax that contains PHI and acts as a preventive measure to reduce accidental disclosure to unauthorized parties.
Now that we have a common lexicon, let’s talk about the differences between a regular fax API and a HIPAA compliant fax API.
It Has to be Secure
HHS has put out minimum guidelines for HIPAA compliant communications. It would be unusual these days to see an API endpoint that is not protected with SSL/TLS at all, but in this case the connection must be encrypted with TLS specifically, and the API endpoint must support TLS 1.2 or later.
But how do you determine whether your fax provider supports TLS 1.2 or greater? Using developer tools (under the View menu in Chrome), open the API endpoint in your browser and click the “Security” tab. The connection settings will show which version of TLS was negotiated. In the example below, TLS 1.2 is in place.
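The browser check above is fine for a one-off look, but the same verification belongs in the integration itself, so the client never silently negotiates something older. The script below is an added example written for this primer, not code from any fax provider: it builds a client-side TLS context pinned to a minimum of TLS 1.2 (using only the Python standard library), reports which version a server actually negotiated, and grades that version against the policy. The host `api.example.invalid` is a placeholder; pass your provider's endpoint on the command line.

```python
import socket
import ssl

# Assumed policy mirroring the TLS 1.2+ requirement discussed above.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2

# Version names that ssl.SSLSocket.version() can report, weakest to strongest.
_VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname and
    fails the handshake rather than downgrading below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS_VERSION
    return ctx


def meets_policy(version_name: str) -> bool:
    """True if a negotiated version string such as 'TLSv1.3' satisfies the policy.
    Unknown strings fail closed."""
    return _VERSION_RANK.get(version_name, -1) >= _VERSION_RANK["TLSv1.2"]


def negotiated_tls_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to the API endpoint and return the negotiated protocol version.
    Raises ssl.SSLError when the server cannot meet the minimum version."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "api.example.invalid"  # placeholder host
    try:
        version = negotiated_tls_version(host)
        verdict = "OK" if meets_policy(version) else "VIOLATION"
        print(f"{host}: negotiated {version}; policy {verdict}")
    except (ssl.SSLError, OSError) as exc:
        print(f"{host}: connection failed ({exc}); treat as non-compliant until verified")
```

Because the context refuses anything below TLS 1.2, an endpoint that only speaks TLS 1.0 or 1.1 shows up as a failed handshake rather than a quietly downgraded connection, which is the behaviour you want in production code that moves ePHI.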

Sending a Fax
Sending the actual fax is the same whether you are complying with HIPAA or not. There is no explicit fax setting for HIPAA. The mechanism for sending a fax is inherently secure, which is why fax as a technology is still thriving in the healthcare space. The handling of a fax document before and after transmission is where proper planning and security are necessary, and that handling falls within the domain of HIPAA.
The fax document should be stored in a secure location before it is sent to the API for outbound processing. Care should also be taken to make sure that these documents are not stored in a cache or temporary directory after being sent.
Incoming Faxes Must Be Secure as Well
Receiving an inbound fax via API also requires proper handling. In most cases, the fax provider will trigger a webhook on the recipient’s end to announce the fax, and the recipient’s system will respond by querying the provider’s API to retrieve the incoming fax document.
Once you have that document saved on a storage device, it must be properly secured, with access given only to users who have permission to see it. It would be unwise to simply forward the fax document to a group email box or the print queue.
Most fax APIs allow email delivery of inbound faxes. This is not the recommended implementation, as sending an unencrypted document via email opens the door to the fax being intercepted in transit by spyware or malware. If sending a digital fax document via email is important, then the document should be encrypted before sending and decrypted only by the final recipient.
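The two handling rules above (outbound documents live in a secure location and leave no cached copy behind; inbound documents are pulled from the provider, stored with tight permissions and read only by authorized users) can be expressed as a small storage layer. The code below is an added example for this primer, not any provider's SDK. It assumes a POSIX file system for the permission bits, a webhook payload of the form `{"event": "fax.received", "fax_id": "..."}` (a constructed shape, since every provider formats its callbacks differently), and two injected callables, `fetch_document` and `api_send`, that stand in for the provider's download and send calls. The ACL and audit log are in-memory stand-ins for the application's real role and logging systems.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed in-memory stand-ins for the application's user/role system and
# audit store (assumptions; a real deployment backs these with its own services).
ACCESS_LIST: dict = {}      # fax id -> set of users allowed to read it
AUDIT_LOG: list = []        # one entry per read attempt, allowed or denied


def secure_root(base: Path) -> Path:
    """Owner-only directory for PHI; mkdir honours umask, so enforce 0700 explicitly."""
    base.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(base, 0o700)
    return base


def make_workspace() -> Path:
    """Fresh owner-only directory (used here so the example runs anywhere)."""
    return secure_root(Path(tempfile.mkdtemp(prefix="fax-phi-")))


def store_document(root: Path, fax_id: str, pdf_bytes: bytes, allowed_users: set) -> Path:
    """Write the document owner-read/write only and register who may read it."""
    path = secure_root(root) / f"{fax_id}.pdf"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)   # O_EXCL: never overwrite
    with os.fdopen(fd, "wb") as fh:
        fh.write(pdf_bytes)
    ACCESS_LIST[fax_id] = set(allowed_users)
    return path


def is_owner_only(path: Path) -> bool:
    """True when no group/other permission bits are set on the file."""
    return (path.stat().st_mode & 0o077) == 0


def read_document(path: Path, fax_id: str, user: str) -> bytes:
    """Check the ACL on every read and record the attempt either way."""
    allowed = user in ACCESS_LIST.get(fax_id, set())
    AUDIT_LOG.append({"fax_id": fax_id, "user": user, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{user} may not read fax {fax_id}")
    return path.read_bytes()


def handle_inbound_webhook(root: Path, payload: str, fetch_document: Callable[[str], bytes],
                           allowed_users: set) -> Path:
    """Inbound flow: the provider's webhook only announces the fax; the bytes are
    pulled from the provider's API (fetch_document stands in for that call) and
    stored under lock instead of being mailed or printed."""
    event = json.loads(payload)
    if event.get("event") != "fax.received" or not event.get("fax_id"):
        raise ValueError("unexpected webhook payload")
    return store_document(root, event["fax_id"], fetch_document(event["fax_id"]), allowed_users)


def send_from_secure_store(path: Path, fax_id: str, user: str, api_send: Callable[[bytes], str],
                           staging_dir: Optional[Path] = None) -> str:
    """Outbound flow: read under the ACL, hand the bytes to the API (api_send
    stands in for it) and make sure no staging copy outlives the call."""
    data = read_document(path, fax_id, user)
    fd, tmp = tempfile.mkstemp(prefix="fax-out-", suffix=".pdf", dir=staging_dir)  # mode 0600
    os.close(fd)
    staging = Path(tmp)
    try:
        staging.write_bytes(data)          # e.g. for a format converter that needs a file path
        return api_send(staging.read_bytes())
    finally:
        staging.unlink(missing_ok=True)    # gone even if the API call raised
```

The `try`/`finally` around the staging file is the part that matters for the "no cached copy" rule: a failed API call still deletes the temporary file, and the audit log records denied reads as well as allowed ones, which is what an investigator will ask for after a suspected disclosure.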
Fax Retention Periods
The storage of the sent and received fax documents must be managed carefully. Every type of document may have different retention periods. For example, if your fax documents are medical billing records that are seeking Medicare reimbursement, then the documents must be retained for 10 years by federal statute. Other types of documents have different minimum retention periods. You should do your research on what types of faxes are being sent/received and be sure to retain these documents on a secure server with appropriate access controls. The HIPAA retention requirements are available at 45 CFR 164.316(b)(2).
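Retention is easiest to get right when the policy lives in one table and the purge logic fails closed. The code below is an added example for this primer, not a regulatory reference: the only real figure in the policy table is the 10-year Medicare billing retention the text cites, the other entry is an explicit placeholder, and any document type that is not in the table (or is under a legal hold, an assumed flag) is never eligible for deletion.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple, Union

# Constructed policy table: document type -> minimum retention in years.
# "medicare_billing" carries the 10-year figure cited above; every other entry
# is a placeholder to be replaced after researching that document type.
RETENTION_YEARS = {
    "medicare_billing": 10,
    "placeholder_type": 3,     # assumed value, not a regulatory citation
}


def as_date(value: Union[str, date]) -> date:
    """Accept a date or an ISO-8601 string such as '2024-06-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class FaxRecord:
    fax_id: str
    doc_type: str
    stored_on: date
    legal_hold: bool = False     # a hold overrides every retention clock


def record(fax_id: str, doc_type: str, stored_on, legal_hold: bool = False) -> FaxRecord:
    """Convenience constructor that accepts ISO date strings."""
    return FaxRecord(fax_id, doc_type, as_date(stored_on), legal_hold)


def add_years(d: date, years: int) -> date:
    """Leap-day safe: 29 Feb lands on 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(rec: FaxRecord) -> Optional[date]:
    """Earliest date the record may be purged. None means keep indefinitely:
    unknown document types and legal holds deliberately fail closed."""
    if rec.legal_hold or rec.doc_type not in RETENTION_YEARS:
        return None
    return add_years(rec.stored_on, RETENTION_YEARS[rec.doc_type])


def retention_sweep(records: List[FaxRecord], today) -> Tuple[List[FaxRecord], List[FaxRecord]]:
    """Split records into (eligible for purge, must keep) as of `today`."""
    today = as_date(today)
    purge, keep = [], []
    for rec in records:
        expiry = retention_expiry(rec)
        (purge if expiry is not None and today >= expiry else keep).append(rec)
    return purge, keep
```

Run the sweep on a schedule against your document index and route the `purge` list through a reviewed deletion job; anything that lands in `keep` because its type is unknown is a signal that the policy table, not the deletion job, needs attention.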
Don’t Forget The Cover Sheet
Almost all HIPAA compliant faxes require cover sheets. If you aren’t sure, cover it. Cover sheets are documents that carry some metadata such as “To”, “From”, “Date” and “Subject”, plus the HIPAA disclosure disclaimer, so that the receiving party knows what to do with the document. Any fax that contains PHI should have a cover sheet in most cases.
Finally, Let’s Discuss the BAA
All of this is moot if you don’t have a BAA with the fax service provider. As specified before, a BAA is an agreement between the covered entity and the provider of the fax service API. If a fax provider puts up any resistance to signing a BAA, then move on; they are not serious about HIPAA compliant fax. Beware of fax providers that charge extra to sign a BAA.
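Because the cover sheet is meant to carry only limited metadata, it is worth enforcing that in code: require the routing fields, reject keys that would put clinical detail on the cover itself, and make the cover the first page of every job. The snippet below is an added example for this primer, not any provider's template; the disclaimer wording and the deny-list of field names are assumptions to be replaced with what your compliance team approves.

```python
from typing import Dict, List

# Assumed wording; substitute the disclaimer text your compliance team approves.
DISCLAIMER = ("CONFIDENTIAL: This fax may contain protected health information. "
              "If you are not the intended recipient, notify the sender immediately "
              "and destroy all copies.")

REQUIRED_FIELDS = ("to", "from", "date", "subject", "pages")
# Assumed deny-list: keys that would put clinical detail on the cover sheet itself.
FORBIDDEN_FIELDS = ("diagnosis", "medications", "ssn", "mrn", "notes")
HEADER = "FAX COVER SHEET"


def build_cover_sheet(meta: Dict[str, object]) -> str:
    """Render the cover page and refuse both incomplete and over-sharing metadata."""
    missing = [f for f in REQUIRED_FIELDS if not meta.get(f)]
    if missing:
        raise ValueError(f"cover sheet missing fields: {', '.join(missing)}")
    leaked = [f for f in FORBIDDEN_FIELDS if f in meta]
    if leaked:
        raise ValueError(f"PHI-bearing fields not allowed on cover sheet: {', '.join(leaked)}")
    lines = [HEADER, "",
             f"To:      {meta['to']}",
             f"From:    {meta['from']}",
             f"Date:    {meta['date']}",
             f"Subject: {meta['subject']}",
             f"Pages:   {meta['pages']} (including this cover)",
             "", DISCLAIMER]
    return "\n".join(lines)


def assemble_fax_job(meta: Dict[str, object], body_pages: List[str]) -> List[str]:
    """Cover sheet first; the page count is computed, never trusted from the caller."""
    if not body_pages:
        raise ValueError("nothing to send")
    full_meta = dict(meta, pages=len(body_pages) + 1)
    return [build_cover_sheet(full_meta)] + list(body_pages)


def has_cover_sheet(pages: List[str]) -> bool:
    """Pre-send check: the first page is a cover sheet carrying the disclaimer."""
    return bool(pages) and pages[0].startswith(HEADER) and DISCLAIMER in pages[0]
```

Wire `has_cover_sheet` in as the last gate before the API call so that a job built by any other code path still cannot leave without a cover page.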
In summary, integrating a HIPAA compliant fax service takes about the same level of effort as integrating a non-HIPAA fax API. The differences have to do with document management: the handling and security of the fax documents before and after they are faxed. Due diligence, and working with the customer to ensure their architecture is HIPAA compliant, is a key component of a successful HIPAA compliant fax integration.