We are often asked at ScanSTAT about faxing medical records. With the changes to HIPAA Security and Privacy Rules from the HITECH Act and the many permutations and combinations of the current state of medical records…EMR, paper, scanned images…etc, it’s fitting to break this discussion down a little.
The below references from the HHS.gov FAQ provide enough added information to just continue to raise more questions. Is faxed information regulated differently under HIPAA? What is considered “reasonable effort” under HIPAA? What happens if the faxed information accidentally goes to the wrong recipient or a breach occurs? So to help shed some light on this topic, the HIPAA medical records experts at ScanSTAT have added some of our comments on the subject of faxing medical records.
Straight from the HIPAA FAQ section of HHS.gov
- Does the Security Rule apply to written and oral communications?
- Answer: No. The standards and specifications of the Security Rule are specific to electronic protected health information (e-PHI). It should be noted however that e-PHI also includes telephone voice response and fax back systems because they can be used as input and output devices for electronic information systems. E-PHI does not include paper-to-paper faxes or video teleconferencing or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission. In contrast, the requirements of the Privacy Rule apply to all forms of PHI, including written and oral.
- Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?
- Answer: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.
- The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.
6 Things the Experts at ScanSTAT Want You to Keep in Mind
1. Most of HIPAA Security references how information is STORED not necessarily how it’s DELIVERED.
As an example…if you have a FAX utility that uses a digital VOIP line or an old school AT&T analog fax line, is that mode of distribution regulated differently under HIPAA? No, because it depends on how the information you want to FAX is Stored.
2. You must apply the Safeguard Principles, even when faxing information.
If you print out a record from your EMR and FAX it from its paper form, is it ePHI at this point or PHI? Either way…..It doesn’t matter, you still have to apply the Safeguard Principle’s notated below.
HIPAA Privacy Rule states in the “Safeguards Principle”: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use or disclosure.
3. Use REASONABLE effort when faxing to a number that is not regularly used.
Reference the second HHS.gov FAQ above (“….when faxing protected health information to a telephone number that is not regularly used…..”). We’ve heard many HIPAA Overkill stories of offices that fax a “prefax” to every single fax number that is not programmed into their fax machine. The prefax page asks the recipient to fax back that it was received and that they are indeed anticipating receiving PHI. The prefax may also have the info to call to verify and it’s also peppered with HIPAA confidentiality protocol. If you are an 80 provider medical practice (or 5 providers for that matter) you are inundated with requests for information to go to places that are “not regularly used”. If you tracked this all day long in a medical practice, it would never end! We think this is totally unreasonable and HIPAA clearly states “reasonable effort”.
4. Nowhere in HIPAA does it state that you have to control or safeguard the actions of others or situations that are not within your control.
When faxing, the reasonable effort you can deploy is to define the HR characteristics of a high quality, high integrity person that you allow to use the fax machine.
- Ensure the number’s you’ve been given are legible.
- Double check the numbers you enter before you hit send.
5. Protecting PHI is important!
Implementing best practice HIPAA protocols matters! However, we are still human beings running these fancy computers, with fancy software. It is impossible to expect even the most dedicated detail oriented person to not make a mistake. If PHI is disclosed to an unauthorized recipient via a fax number error, then simply follow the Notification of Breach protocols and document the incident properly and notified the patient if necessary. I assure you, it is NOT the end of the world.
6. Know when to consider an unauthorized disclosure a breach of information.
A question we have been asked more than once….if you are provided a fax number that is incorrect either on a piece of letterhead or hand written by a patient for example, and you distribute PHI to that number, is it considered an unauthorized disclosure? You did not mix up the numbers, or make a legibility mistake, but rather the information provided to you was wrong. Are you obligated to log this as a breach at HHS.gov or is it not a breach? There are two thoughts on this, both of which lend some merit.
- It did go to an unintended recipient.
- However, it was not an unauthorized recipient.
We contend that this is not a breach as the presented information was used to distribute the records. Just because that information was not accurate not does hold you the covered entity liable to document this as a breach.
We hope this has helped shed some light on a confusing topic. As always, please consult with your own legal counsel on any of the information presented above. The information presented is not legal advice, but simply a conversation of experience.
If you have a specific HIPAA-related release of information question not addressed here, contact the experts at ScanSTAT, and you may see the answer featured on our blog! Don’t forget to check out our other release of information resources and electronic release of information services on our website.