The Health Insurance Portability and Accountability Act (HIPAA) is a privacy rule created to protect a person’s medical records and other types of personal protected health information (PHI). This rule applies to healthcare providers, plans, clearinghouses, and any other type of healthcare company that provides patient care and maintains patient records. With the widespread use of electronic medical records, maintaining HIPAA compliance has gotten easier and, at the same time, more challenging. Below will list some vital information about HIPAA compliant faxes, what is allowed, and how to ensure you stay within the privacy act rules.
Table of Contents
Guidelines for HIPAA Approved Faxes
In order to ensure the patients’ protected health information (PHI) is safeguarded, it is vital to understand what is considered safe. It is required that the company keep the PHI safe while at rest, stored, and being transmitted or transported. See the following information and tips to ensure patient PHI is being kept safe while sending HIPAA faxes.
- Always use cover pages. HIPAA laws require using a fax cover sheet; however, it does not include a specific one for companies to use. So, what should be included on the fax sheet to assist with safeguarding patient information? The best practice is to include, at a minimum, a statement regarding the fact that confidential health information is enclosed, the exact date and time of the fax, sender and recipient’s information (including telephone and fax number), the number of pages, and information for verification of receipt.
- Create processes for keeping track of faxed HIPAA information. Having PHI faxes being completed by a specific job position will limit possible errors when sending information. When numerous people are all sending things, it can cause mistakes and the possibility of a violation. Using one specific person and creating logs for sent information can eliminate those possible breaches.
- Incoming faxes can lead to violations, just like outbound faxes. If a company’s fax machine is located in an office’s public area, incoming faxes can often be left on the machine for anyone to see. It is important to ensure the machine is located in a safe space where only approved employees can access any incoming faxes.
- The most efficient way to avoid most of the aforementioned mishaps is to use an internet-based electronic fax service. Most of these services will automatically use a cover letter that the user created so it is sure to be compliant every time and included on each fax. It will also keep track of all outbound and incoming faxes in a report form that can be easily accessed, which only goes to the designated person, so there is no physical fax to worry about being viewed. If utilized, this type of fax can almost eliminate any potential violations of the privacy act.
- Be conscientious of where any electronic faxes are stored. Many breaches happen because PHI is stored on numerous laptops, desktop computers, and tablets. This opens a company up for a possible breach. It is vital that all PHI, including faxes, be secured with a password and on as few devices as possible.
Types of HIPAA Violations
Sharing HIPAA-protected information is illegal, but sharing too much or not enough information with the intended or approved recipient is also considered a violation. Agreements must have original signatures from the person and contain the exact information and the nature of the information they allow to be shared. Any information shared outside of that is a HIPAA violation. On the other side of that, if a person requests access to their own PHI and is not granted access, that is a violation.
Other violations stem from access to PHI. Not having a process in place to monitor access to PHI and not having safeguards are two common violations. As mentioned above, processes and documentation regarding PHI access are critical. In the case of a breach, the company will see exactly when and how the breach occurred, which will help defend the violation.
Not destroying PHI can cause HIPAA infringement. Once the information is no longer needed and has surpassed any storage timelines, the information must be destroyed. Stockpiling this kind of information is leaving a company or facility open to possible lawsuits for privacy infractions.
In the unfortunate circumstance that a breach occurs, the correct breach protocol must be followed. Notification of the breach must be disclosed to the person whose PHI was violated in the appropriate time frame. A breach notification must also be sent in stating that the breach was identified and responded to within 60 days. Failure to comply with these things is considered a violation and, therefore, subject to repercussions.
Repercussions for Violations
There are times that breaches occur. Sometimes they are severe, and other times, they are minor in nature. However, no matter the extent of the infraction, there are consequences to the infringement. The repercussions can range according to the tier in which it falls.
- Tier 1. Violations in which the entity was unaware and could not have reasonably avoided had a justifiable attempt had been made to follow HIPAA Rules.
- Tier 2. Violations that the entity should have known about but could not have avoided even with a justifiable attempt to follow HIPAA Rules, but falling short of willful neglect of HIPAA Rules
- Tier 3. Violation occurring as a direct result of willful neglect of HIPAA Rules but where an attempt has been made to become compliant with HIPAA Rules
- Tier 4. Violation of HIPAA Rules made with willful neglect where no attempt has been made to become compliant with HIPAA Rules
Monetary fines are also assessed according to the tiers:
- Tier 1: $100 – $50,000 per violation
- Tier 2: $1,000 – $50,000 per violation
- Tier 3: $10,000 – $50,000 per violation
- Tier 4: $50,000 per violation
In conjunction with the monetary fines, there are also criminal charges that can be filed with the punishment ranging from one to ten years in jail.
HIPAA privacy rules are in place to protect all patients’ privacy. They are not to be taken lightly. Companies need to be aware of how to appropriately and securely store and send patients’ PHI because not knowing the rule will not be an excuse should a breach occur.