
Wednesday, November 9, 2011

Faxing PHI comes with Potential Risks

Many organizations have discovered that the traditional faxing of (unsecured) patient reports carries the potential risk of a breach. In fact, as a compliance consultant, I find it to be the number one cause of breaches for my clients. Granted, these breaches are usually small, typically affecting 1 to 5 individuals before the wrong number is reported and the fax database is corrected; but each one still requires a mitigation process to limit the potential for significant harm to the patient involved and, of course, the required formal breach documentation. While I continue to promote a change in the PHI delivery method from unsecure to secure, those same organizations continue to tolerate these breach occurrences in order to retain the status quo of unsecured PHI delivery via traditional (unsecured) faxing.

What will it take to make this change? Consider…
• A high-profile patient whose information is faxed to the wrong number, is instantly recognized by the unintended recipient, and whose report is now available via the tabloids.
• A family member of a high-level staff member within the healthcare organization whose information was breached via traditional fax of (unsecured) PHI and is then used to embarrass the family.
• Your own health information, faxed to the gas station across town instead of to the consultant you saw for a reason you would not want to explain.

Predictably, the first question that will be asked with each of these cases would be “How could this happen?”

There are many excellent secure technologies that can deliver PHI without the risks associated with traditional (unsecured) faxing. These should be the first choice for all organizations so they can provide the highest level of protection for all patient information. For example, the delivery of PHI via encrypted email, an encrypted document sent via efax, a VPN, or access through a secure web portal are all proven delivery methods that can maximize the security of the patient information being sent. When the traditional fax, however, is chosen over these secure delivery methods, there are best practices that truly must be employed in order to minimize its related potential risks. Let’s review some of those best practices and the resources that describe them.

In the book HIPAA in Practice – The Health Information Manager’s Perspective, published by the American Health Information Management Association (AHIMA), pages 218-219, the faxing of health information is discussed. Here are some of the steps to follow listed in that section.

• Establish fax policies and procedures based on all applicable laws and regulations after consultation with legal counsel.
• Take reasonable steps to ensure the fax transmission is sent to the appropriate destination. Periodically remind staff members who receive faxes to notify you if their fax number changes. Have all users double check the fax numbers entered before pressing send.
• Include a confidentiality statement on the cover page.
• Contact the receiver and ask that the material be returned or destroyed if the sender becomes aware that a fax was misdirected.
• Place fax machines in secure areas.

Another book, Guide to the HIPAA Privacy Rule, published by Lippincott Williams & Wilkins, pages 68-69, includes some additional steps in its model policy for faxing health information.

• Fax numbers will be verified prior to transmission, including contacting the person who is to receive the fax to ensure they are available to receive it, so that the faxed report will not be left unattended on the receiver’s fax machine.
• When receiving a fax containing PHI, the fax is to be removed from the machine immediately and processed. It is not to be left unattended on the fax machine.
• If a fax containing PHI is received in error, contact the sender immediately. This fax will be noted on the log sheet used to track incoming faxed documents. The documents received in error will be shredded immediately.

In a recent article in Advance for Health Information Professionals, Can You Afford the Consequences of a Data Breach?, one of the individuals interviewed said she likens sending a fax (with PHI) to going to war – that you must prepare for battle because the consequences of a breach may mean harm to a patient and/or a staff member losing their job. Because it is so serious and so easy to transpose numbers or press the wrong button on the keypad, their staff is required to circle the fax number on all requests. Once the number has been entered into the fax machine, their procedure is to check it against the circled number twice before pressing the send button.

Stanford University, located in California, has shared their guidelines for faxing PHI. Of note, they have restricted the use of faxing PHI to only certain types of data.

• Fax PHI when other types of communication are not available or practical.
• Limit the PHI contained in the fax to the minimum necessary to accomplish the purpose of the communication.
• When faxing do not include sensitive PHI such as PHI related to alcohol abuse, drug abuse, mental health issues, HIV testing, antigens including hepatitis infection, sexually transmitted diseases, or presence of malignancy.
• Take reasonable precautions to ensure that the intended recipient is either available to receive the fax as it arrives or has exclusive access to the fax machine.
• If there is a reason to question the fax number, contact the recipient to confirm the number prior to faxing PHI.
• Use the standard fax coversheet that includes the confidentiality notice.
• Do not include any PHI on the coversheet.

Clearly, the faxing of PHI is associated with many risks. If your organization still uses this technology to deliver PHI, be sure to incorporate these best practices in order to proactively address its dangers and minimize the potential risks. In addition, transitioning to newer, more secure delivery technologies should be strongly considered and included in your organization’s HIPAA security compliance assessment and risk mitigation plan in the future.

About the author: Brenda Hurley, CMT, AHDI-F, is a compliance consultant with over 40 years of experience in the medical transcription industry. She can be reached at
