Beware the HIPAA Risk that Hides in Plain Sight
Many times throughout the workday, healthcare providers and administrators unwittingly leave private patient information — protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) — lying around the office.

The source of this penalty-worthy security infraction? The ubiquitous fax machine.

Patient information ends up hiding in plain sight when healthcare providers concentrate their HIPAA compliance effort on internal security controls and on encrypting or otherwise protecting e-mail, while overlooking lower-tech channels that are far more exposed.

“The more stories came out about identity theft, information theft, stolen laptops, the more resources were devoted to making sure patient information was locked up tight,” explained Steve Adams, vice president of marketing for MyFax, a provider of Internet faxing services. “Faxing was largely ignored, because in our e-mail-centric world, faxing was considered obsolete, an archaic means of transmitting information, and therefore not really a HIPAA concern.”

Despite technological advances, many healthcare providers continue to use handwritten charts, and when those charts need to be dispatched to a consulting provider, an insurance company, or another medical office, faxing remains a popular choice of communication. Insurance claims, prescriptions, patient history and other medical information are typical faxed communiqués.

“The primary security risk in traditional, machine-based faxing is that it creates a very public view of very private documents,” said Adams. “Consider what happens when a confidential document is sent from one organization to another via fax.

“First, the document is loaded into a fax machine located in a mailroom or other public area on the sender’s end, a phone number is dialed, and the ‘send’ button is pushed. If all goes well, the document is scanned and transmitted, and the sender picks up the original and returns to his desk. If a busy signal is received, however, the sender may walk away for a few minutes while the machine continues to re-dial until it makes a connection. In the meantime, this confidential document is sitting exposed in a public area. This scenario is hardly in keeping with established best practices for document handling in a HIPAA-compliant organization.”

On the receiving end of the fax, there is even less compliance because the sender has no control over where the fax lands, Adams pointed out.

“While it might go to a gatekeeper’s desk, the more likely scenario is that it is received on a fax machine in a public area, where it sits until someone sees the cover page and delivers it to the rightful owner,” he said. “In the meantime, anyone in the organization can walk by and read this confidential information, or even make a copy of it. If it is time-sensitive, there could be a significant delay until it is sorted and delivered. It could also be delivered to the wrong person, creating a further breach in security.”

Internet faxing can help bring faxing in line with HIPAA requirements by offering two delivery methods that keep documents out of public view. The first is delivery by e-mail, which protects the fax only as well as the recipient's mailbox and workstation do: a fax left open on the monitor, or a computer that someone else can access, exposes it just as a paper copy would.

“The second method, sending and receiving via a secure server, offers even greater protection,” said Adams. “Rather than delivering the actual fax, the secure server method sends an e-mail notification alert to the user when a fax comes in to their account.”

Users then go to a password-protected site where the fax sits in an encrypted in-box on a server that uses Secure Sockets Layer (SSL). Ideally, Adams explained, the connection should use 128-bit session encryption with a certificate from a recognized authority (such as VeriSign), 1024-bit public keys, and PGP public/private key encryption for the stored documents. (These were the typical strengths in 2008; 1024-bit public keys have since been retired from recommended practice in favor of longer keys, and any current deployment should be judged against today's standards rather than these figures.)

“After logging in, users are able to view the fax and/or download it to their computer,” he said. “This same method can be used in reverse to send a fax, leaving no trace of the original fax in an Outlook or other mail server ‘sent’ file. The secure server method provides the ultimate in HIPAA-compliant security for the most sensitive documents.”

Operationally, Internet faxing looks the same as a traditional fax to the person on the other end. The Internet fax user has a telephone number, often toll-free, that can be dialed from any fax machine in the world. Faxes may be sent to a standard fax machine or, if the recipient also uses an Internet fax service, delivered directly to that person. Whatever the delivery method, information transmitted by fax is subject to the same HIPAA obligations, and the same risk of a reportable breach, as any other protected health information.

“Instead of allowing faxes to hide in plain sight, Internet fax services help security managers bring the fax portion of their operations up to the same standards they are using for other forms of communication,” said Adams. “If HIPAA compliance falls under your purview, they should definitely be on your radar screen.”

March 2008