Posted by: adelvecchio
Data breach, EHR, fax technology, HIPAA compliance
As most healthcare practitioners and administrators know all too well, the use of fax machines is deeply engrained in the day-to-day information workflow across the healthcare system. In fact, the 2012 National Physicians Survey reported that the fax machine, based on decades-old technology, was a dominant method by which doctors communicate with colleagues, patients, insurance companies and pharmacists.
Using paper-based fax machines to transmit protected health information (PHI), and other sensitive data, can present serious security risks for healthcare providers and their patients. Faxing documents to the wrong number, having a fax machine located in a non-secure area, or theft of a fax machine hard drive are just some of the scenarios that have resulted in security breaches.
In addition to security concerns, traditional fax machines can be inefficient and unreliable. With the increase in EHR adoption, many practices are hiring extra employees just to receive and enter fax data into the EHR system. While the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 seeks to close both security and inefficiency gaps, among other ambitious goals, healthcare still has a long way to go before it can ditch the fax machine.
Given the long road ahead, one has to wonder if the fax machine will ever entirely disappear from healthcare. The short answer is yes.
To shed some light on this issue, let’s take a closer look at fax use in healthcare, why it continues to endure, and how Internet fax can help organizations evolve beyond traditional fax machines that still permeate the healthcare ecosystem.
Fax technology — then and now
Fax, short for facsimile, involves the transmission of scanned printed material over phone lines, typically to a telephone number connected to a printer or other device. Although fax reliance peaked in the 1980s, which is also when it took off in healthcare offices, its invention dates all the way back to 1843.
Yes, that machine you are using to transmit vital health information came into being in the mid-nineteenth century! Though to be fair, fax technology has evolved considerably since those early days, and continues to be modernized and reframed by digital technology and the Internet.
Today, healthcare professionals use fax to transmit radiology and pathology reports, prescriptions, doctor’s notes, insurance claims and billing information, just to name a few. Internet fax technology can even integrate with EHR systems now and form an avenue through which patient data can be sent to other physicians and patients, although these capabilities have yet to be widely implemented.
Old habits die hard
Talking to physicians and technology experts from a number of physicians’ offices reveals that many of them don’t have the time or resources to redesign their information workflow and eliminate their use of the fax. It is so deeply engrained across the entire health system that wholesale changes would need to occur before fax usage can be significantly minimized or eradicated. For example, fax senders cannot yet eliminate faxing because the recipient may request fax-only delivery.
That’s not to say healthcare professionals are enamored with these machines. Although there may be a comfort level associated with their use, many of the typical complaints that plague fax machine dependence in other industries also surface in healthcare environments. These gripes range from unreliable transmissions that need constant verification, to unwieldy reams of paper in which important data commonly gets lost among less valuable information.
Fax use and HIPAA
Despite their dated roots and the myriad complaints, fax machines can be HIPAA-compliant as long as appropriate security safeguards are followed. In short, HIPAA regulations do not prevent covered entities (health providers, plans and clearinghouses that transmit health information electronically) from faxing PHI.
It’s the covered entity’s responsibility to ensure their fax practices comply with HIPAA privacy rules. These include the “minimum necessary” rule, which limits information in the fax to the minimum amount necessary in certain instances, as well as the implementation of administrative, technical, and physical security policies to protect PHI.
Unfortunately, these rules are not always followed. In a recent blog post, academic physician Sachin H. Jain, M.D., commented that fax machines sit open and accessible to a wide range of individuals in most healthcare settings, suspending any expectation of privacy and security.
For obvious reasons, fax machines must be located in secure, non-public areas to prevent unauthorized personnel from viewing faxes. Office staff should always verify the recipient’s fax number and use a cover sheet that does not include PHI.
Sending a fax to the wrong number is one of the most common errors, as evidenced by a number of reported breaches. Last year, Oakland, Calif.-based West Coast Children’s Clinic had to notify patients of a HIPAA breach after it faxed a patient’s PHI to an incorrect fax number. The data included the patient’s name, date of birth, developmental and psychological treatment history, family history, educational history, testing results and prescribed treatment.
What are the lessons to be learned? Make sure security safeguards are in place when using the fax machine to transmit PHI, and confirm your staff is properly trained in handling and transmitting patient information.
The move to Internet fax
Internet fax, which uses Internet Protocol rather than phone networks and replaces paper with digital transmissions, has emerged as a popular alternative to the traditional fax. Internet fax is typically provided as a hosted service, whereby health providers can subscribe to a third-party entity that converts emails and other content to faxes.
Typically no human interaction occurs, thereby eliminating forgotten, lost or misused faxes that might be lying around. This change in workflow reduces risk and offers added convenience and efficiency over traditional fax machines. For healthcare providers that aren’t ready to eliminate fax altogether, moving to secure Internet fax can be a valuable step toward mitigating the inefficiencies and security risks posed by traditional fax machines.
To comply with HIPAA privacy rules, the Internet fax service provider has to follow security measures and other factors pursuant to HIPAA regulations. Electronic PHI data, for example, needs to be encrypted during transport as well as when it is being stored.
The Internet fax service provider also needs to sign a business associate agreement, which authorizes them to become a business associate and create, receive, maintain or transmit electronic PHI on the covered entity’s behalf. Most agreements also hold fax service providers accountable to safeguard PHI, sharing the responsibility with the health provider.
Go beyond fax — look to the cloud
In addition to Internet fax capabilities, some healthcare data management products offer additional capabilities including cloud-based storage, retrieval and other forms of secure file transfer. Cloud-based solutions make data management and recovery far easier than on-site servers, enabling practices to scale as data volume grows, a key consideration as EHR adoption climbs.
Practices can leverage integrated data storage, retrieval and file transfer solutions to securely store, back up and instantly retrieve data whenever it is needed, while also choosing their method of transmitting files. With SurMD’s SurLink, users can send documents, medical images and other files either through a secure link with an email notification or through a fax number. The user receives notification after the file transmits successfully, with a log of all transmission activity automatically updated for tracking purposes. With digital fax, all activity can be tracked, which adds the benefit of accountability.
If you are considering a cloud-based data management product, be sure to look for a HIPAA-compliant vendor and ask how to encrypt patient data. Despite its importance, encryption remains a sore spot for health providers. Data should always be encrypted both when it is being stored, as well as when it is being transferred from provider to patient and from provider to provider.
Healthcare still has a long way to go before it stops using the fax machine. Eventually, the sun will set on this relic of the past, and it will go the way of the dinosaur. Until then, healthcare organizations can deploy integrated data management products with Internet fax to migrate from paper to digital fax. This move will provide added efficiencies and security protections when transferring sensitive patient information.
About the Author: Yvonne Li is a technologist and business development executive. She is an expert in cloud storage, healthcare data exchange, Internet business models, SaaS and content engagement platform design. She is the co-founder of SurMD, a cloud storage technology company, and has launched a line of HIPAA-compliant cloud services. Li currently serves as VP of Business Development at SurMD, and can be followed on Twitter at @mySurMD.