Sunday, August 16, 2015

HIPAA and Faxing

So AT&T calls customers to tell them to get off the copper. Migrate to VoIP. As if it were that easy.

SIP trunks typically do not play well with fax. AT&T and Level3 do not recommend their SIP trunks with faxes.

Enter the efax services. However, if a healthcare office is going to go efax, there are HIPAA compliance issues. Some fax services are store-and-forward, so how is the data stored? Is it encrypted?

The HIPAA/HITECH law states that a service provider that has contact with Protected Health Information (PHI) must provide a BAA (business associate agreement). Efax by J2 does a good job of explaining the BAA here. The federal government explains it here.

There are companies that specialize in healthcare faxing, like Scrypt.

There is a PhD who explains how to fax within compliance using efax by J2 enterprise.

The problem can be the email. Because efax sends the fax as an email attachment, that email may have to be compliant too. Even Faxage suggests secure email.

“If you use a cloud-based service, it should be your business associate,” David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, said in this Yahoo small business article. “If they refuse to sign, don’t use the service.” [source]

Want to see some BAA examples? Here and Here.
