Faxing PHI is still a prevalent method of transferring information throughout the entire healthcare ecosystem. While the technology is rapidly changing in many areas of the industry, it is important to remember that “low-tech” methods can be useful in keeping faxed PHI secure. HIPAA allows PHI to be transferred by fax for treatment, payment, healthcare operations, and other reasons, assuming appropriate safeguards are in place. Here are a few best practices for securing PHI when it is transferred by fax:

  • Place the fax machine in a secure location that is not accessible to the general public;

  • Always use a cover page that includes the sender’s name and contact information, the intended recipient’s name, a confidentiality statement, and instructions to follow if it is sent to an unintended recipient. The cover page should not include any PHI;

  • Remove incoming faxes promptly; and

  • If your fax machine is storing any PHI, have a process to permanently remove it before you take the machine out of service.

Before you send a fax:

  • Double-check that you have correctly entered the recipient’s number; and

  • Consider programming numbers into the machine and confirming their accuracy with a fax containing no PHI.

Sending PHI to an unintended recipient is a common occurrence that should be investigated to determine if a breach of PHI occurred. If you send a fax to the wrong person:

  • Notify the appropriate person (i.e., Privacy Officer) immediately;

  • Attempt to retrieve all copies of the fax or ensure the recipient destroyed the fax; and

  • Complete an incident alert form as directed.

While it may not have seen the same technological improvements or disruptions as other methods of communication, if used appropriately, faxing can still be a secure way to exchange PHI.