But determining whether your fax solutions meet all necessary guidelines and legal requirements can be overwhelming, particularly as it concerns the treatment of Protected Health Information (PHI) by a covered entity (CE) or business associate (BA).
The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) establishes regulations for the use and disclosure of an individual’s PHI held by a CE, which can include clearinghouses, employer-sponsored health plans, health insurers, and medical service providers.
A BA is held to the same high standard for the protection of patient privacy, and is defined as a person or organization (such as j2 Cloud Services) that performs certain services for a CE involving the use and/or disclosure of PHI. When PHI, or its electronic equivalent, ePHI, is transferred from one computer to another, HIPAA security measures need to be implemented by both the CE and the BA.
According to the Administrative Safeguards of the HIPAA Security Final Rule, a CE may permit a BA to create, receive, maintain, or transmit ePHI on the CE’s behalf only if the CE obtains satisfactory assurances, in accordance with 45 CFR §164.308(b), that the BA will appropriately safeguard the information.
Do you have a secure cloud fax solution? Does it meet HIPAA fax standards? Below are the top four questions any fax vendor seeking your business must answer affirmatively:
Our secure fax service stores your faxes digitally on our secure cloud using sophisticated 256-bit AES encryption and advanced security measures at our telco-grade colocations. Outsourcing your fax process to us lets your team eliminate the fax machines, fax servers, fax lines, and paper-based faxes that can leave your organization vulnerable to noncompliance with HIPAA.
Access Control: Requires covered entities to “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) [Information Access Management].”
The Sfax cloud fax solution includes unique user identification, administrator privileges to grant and remove access, next-generation (256-bit AES) encryption and other protocols to limit access to your organization’s authorized personnel only. Inbound documents may be sent to only the intended recipient’s email, limiting exposure and disclosure risks associated with faxing to a physical fax machine.
Transmission Security: The Transmission Security Standard, 45 CFR § 164.312(e)(1), requires that a covered entity “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
Sfax implements the highly secure Transport Layer Security (TLS) protocol, approved and recommended by the National Institute of Standards and Technology (NIST), for document transmissions to ensure that your ePHI (and other business faxes) are never vulnerable at any point in transmission.
Data Encryption: Where implementation is a reasonable and appropriate safeguard for the covered entity, the covered entity must: “Implement a mechanism to encrypt and decrypt electronic protected health information.” 45 CFR § 164.312(a)(2)(iv).
Sfax keeps your faxes encrypted at all times — both in transit and at rest. Storage of documents uses the NIST-recommended AES 256-bit encryption and robust in-transit TLS encryption. All data is secured and stored at our geographically redundant, Tier III and Tier IV colocations, which themselves are protected by multiple security layers 24/7/365.
Audit Control: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” 45 CFR § 164.312(b).
Sfax employs multiple levels of audit control — from secure and automatic archiving of all faxes sent or received through Sfax for the life of your organization’s account, to transmission tracking with unique patient identifiers.