HIPPA and Faxing: A Potentially Dangerous Combination
The Right to Privacy
In 1890, Supreme Court Justices Samuel Warren and Louis Brandeis published “The Right to Privacy” in the Harvard Law Review. They defined privacy as the “right to be left alone.” Over 100 years later the Health Insurance Portability and Accountability Act (HIPAA) established a set of standards for protection of personal health information (PHI).
The world has changed greatly in that 100 years. There was and is a serious need to ensure accountability; to establish a national uniform baseline for privacy and uniform standards for transmission of health information. Today, almost everyone carries a smartphone and has a computer, laptops, and/or notebook to transmit words and images on a host of sites such as SnapChat, Twitter, Facebook, and YouTube for all to see…forever.
And, while there are many seminars and webinars regarding texting and the potential perils of using a mobile device to transmit patient information, no one is talking about faxing. It seems to be such a benign device. But, it is not. Breaches are on the rise. The Office of Civil Rights (OCR) is stepping up their audits.
Many agencies do not have adequate policies that cover the faxing process. First of all consider, is all the faxing done in your agency really necessary? Scanning and email or use of traditional postal service should be considered, if possible. It can be safer.
Consider setting up a “To be Faxed” sending bin close to the fax machine. This way faxing can be done when it is less busy in your agency office. This can reduce errors of transposed or incorrect digits because the sender’s mind may not be fully on the task.
Policy and Procedures For Home Health Agencies
Have a policy requiring reconfirmation of all fax numbers at least every 6-12 months. Your agency should fax an “Agency Fax Number Confirmation” sheet to all offices faxed routinely and confirm their fax number. Have them confirm, sign, date it and fax it back to your agency. Recently, an agency learned that certain numbers embedded in the EMR used had some outdated numbers. Your fax sheet should have your Agency name, phone number, fax number, address, and contact personnel if there is a question. It should include the legal warning as to what a person should do if the fax is sent to the wrong person or agency/company/practice. Include the person and number at your agency who should be contacted in case of a mistaken fax.
HIPAA HITECH has teeth now and the fines are significant. Your bottom line is fragile as is your agency’s reputation. Don’t jeopardize either with an inappropriately sent fax.