What should you be asking your fax provider about their HIPAA compliance?
What happens in the event that the fax service suffers an outage?
It may not be immediately obvious how a service outage impacts HIPAA compliance, so here’s a quick explanation:
Many fax service providers have the concept of “primary” and “backup” servers or data centers. Often, it is only the primary components which are HIPAA compliant. Should an outage occur, your PHI could suddenly find itself being routed through servers and/or data centers which are not HIPAA compliant. Making matters worse, that lack of HIPAA compliance may well be a product of less-than-adequate security, meaning your data could be at risk. A HIPAA compliant fax provider will have clear, detailed documentation on the policies and procedures in place to handle any such service outage. This documentation should include information on the provider’s network failover protocol, so you know whether PHI stays on compliant infrastructure during a failover. In short, if you cannot be sure exactly how your faxes are going to be transported in the event of an outage, keep looking…
Is the fax service exempt from HIPAA through the conduit exception?
While this may not be a question to ask a vendor directly, if you come across a cloud fax provider that claims exemption from HIPAA because of the conduit exception, they’re wasting your time. The reality is, no fax service provider can qualify for the conduit exception, which is defined by the Department of Health and Human Services (HHS) as,
“…a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents.”
While some cloud fax providers may attempt to claim that they qualify as an “electronic equivalent,” this is never the case. Online fax services do more than just transfer documents from point A to point B. Both incoming and outgoing faxes will also be stored (no matter how briefly) on the provider’s servers. Because of this, a cloud fax service does not qualify as a HIPAA conduit.
Similarly, if a fax provider claims to be both HIPAA compliant and a HIPAA conduit, they’re not giving you the full story.
How does the fax service mitigate the risk that comes with signing a BAA?
First off, if a fax provider is hesitant to sign a BAA – move on, as they are clearly unqualified to handle your data. Unfortunately, that still leaves many providers who are equally unqualified yet perfectly willing to sign a BAA.
Validating a provider’s ability to comply with HIPAA (rather than simply their willingness to accept part of the risk) means understanding the specific requirements HIPAA details for operational, physical, network and application-level security of the documents in question. For many fax service buyers, this can be a daunting task, but Concord’s Cloud Fax Reference Guide contains everything you need to know in order to vet potential providers.
Have questions beyond HIPAA?
Download your free Concord Cloud Fax Reference Guide.
Everything you need to effectively build a detailed set of requirements for your fax project.