HIPAA Compliant Fax Cover Sheet: Why You Need Them and Examples

If you mention the word “Fax” to anybody that doesn’t work for an organization that serves the healthcare industry, they’re going to give you a confused look.

According to Insider, if the person you mentioned that word to is a part of Generation Z, they might not even know what that is. They’ll probably think you’re using the widely accepted slang used to agree with someone, “facts”, instead.


Yet, even though it’s widely assumed that communicating via a fax machine is obsolete, it’s growing in popularity. This growth isn’t due to nostalgia, as with vinyl records; businesses use faxing to communicate with one another because it’s secure.

In fact, fax usage grew by almost 30% in 2017 alone.

That means that the perception that no one uses this type of communication anymore because it predates the phone is flat-out wrong. I’m not trying to shame you if you fell into that category; I was in the same boat until I conducted research before writing this blog post.

If you’re in healthcare, the statistic above doesn’t surprise you. I’d even wager that you’ve sent a fax already today. I’m so confident in that statement because 90% of healthcare organizations still rely on communicating with one another this way.

But why do doctors and health professionals rely so heavily on faxing?

It’s one of the most secure forms of sending messages on the planet and it has held that title for decades.

As a result, healthcare organizations may send faxes back and forth to one another without needing to worry about receiving a fine from the Department of Health and Human Services (HHS) for violating HIPAA.

Yet, healthcare entities can’t assume that faxing makes them immune to experiencing a breach. They still need to implement additional steps to safeguard the data that they’re sending to one another to further mitigate risk.

One of the most effective ways to avoid any potential violations when sending this type of message is by creating and utilizing a HIPAA compliant fax cover sheet. The only question then is, “What do those look like?”


Does HIPAA Require a Fax Cover Sheet?

The short answer is no. Nowhere in HIPAA does it come out and state that healthcare providers or other covered entities must attach a cover sheet to all of the faxes that they send.

Yet, even though it’s not a direct requirement, it’s a best practice. Let me give you a scenario that explains why that’s the case.

You work at a general practitioner’s office that sees a high volume of patients. Awesome.

Between the patients coming in with the flu and strep throat, it’s only a matter of time before the head doctor sees a client who needs a specialist. A patient comes in one day with a foot problem that can’t get treated at the office where you work.

Luckily, the doctor has a few decades of experience under his belt (hopefully he doesn’t retire anytime soon), so he has a solid list of podiatrists to refer this patient to.

The patient chooses which specialist to see and lets the doctor know. Once the initial appointment concludes, the doctor then has to send the patient’s record to the specialist so that she can prepare for the referred appointment.

The doctor delegates the work of sending the information to you, the practice manager. You fax the information to the specialist. This process isn’t uncommon; it happens at thousands of other healthcare organizations every day.

However, what happens next is where you run into trouble. You sent the patient record via fax due to how secure it is. Sending the record this way isn’t the problem. What ends up happening, though, is that the records print out at the specialist’s office and sit on the printer’s shelf for one full day.

In other words, whoever walks past the fax machine may readily view the patient’s records for one full workday. Technically that is a HIPAA violation and the fault lies with both organizations. On your end, it’s your fault that you didn’t protect a patient’s sensitive information. That’s against the overall rules highlighted within the Security Rule.

via HHS


It’s not like you’re going to go to jail for what happened. However, you might end up having a sit-down meeting with the head doctor about what happened.  

Yet, you could’ve avoided this violation entirely if you attached a fax cover sheet.

Why Do I Need a HIPAA Compliant Fax Cover Sheet?

HIPAA compliant fax cover sheets exist to mitigate any of the risks associated with sending sensitive data to another organization.

In other words, it’s an added step in protecting your organization from any external factors leading to a violation.

Let’s rewind the scenario above. If you were to add a cover sheet to the patient’s record before you faxed it over to the podiatrist, things would’ve been different. The fax would’ve printed out at the podiatrist’s office and still sat on the rack for a day, but it wouldn't have mattered nearly as much this time around.

Other unauthorized employees walking by wouldn’t have been able to catch a glimpse of the patient’s records because the cover sheet would’ve blocked all wandering eyes.

Your organization may be paperless. After all, practically 90% of healthcare entities used electronic formats in 2017.

If you’re a part of that majority, you most likely use an electronic fax system. In other words, you’re probably wondering whether or not there’s a point to having a cover sheet if everything is electronically sent. The answer to that question is still yes.

Implementing them within your electronic faxes helps your organization stay in compliance with the technical safeguard requirements imposed by the Security Rule. More specifically, they further help you satisfy the access control standard.

In other words, electronic fax cover sheets further ensure that individuals have access only to data that they have permission to view.

What Should My Cover Sheet Contain?

Now that we’ve established that using a fax cover sheet helps your compliance efforts, the next question becomes, “What should it contain?”

Since HIPAA doesn’t come right out and state that these sheets are a requirement to achieve compliance, what they should contain isn’t set in stone either.

However, there’s information that’s wise to consider including to further mitigate risk and help your recipient identify what they’re receiving without causing a breach.

Your cover sheets should include…

  • Your organization’s name and/or branding

  • The name of the employee who’s sending the information

  • Your organization’s phone number, email address and address

  • The date and time of sending

  • The fax number that you’re sending the information to

  • A fax cover sheet disclaimer that’s reviewed by your corporate counsel


All of that information helps both parties involved by making what’s faxed identifiable without going too far.

In other words, you can send over the patient record from the earlier example with peace of mind. A well-formatted cover sheet makes it so that an unauthorized individual can pick up the record and deliver it immediately, without having to worry about an unintentional HIPAA violation.

Everything listed in my recommendations within this section is straightforward except one: the disclaimer.

Should I Use a HIPAA Fax Cover Sheet Disclaimer?

Naturally, the answer to the question of the headline of this section is, “Yes.” I wouldn’t have included it within the recommendations earlier if it wasn’t a good idea to include it within your HIPAA compliant fax cover sheets.

Your disclaimer is a nice touch that tells the recipient what your fax contains and that unauthorized individuals don’t have permission to look past the front page.


Of course, at the end of the day, it’s just written words, so disclaimers have a limit on their effectiveness. Yet, it turns your cover sheet into an official, legal document that communicates consequences for curiosity.

When you’re drafting your disclaimer, keep it brief and direct. Use your HIPAA email disclaimer as the basis since those accomplish a similar mission. Then, work with your corporate counsel once you’re finished to ensure that what you say works.

Conclusion

Although the majority of people assume that faxing is an outdated form of communication that’s in decline, that’s not the case. Using a fax machine to send sensitive data remains one of the most secure ways to send data among organizations.

Since healthcare facilities and other covered entities handle some of the most sensitive information on the planet, it makes sense that they’re some of the busiest faxers. But just because it’s secure doesn’t mean it’s impervious to HIPAA violations and breaches.

Medical professionals and administrators can’t rely solely on the good faith of their recipients. After all, the 7th largest HIPAA fine in history went to a breach caused by a business associate.

Thus, the little details matter. In other words, something as small as attaching a HIPAA compliant fax cover sheet could be the difference between facing a fine from the HHS and not.