Supposedly a relic of a bygone era to some people, the humble fax machine remains in use in some industries like healthcare. In 2021, the latest for which statistics are available, the Office of the National Coordinator for Health Information Technology estimated that about 70% of healthcare organizations still rely on faxing for their communication needs. (1)
Although traditional faxes are compliant under the Health Insurance Portability and Accountability Act (HIPAA), they are under pressure to be retired. The manual effort required to operate them takes doctors’ time away from patient care. They also aren’t practical for sending a ream’s worth of medical records to a patient.
Despite inevitable hurdles, healthcare organizations are urged to adopt electronic health records (EHRs) and the means to exchange them. Modern fax solutions, such as electronic or digital faxes, have proven worthy successors, down to securing patient data.
Secure Data Transmission
Cybercriminals have many ways to breach an organization’s servers, one of them being data interception. As the term implies, this practice involves gaining access to information while it travels across the network. The receiver still gets their data, but so does the attacker.
In the case of faxing, experts say intercepting a transmission is no different from intercepting a phone call. One form of data interception that applies here is wiretapping: installing a data capture device somewhere along the path. That device can sit on the phone line, at the telecom provider’s central office, or on the target’s own equipment.
Legacy fax machines transmit information over physical phone lines. Although that makes them more resistant to purely digital attacks, the lack of encryption means anyone tapping the line can read the information as it transits the network. Electronic faxing is not impervious to attack either, but it adds security measures.
A HIPAA-compliant eFax healthcare fax solution secures data in transit with the Advanced Encryption Standard (AES). AES turns the document into ciphertext that is unreadable to anyone who intercepts it; making sense of the data requires the decryption key, which is provided only to the intended recipient. (2)
Paperless Exchange
Contrary to a persistent belief, HIPAA wasn’t enacted with the idea of a paperless medical facility in mind. It was primarily designed to standardize the means of securing a person’s healthcare information across the U.S. Two rules are key to HIPAA compliance. (3)
- Privacy rule: This rule outlines and upholds guidelines for ensuring an individual’s right to access their EHRs. It also explains the need for covered entities (e.g., healthcare insurance companies) to secure an individual’s consent before accessing their EHRs.
- Security rule: This rule outlines and upholds guidelines for protecting individuals’ records from unauthorized access. Some of these include ensuring confidentiality and detecting and reacting to threats.
That said, going paperless is one of the Act’s side effects. Electronic documents are easier to create and send to large groups of people than paper copies. A hard drive can store tens of thousands of such files, as opposed to cumbersome drawers holding binders or folders’ worth of physical medical records.
Digital faxes also solve the long-standing issue of maintaining fax quality. Various factors affect how a fax appears, from the type of paper used to line interference. Electronic faxes won’t always need to be printed; instead, they can be accessed via a desktop PC or any device. How a file appears when uploaded is how it’ll appear when received.
The absence of a tangible copy lowers the risk of sensitive documents ending up in the wrong hands: without a physical copy to leave behind, patient records can’t be left in a random, let alone unsecured, place.
Business Associate Agreement
While HIPAA compliance is mandatory for covered entities, most don’t perform every relevant activity themselves. An HMO provider may outsource claims processing to a third-party administrator, or a clinic or hospital may outsource its accounting to a firm. This poses an issue because these outside parties will also need some degree of EHR access. Covered entities that outsource such services are obligated under the Act to enter into a Business Associate Agreement (BAA) with the service provider. This legally binding contract sets the limits on disclosure of health information and guidelines for its use. In a way, HIPAA compliance matters as much to a business associate as to a covered entity. (4)

Electronic fax services are business associates, as they deliver fax solutions to healthcare organizations. Some of their responsibilities under a typical BAA include: (4)
- Not disclosing information other than what’s allowed under the BAA
- Making health information available as a designated record set
- Complying with applicable provisions stated under 45 CFR Part 164
Before establishing a BAA, covered entities are encouraged to conduct background checks on potential business associates. A legally binding contract won’t stop dishonest business associates from acting in bad faith. Even after the BAA is signed, covered entities still need to conduct annual reviews of their business associates.
Audit Control
It’s one thing to produce and disseminate medical records in an electronic format, but it’s another to track their movements. A document that shouldn’t be moving too freely across the organization, let alone outside of it, signals a potential HIPAA violation.
Such offenses carry both civil and criminal penalties that can cost an organization millions. Last February, the HHS Office for Civil Rights fined an eyewear manufacturer $1.5 million in civil penalties for failing to implement sufficient safeguards under HIPAA. The data breach, later confirmed to be a credential stuffing attack, affected close to 200,000 individuals. (5)
Being unaware of threats is no excuse, which is why proper internal audit control is crucial. Part of it is effective document management, allowing users to locate key documents and trace their access history.
Some modern fax solutions have audit control built into them. Besides tracking EHRs and other documents, they can also lock them behind AES 256-bit encryption and password protection. Any document sent out will have information on the sender’s identity and the time of sending.
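To make the audit-control idea concrete, the following added example (not code from the page or from any fax product) runs two simple checks over a constructed fax audit trail: a document sent to a destination outside the organization and its assumed BAA-covered associates, and a document viewed by more distinct users than a threshold allows. The domain names, the approved-recipient list, the log format and the threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (not from the page or any real product).
# Each line: ISO timestamp, actor, action, document id, destination ("-" for none).
AUDIT_LOG = """\
2025-03-03T09:12:04 dr.lee@clinic.example view DOC-1001 -
2025-03-03T09:14:30 dr.lee@clinic.example send DOC-1001 billing@clinic.example
2025-03-03T10:02:11 nurse.kim@clinic.example view DOC-1001 -
2025-03-03T10:05:45 nurse.kim@clinic.example send DOC-1001 fax:+15550100
2025-03-03T11:40:00 intern.ray@clinic.example view DOC-1002 -
2025-03-03T11:41:10 intern.ray@clinic.example send DOC-1002 records@partner-lab.example
2025-03-03T12:00:00 admin.oz@clinic.example view DOC-1001 -
2025-03-03T12:01:00 front.desk@clinic.example view DOC-1001 -
"""

INTERNAL_DOMAIN = "clinic.example"           # assumed organization domain
APPROVED_EXTERNAL = {"partner-lab.example"}  # assumed BAA-covered recipients
MAX_DISTINCT_VIEWERS = 3                     # assumed threshold for "moving too freely"

def parse_log(text):
    """Parse the whitespace-separated audit lines into dictionaries."""
    records = []
    for line in text.splitlines():
        ts, actor, action, doc, dest = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                        "action": action, "doc": doc, "dest": dest})
    return records

def is_external(dest):
    """True if a send destination lies outside the organization and its approved associates."""
    if dest == "-":
        return False
    if dest.startswith("fax:"):
        return True  # outbound to a raw phone number: treated as external by default
    domain = dest.rsplit("@", 1)[-1]
    return domain != INTERNAL_DOMAIN and domain not in APPROVED_EXTERNAL

def find_violations(records):
    """Return (kind, document, detail, destination) tuples worth a compliance review."""
    findings = []
    viewers = defaultdict(set)
    for r in records:
        if r["action"] == "send" and is_external(r["dest"]):
            findings.append(("external_send", r["doc"], r["actor"], r["dest"]))
        if r["action"] == "view":
            viewers[r["doc"]].add(r["actor"])
    for doc, who in viewers.items():
        if len(who) > MAX_DISTINCT_VIEWERS:
            findings.append(("wide_access", doc, len(who), None))
    return findings

if __name__ == "__main__":
    for finding in find_violations(parse_log(AUDIT_LOG)):
        print(finding)
```

On the sample trail, the send of DOC-1001 to a raw fax number is flagged while the send to the approved partner lab is not, and DOC-1001 is flagged for being viewed by four distinct users.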
Conclusion
Adopting HIPAA-compliant technologies isn’t easy, but neither is continuing to rely on legacy systems like traditional fax machines. Safeguarding patients’ information is as much a responsibility of healthcare organizations as managing their health. It’s time to retire the old fax machine in favor of more modern solutions like electronic fax services.
References
1. Brown C. Health Care Clings to Faxes as U.S. Pushes Electronic Records [Internet]. Bloomberg Law. Available from: https://news.bloomberglaw.com/health-law-and-business/health-care-clings-to-faxes-as-u-s-pushes-electronic-records
2. Evans D, Brown K, Bond P. FIPS 197, Federal Information Processing Standards Publication: Advanced Encryption Standard (AES) [Internet]. 2001 Nov 26. Available from: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197-upd1.pdf
3. CDC. Health Insurance Portability and Accountability Act of 1996 (HIPAA) [Internet]. Public Health Law. Centers for Disease Control and Prevention; 2024. Available from: https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html
4. Office for Civil Rights (OCR). Business Associate Contracts [Internet]. HHS.gov; 2008. Available from: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
5. Whisnant G, Mesa J. Warby Parker Has to Pay $1.5 Million for Cyberattack: Who Was Impacted? [Internet]. Newsweek; 2025. Available from: https://www.newsweek.com/warby-parker-has-pay-15-million-cyber-attack-who-was-impacted-2040103