QA Reader Blog

How to Fax Personal Health Information and Stay HIPAA Compliant

Posted by QA Reader on March 1, 2016 at 10:35 AM

Faxing of personal health information (PHI) is allowable by the HIPAA Privacy Rule. In this article, we give you a bit of background into the HIPAA Privacy Rule and give some best practices in faxing and emailing incident reports to QA Reader.

The HIPAA Privacy Rule

The HIPAA Privacy Rule (“The Rule”) set national standards to protect personal health information. It applies to long term care providers that “conduct certain health care transactions electronically.” The Rule requires long term care providers and their business associates to establish appropriate safeguards to protect the privacy of PHI. The Rule also sets limits on the uses of the information without your resident’s authorization.

Is Faxing Personal Health Information (PHI) Allowable by HIPAA?

According to the American Medical Association and the Department of Health and Human Services, faxing PHI is allowable as long as you take “reasonable and appropriate safeguards” to limit the disclosure of the PHI to an unauthorized person.

One example of a reasonable safeguard is to require your staff to verify the recipient's fax number and use a cover sheet that does not include protected health information.

Another example is to limit the amount of information disclosed to the minimum necessary to accomplish the purpose of the disclosure. For instance, when you report an incident to your risk management provider, don’t include the resident’s social security number (SSN) because that bit of PHI is not integral to the risk management purpose of the transmission.

Do your best, but don’t let your actions impede your ability to provide quality care. According to the Privacy Rule, “the minimum necessary standard should not interfere with (your) ability to provide appropriate treatment.”

QA Reader HIPAA Best Practices in Faxing and Emailing Incident Reports

QA Reader is the only long term care risk management solution that accepts data feeds from multiple sources: fax, email, and directly from our clients’ EHR systems. QA Reader accepts multiple data feeds because it keeps us agile and easy to implement and use at our client long term care facilities.

We suggest a few best practices when transmitting information to QA Reader.

  • Program the QA Reader fax number into your fax machine. Verify the number, then program it into your machine. Educate your staff regarding use of the programmed number. This is the easiest method of meeting the “minimum necessary” standard.
  • Remember to take the incident reports with you after the fax is complete. In other words, don’t leave a fax on the fax machine afterwards. Take the incident reports off the fax machine and archive them per your organization’s standard.
  • Don’t worry about a coversheet. We don’t use them. When you fax (or email) your incident reports to the QA Reader fax number, the incident reports are received by our data intake servers. There are no people in this process. QA Reader receives the incident forms and routes them to your organization’s HIPAA-compliant data store, based on the barcode on the form. We use optical mark recognition (OMR) technology to transfer information from the handwritten incident form to your QA Reader dashboard.

You can email your incident reports (attached PDFs) as well. According to the AMA and HHS, you may “use any method of communication — including e-mail, oral conversations, written letters, or other methods (including sending facsimiles) — so long as the physician uses reasonable and appropriate safeguards to protect the communication.”

Faxes are HIPAA-compliant as long as you take appropriate safeguards to protect against the unauthorized disclosure of personal health information. According to the HHS:

“The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.”

For more information, check out the HIPAA Privacy Rule, which is located at 45 CFR Part 160 and Subparts A and E of Part 164.

Next Steps

Learn more about the easiest quality assurance dashboard in long term care