Coping with HIPAA regulations: Electronic faxes

The Health Insurance Portability and Accountability Act mandates reasonable safeguards in communicating patient medical data from one care provider to another. In this second of two columns on the subject, we look at alternatives to old-fashioned fax machines, which can accidentally transmit private data to an unexpected recipient.

What are "reasonable safeguards" for transmitting patient data beyond the simple methods detailed in the HIPAA document discussed in the previous column?

Let's start with verbal communication. My wife Deborah and other doctors always limit mention of the complete name of any patient. If Deborah has to speak to one of her colleagues about patients on the phone, I leave the room (or if it's nighttime, I usually plug earphones in to continue my long-standing review of Star Trek series – at the time of writing, I've gone through the entire "Star Trek: The Next Generation" series again and am in year four of "Star Trek: Deep Space Nine"). However, Deborah rarely has to mention the full name anyway – it usually suffices for her to say something like "Yes, that patient I saw on Tuesday afternoon who had the severe anosognosia" for there to be no ambiguity about the subject for her colleague.

If records are sent by fax or e-mail, one of the critical issues is that the target must be absolutely correct. One way to reduce errors in sending faxes is to get rid of clunky, outdated physical fax machines and use Internet-mediated faxing. The bother of printing (!) electronic medical records so that they can be scanned, sent by phone line, and reconstituted as fuzzy versions on the other end seems to me to contribute to errors at every level: pages can fall out of the stack being sent or be double-fed so that information is never transmitted; transmission errors can obscure part of the received fax; and most important, punching numbers into the fax manually makes it more likely that a wrong number will be composed – and the little liquid crystal displays on many fax machines hardly make it easy to spot the error. Worse, once the wrong number has been punched in, it may be used at once when the sender pushes the SEND button: there's little time for checking. Finally, once the fax has been sent, the paper original sits unprotected on the fax machine, accessible to anyone with physical access to the unit. Sensitive documents must be manually shredded after they've been sent. What a mess!

In contrast, sending an e-mail does display the intended (or unintended) recipient in clear text on screen before the sender finishes the document. Better still, e-mail systems normally allow the e-mail (and fax) information for the desired recipient to be accessed automatically by entering the name of the recipient, making it much easier to spot errors than by looking at numbers alone.

One solution is offered by Sfax, which has a summary of its security mechanisms online in HTML and as a PDF file. Among other features, Sfax requires secure identification and authentication to send faxes and stores lists of recipients to reduce the risk of typographic errors in destinations. Faxes can be created directly by the electronic medical records systems instead of being printed on paper, reducing the risk of having unshredded paper lying around. Recipients receive a notification by e-mail that there is a secure fax and then download the files. The service keeps an audit trail. Costs are modest for individuals or for institutions and are volume-based.

In summary, in the words of Sting's song, "There is a deeper wave than this / Tugging at your hand." Get rid of your fax-machine anchor!

[Disclaimer: I have no connection whatever to Sfax: I just studied their Web site as I researched this issue for these articles.]

