It is crucial to identify the difference between standard faxes and digital faxing services. Standard fax machines, those which are used to send a physical document from one fax machine to another, have long been used by healthcare groups, and in many cases, to transmit documents including protected health information.
Transmissions are shared without first completing a business associate agreement – or BAA – with telecommunications firms. That is because telecoms businesses, such as AT&T, are covered by the HIPAA conduit exception rule.
The HIPAA conduit exception, in short, details the types of communications services do not need a business associate agreement – Services that are merely mediums through which information flows. Any data sent by standard fax, or is sent over the telephone, is not subject to HIPAA laws in the same way that other communications channels including SMS and VOIP are.
However, digital fax services like HelloFax are not included under the HIPAA conduit exception rule, therefore, the use of the service for sharing any documents containing PHI would be subject to HIPAA Rules. So, is HelloFax HIPAA compliant, and can it be used by healthcare groups and other entities bound by HIPAA Rules?
Can HelloFax be Deemed HIPAA Compliant?
It is crucial to note that no software, product, or service can be referred to as truly HIPAA compliant, as HIPAA compliance depends on users of the software, product, or service. It is more a case of ifa product or service can be implemented in a HIPAA compliant manner without breaching the HIPAA Privacy or Security Rules.
In order for any communications channel to be used by a HIPAA-covered entity or business associate of a covered entity, it is necessary to ensure that appropriate security measures are in place to ensure the confidentiality, integrity, and availability of PHI.
In this manner, HelloFax ticks the right boxes. Fax transmissions are safeguarded with end-to-end encryption from sender to recipient. The method of encryption used for data in transit and at rest is AES-256-bit, which certainly meets the lowest standards for data encryption required by HIPAA.
Along with this, each unique key is encrypted with a constantly rotated master key, so even if the hard drive on the machine on which the fax was sent/received was seen, it would not be possible to view data. HelloFax also has stringent controls in place to ensure its data center is physically safeguarded. The company says it has “bank-grade” physical and digital security.
While security may not appear to be an issue, there is the matter of the business associate agreement, which is obligatory. There is no reference to a BAA on the main website at the time of writing, although there is a post in the company blog – dated May 17, 2017 – confirming that the service is now SOC 2 and HIPAA compliant. HelloFax has been independently verified as complying with HIPAA security standards by an (unnamed) independent third-party. HelloSign will sign a BAA with HIPAA-covered groups who wish to implement its HelloFax service.
HelloSign reveals: “For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), HelloSign can also support HIPAA compliance. HelloSign now has the ability to sign a Business Associate Agreement (BAA) with any of our customers in the healthcare, pharmaceutical, and insurance industries. Under a BAA we are bound to operate specific controls to protect your electronic protected health information (ePHI).”
However the BAA is not provided to all HIPAA covered groups, only those with a minimum annual spend of $10,000.
HelloFax is not covered by the HIPAA conduit exception rule, so once a business associate agreement has been obtained, and users ensure access controls are enabled, HelloFax can be thought of as a HIPAA compliant fax service.