Can healthcare organizations use HelloFax to send documents containing protected health information (PHI)? Will using this fax service be regarded as a violation of HIPAA Rules?
It is necessary to differentiate between standard fax machines and electronic faxing services. Regular fax machines transmit a physical document from one fax machine to another. Healthcare organizations have long used this equipment to transmit documents, including those containing PHI. There is no need to enter into a business associate agreement (BAA) with telecommunications companies before transmitting documents, because telecommunications companies such as AT&T are covered by the HIPAA conduit exception rule.
The HIPAA conduit exception rule exempts certain types of service providers from needing to sign a business associate agreement. These services merely act as conduits through which information passes. Data sent via standard fax or disseminated over the phone is not governed by HIPAA regulations, unlike other channels of communication such as SMS and VoIP.
Digital fax providers like HelloFax, however, are not covered by the HIPAA conduit exception rule, so using the service to transmit any file that contains PHI is regulated by the HIPAA Rules. Speaking specifically about HelloFax, is it HIPAA compliant?
It is necessary to know that no software, product, or service can be regarded as truly HIPAA compliant on its own, because HIPAA compliance also depends on the users of the software, product, or service. The real question is whether a product or service can be used without violating the HIPAA Privacy or Security Rules.
To determine whether a communications channel is HIPAA compliant, check whether it has the right safeguards to guarantee the integrity, confidentiality and availability of PHI. In this regard, HelloFax has the following security controls:
- Fax transmissions are secured by end-to-end encryption from the sender to the receiver. HelloFax uses AES-256 to encrypt data in transit and at rest, which satisfies HIPAA's minimum standard for data encryption. On top of that, each individual encryption key is itself encrypted with a regularly rotated master key. Therefore, even if an unauthorized person gains access to the hard drive of the machine on which a faxed document was sent, received or stored, they cannot read the data.
- The HelloFax data center has strict physical security controls. The company states that it has “bank-grade” physical and digital security.
While there seems to be no issue with HelloFax’s security, the concern is the required business associate agreement. The HelloFax website does not state whether the company is willing to sign a BAA. However, an article published on the firm’s blog on May 17, 2017 states that HelloFax is SOC 2 and HIPAA compliant. According to the post, an unnamed independent third party verified that HelloFax meets HIPAA security standards, and HelloFax will sign a BAA with HIPAA-covered entities in the healthcare, pharmaceutical, and insurance industries that would like to use its services. At the time the post was published, however, HelloFax offered to sign a BAA only with HIPAA-covered entities having a minimum yearly spend of $10,000.
In summary, HelloFax may be considered HIPAA compliant. Although the company does not fall under the HIPAA conduit exception rule, it has the required security controls to keep PHI safe and also signs a business associate agreement with users of its services. As long as users operate HelloFax in a HIPAA-compliant manner, there is no problem.