Is HelloFax HIPAA Compliant?

Since the publication of this article, HelloFax has been acquired by Dropbox and rebranded as Dropbox Fax. There is no indication in the terms and conditions that Dropbox will enter into a Business Associate Agreement for Dropbox Fax, and we have to assume the service no longer supports HIPAA compliance. Organizations using the service under a previous Agreement are advised to speak with Dropbox and clarify their positions.  


Can healthcare organizations use HelloFax to send documents containing protected health information (PHI)? Will using this fax service be regarded as a violation of HIPAA Rules?

It is necessary to differentiate between standard fax machines and electronic faxing services. Regular fax machines transmit a physical document from one fax machine to another. Healthcare organizations have long used this equipment to transmit documents, including those containing PHI. There is no need to enter into a business associate agreement (BAA) with telecommunications companies before transmitting documents this way, because telecommunications carriers such as AT&T are covered by the HIPAA conduit exception rule.

The HIPAA conduit exception rule exempts certain types of service providers from needing to sign a business associate agreement. These services merely act as conduits through which information passes. Data sent via standard fax or disseminated over the phone is not governed by HIPAA regulations, unlike other channels of communication such as SMS and VoIP.

Digital fax providers like HelloFax, however, are not covered by the HIPAA conduit exception rule, so using the service to transmit any file that contains PHI is regulated by the HIPAA Rules. Speaking specifically about HelloFax, then: is it HIPAA compliant?

It is necessary to know that no software, product, or service is regarded as truly HIPAA compliant, because HIPAA compliance also depends on the users of the software, product, or service. The real concern is more about whether using a product or service is possible without violating the HIPAA Privacy or Security Regulations.


To determine whether a communications channel is HIPAA-compliant, check whether it has the right safeguards to guarantee the integrity, confidentiality and availability of PHI. In this regard, HelloFax has the following security controls:

  • Fax transmissions are secured by end-to-end encryption from the sender to the receiver. HelloFax uses AES-256 to encrypt data both in transit and at rest, which satisfies HIPAA's minimum standard for data encryption. On top of that, each individual key is itself encrypted with a regularly rotated master key. Therefore, even if an unauthorized person gained access to the hard drive of the machine on which a faxed document was sent, received or stored, they could not read the data.
  • The HelloFax data center has rigid controls to ensure physical security. The company states that it has “bank-grade” physical and digital security.

While there seems to be no issue with HelloFax's security, the concern is the required business associate agreement. The HelloFax website does not state whether the company is willing to sign a BAA. However, an article published on the firm's blog on May 17, 2017 states that HelloFax is SOC 2 and HIPAA compliant: an unnamed independent third party verified that HelloFax meets HIPAA security standards, and the company said it will sign a BAA with HIPAA-covered entities in the healthcare, pharmaceutical, and insurance industries that want to use its services. At the time the post was published, though, HelloFax limited this offer to HIPAA-covered entities with a minimum yearly spend of $10,000.

In summary, HelloFax may be considered HIPAA compliant. Although the company does not fall under the HIPAA conduit exception rule, it has the required security controls to keep PHI safe and will also sign a business associate agreement with users of its services. So long as users operate HelloFax in a HIPAA-compliant manner, there is no problem.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/