Can I send a HIPAA compliant fax? Yes, but you should use email instead
by Kapua Iao
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. A major component of the legislation addresses HIPAA compliant communication.
Sharing important documents securely is fundamental to patient care. This guide will first summarize what we know about physical and electronic faxing (i.e. efaxing). But ultimately, we will make the case that HIPAA compliant email is by far a simpler and more secure communication method.
The outdated physical fax machine
Did you know physical, bulky fax machines are still in use in healthcare today? According to a 2019 report, 90% of covered entities (CEs) still rely on this obsolete equipment.
This is baffling considering obvious HIPAA-related problems with faxing and the existence of a more efficient, more secure method of communication: HIPAA compliant email.
For one thing, with faxing, no real physical or technical safeguards exist because a physical machine can easily be stolen or tampered with, and it cannot support encryption. Moreover, the possibility of human error (e.g., copies left behind or faxes sent to the wrong person) is apparent.
Finally, HIPAA requires maintaining paperwork for at least six years—that’s a lot of physical file space.
And this doesn’t even take into account that cybercriminals can hack into a fax line or the fact that sending a fax is neither easy nor fast.
Governments support transitioning away from fax machines
Since 2018, the National Health Service of the United Kingdom has worked to ban fax machines within healthcare facilities. Canada and the U.S. have had similar discussions, but without reaching consensus.
A shift to efaxing
Undoubtedly, a shift from physical faxing to efaxing provides some communication improvements, such as reduced upfront and maintenance costs, scalability of services, and the elimination of paper risks.
Efaxing uses the Internet and cloud services for the transmission and storage of faxes. This can be through a web interface, personal email account, and/or mobile application (or app).
Let’s take a closer look at a few efax companies and determine if they are HIPAA compliant.
Originally founded in 1988, eFax allows faxing through its website, personal email, and mobile app. Toll-free, local, and international fax numbers are available.
A Swiss company, Fax.Plus offers fax solutions through its website, personal email, and via a mobile app. All plans are flexible and customizable to a client’s needs.
Fax.Plus is HIPAA compliant and offers a BAA for its Enterprise plan (the highest tier) customers. Furthermore, the company utilizes strong cybersecurity methods.
Only available in the U.S. and Canada, Faxage offers services through its website, personal email, and mobile app, as well as API faxing. Several plans are available and it is possible to keep an existing fax number.
Faxage is HIPAA compliant as it offers a BAA and displays its strict cybersecurity practices on its website.
Part of the Documo Suite, mFax offers clients the ability to send and receive faxes through its website or via email. Clients can keep their existing fax number or use one provided.
mFax is HIPAA compliant and will sign a BAA. The company outlines its cybersecurity practices and provides stringent safeguards.
Headquartered in British Columbia, Canada, SRFax provides services through its website and via email. Several plans are available, including HIPAA compliant options.
SRFax is HIPAA compliant, not only because the company offers a BAA but also because of its rigorous cybersecurity practices.
Founded in 2006, FaxBetter lets clients send faxes through its website or via email. The company offers two plans and both come with a toll-free fax number.
FaxBetter is technically HIPAA compliant because it will sign a BAA, but its cybersecurity is lax. Additionally, the company is known to reuse fax numbers. Therefore it is not a recommended vendor for covered entities.
Based in British Columbia, Canada, GotFreeFax only offers users the ability to send (not receive) faxes through its website. Furthermore, plans are limited to recipients in the U.S. and Canada.
GotFreeFax is not HIPAA compliant as the company does not offer a BAA.
Choose HIPAA compliant email for more security and ease
Typical concerns about implementing HIPAA compliant email are similar to those raised about using digital records and other electronic communication methods. Reasons given include:
- Inability to change the mindset of an organization or the industry
- Too much inertia to try or use something new
- Fear about learning new technology and not using it properly
But such problems are easily solved by partnering with the right vendor, such as Paubox. A turn toward email is not only doable, but it is simpler and much more secure than faxing.
Considering 93% of patients prefer doctors who communicate via email, the choice seems obvious. It is time to kill the fax.
Paubox HIPAA compliant email
Paubox will not only sign a BAA but also works tirelessly to keep you and your patients safe. With Paubox Email Suite, all outbound email (and file attachments) are encrypted by default using TLS 1.3 encryption.
Our solution requires no change in email behavior. Users send messages from their existing email platforms (such as Microsoft 365 and Google Workspace). Messages are delivered directly to recipients’ inboxes—no passwords, portals, interfaces, or third-party apps are required.
When you need to send documents that contain PHI, HIPAA compliant email is the most secure method available.