by Kapua Iao

Can I send a HIPAA compliant fax? Yes, but you should use email instead

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. A major component of the legislation addresses HIPAA compliant communication.

Covered entities (CEs) and their business associates (BAs) must always protect the rights and privacy of patients and their protected health information (PHI).

Sharing important documents securely is fundamental to patient care. This guide will first summarize what we know about physical and electronic faxing (i.e. efaxing). But ultimately, we will make the case that HIPAA compliant email is by far a simpler and more secure communication method.

The outdated physical fax machine

Did you know physical, bulky fax machines are still in use in healthcare today? According to a 2019 report, 90% of CEs still rely on this obsolete equipment.

This is baffling considering obvious HIPAA-related problems with faxing and the existence of a more efficient, more secure method of communication: HIPAA compliant email.

For one thing, with faxing, no real physical or technical safeguards exist because a physical machine can easily be stolen or tampered with, and it cannot support encryption. Moreover, the possibility of human error (e.g., copies left behind or faxes sent to the wrong person) is apparent.

Finally, HIPAA requires maintaining paperwork for at least six years—that’s a lot of physical file space.

And this doesn’t even take into account that cybercriminals can hack into a fax line or the fact that sending a fax is neither easy nor fast.

Governments support transitioning away from fax machines

Since 2018, the National Health Service of the United Kingdom has worked to ban fax machines within healthcare facilities. On the flip side, both Canada and the U.S. have had similar discussions but with no consensus.

Dropping the fax machine entirely has been slow, even given the ongoing healthcare digital transformation and the need to function more remotely during the COVID-19 pandemic.

A shift to efaxing

Undoubtedly, a shift from physical faxing to efaxing provides some communication improvements, such as reduced upfront and maintenance costs, the scalability of services, and the elimination of paper risks.

Efaxing uses the Internet and cloud services for the transmission and storage of faxes. This can be through a web interface, personal email account, and/or mobile application (or app).

However, efax companies are not automatically HIPAA compliant. In fact, a June 2020 Gizmodo report even debunked the idea that efaxing is inherently secure.

A CE must ensure that an efax company will sign a business associate agreement (BAA). Then, the provider must examine how the company safeguards ePHI as outlined in the HIPAA Security Rule.

Let’s take a closer look at a few efax companies and determine if they are HIPAA compliant.

eFax

Originally founded in 1988, eFax allows faxing through its website, personal email, and mobile app. Toll-free, local, and international fax numbers are available.

eFax is willing to sign a BAA with customers. Furthermore, the company is HITRUST CSF certified. Therefore, eFax is HIPAA compliant.

Fax.Plus

A Swiss company, Fax.Plus offers fax solutions through its website, personal email, and via a mobile app. All plans are flexible and customizable to a client’s needs.

Fax.Plus is HIPAA compliant and offers a BAA for its Enterprise plan (the highest tier) customers. Furthermore, the company utilizes strong cybersecurity methods.

Faxage

Only available in the U.S. and Canada, Faxage offers services through its website, personal email, and mobile app, as well as API faxing. Several plans are available and it is possible to keep an existing fax number.

Faxage is HIPAA compliant as it offers a BAA and displays its strict cybersecurity practices on its website.

mFax

Part of the Documo Suite, mFax offers clients the ability to send and receive faxes through its website or via email. Clients can keep their existing fax number or use one provided.

mFax is HIPAA compliant and will sign a BAA. The company outlines its cybersecurity practices and provides stringent safeguards.

SRFax

Headquartered in British Columbia, Canada, SRFax provides services through its website and via email. Several plans are available, including HIPAA compliant options.

SRFax is HIPAA compliant, not only because the company offers a BAA but also because of its rigorous cybersecurity practices.

FaxBetter

Founded in 2006, FaxBetter lets clients send faxes through its website or via email. The company offers two plans and both come with a toll-free fax number.

FaxBetter is technically HIPAA compliant because it will sign a BAA, but its cybersecurity is lax. Additionally, the company is known to reuse fax numbers. Therefore, it is not a recommended vendor for covered entities.

GotFreeFax

Based in British Columbia, Canada, GotFreeFax only offers users the ability to send (not receive) faxes through its website. Furthermore, plans are limited to recipients in the U.S. and Canada.

GotFreeFax is not HIPAA compliant as the company does not offer a BAA.

Choose HIPAA compliant email for more security and ease

Typical concerns about implementing HIPAA compliant email are similar to those raised about using digital records and other electronic communication methods. Reasons given include:

  • Inability to change the mindset of an organization or the industry
  • Too much inertia to try or use something new
  • Fear about learning new technology and not using it properly

But such problems are easily solved by partnering with the right vendor, such as Paubox. A turn toward email is not only doable, but it is simpler and much more secure than faxing.

Considering 93% of patients prefer doctors who communicate via email, the choice seems obvious. It is time to kill the fax.

Paubox HIPAA compliant email

Rather than waste time and energy with physical and electronic faxing, CEs should send and receive important documents via email using Paubox Email Suite.

Paubox will not only sign a BAA but also works tirelessly to keep you and your patients safe. With Paubox Email Suite, all outbound email (including file attachments) is encrypted by default using TLS 1.3.

Our solution requires no change in email behavior. Users send messages from their existing email platforms (such as Microsoft 365 and Google Workspace). Messages are delivered directly to recipients’ inboxes—no passwords, portals, interfaces, or third-party apps are required.

When you need to send documents that contain PHI, HIPAA compliant email is the most secure method available.

Try Paubox Email Suite for FREE today.