Can healthcare companies use HelloFax for sending documents with protected health information (PHI)? Does this fax service support HIPAA compliance?
Regular fax machines are not the same as digital fax services. Healthcare companies have been utilizing this piece of equipment to transfer physical documents including those that contain PHI from one fax machine to another. It is not required to sign a business associate agreement (BAA) with telecommunications firms prior to transmitting data since the HIPAA conduit exception rule exempts telecommunication firms, such as AT&T.
The HIPAA conduit exception rule states that some types of service providers do not need to sign a BAA. These services just function as conduits through which data passes. Any information sent through standard fax, or is shared via the phone, is not subject to HIPAA regulations not like other means of communication such as SMS and VOIP.
However, the HIPAA conduit exception rule does not cover digital fax providers such as HelloFax, therefore, utilizing the service for sending any file containing PHI is controlled by the HIPAA Rules. Particularly talking about HelloFax, does it support HIPAA compliance?
It is essential to understand that no software program, product, or service is considered as absolutely HIPAA compliant, given that HIPAA compliance is equally dependent on the users of the software program, product, or service. The real issue is is it possible to use the service without violating the HIPAA Privacy or Security Rule.
To make sure that a channel of communication is HIPAA-compliant, see if it possesses the appropriate safety measures that protect PHI integrity, confidentiality and availability. In view of this, HelloFax offers these security measures:
- Fax transmissions from the sender to the recipient are protected by end-to-end encryption. It makes use of AES-256-bit to encrypt information while in transit and at rest. This complies with the minimum standard prerequisite of HIPAA for information encryption. In addition, every special key is encrypted utilizing a frequently rotated master key. Consequently, even if an unauthorized person accesses the hard disc of the machine where the faxed data was delivered, received or saved, he cannot see the information.
- The HelloFax data center has strict controls to assure physical protection. The company claims that it features “bank-grade” physical and electronic security.
Although there appears to be no problem with HelloFax’s security, the issue is with the needed business associate agreement. It isn’t stated on the HelloFax website if the firm is willing to enter into a BAA. But a blog post published by the company on May 17, 2017 say that HelloFax is HIPAA compliant and SOC 2. An anonymous independent third-party confirmed that HelloFax supports HIPAA compliance and signs a BAA with HIPAA-covered entities in the pharmaceutical, healthcare and insurance industries that would use its services. Nonetheless, when the article was posted, HelloFax confined its offer to enter into a BAA only with covered entities that have at least $10,000 yearly spend.
To sum up, HelloFax may be regarded as HIPAA compliant. Though the HelloFax doesn’t fall under the HIPAA conduit exception rule, it has the necessary security features to keep PHI secure and signs a business associate agreement with consumers of its offerings. Provided that consumers use HelloFax in a HIPAA-compliant way, there is no worries.