We receive a lot of questions about patient privacy regarding the use of email, the internet, or fax to communicate patient information. Under the Health Insurance Portability and Accountability Act (HIPAA), you can use all of the above means to communicate electronic protected health information (e-PHI) as long as the network or transmission mode is "adequately protected". Note that encryption and integrity controls are "addressable" specifications under the Security Rule, which does not make them optional: a covered entity must implement them where reasonable and appropriate, or document why it did not and what equivalent measure it put in place instead (45 CFR § 164.306(d)(3)). The following Q&A is taken directly from Health and Human Services (HHS):

Does the Security Rule allow for sending electronic PHI (e-PHI) in an email or over the Internet? If so, what protections must be applied?

Answer: The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.

Source: http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2006.html
Can a physician’s office FAX patient medical information to another physician’s office?
Answer: The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician's office, and placing the fax machine in a secure location to prevent unauthorized access to the information. See 45 CFR § 164.530(c).

Source: http://www.hhs.gov/ocr/privacy/hipaa/faq/smaller_providers_and_businesses/356.html