QUESTION: I’m trying to prevent my front desk from making HIPAA mistakes when we send and receive faxes that contain protected health information (PHI). What should and shouldn’t you send electronically? Do we need any kind of release on file?
Rochester, NY
ANSWER: The first key in making sure that front desk HIPAA fax activity doesn’t result in costly violations is making sure that your staff knows to NEVER send certain types of records. For instance, sending HIV results and narcotic prescriptions via fax is considered an immediate breach of privacy. The following types of records should be sent only by mail marked “confidential” or encrypted email.
- HIV results
- Mental health records
- Narcotic prescriptions
- Alcohol abuse records
- Substance abuse records
- Child abuse records (It is important to be aware of both national and your state-specific law enforcement exceptions.)
Essential: To derail front desk HIPAA fines for faxing PHI for permissible record types, you must have an Authorized Disclosure Form signed by your patient (or his representative) on file.
Red flags: Prevent common front desk HIPAA fax errors that result in costly violations by taking the following actions.
1. Stress that staff take their time and confirm that they have typed in the correct digits. The wrong number could result in your PHI ending up in a random place.
2. Make sure a stand-alone fax machine is located outside of common areas and regularly monitored. Typical violations involve an unattended fax machine with faxes piled up that may be visible to passersby.
3. Review and restrict eFax permission lists to minimally needed staff. Investigators see HIPAA fax red flags when they find an eFax box that everyone has access to. Each fax sent and received can be counted as an individual HIPAA violation, meaning the fines can really add up.
4. Implement a prefax checklist. Before front desk staff fax patient PHI, they should be able to answer “Yes” to each of the below questions:
√ Do I have an up-to-date release form signed by the patient on file?
√ Does the release form indicate authorization to send to the person I am faxing?
√ Is the information I am sending authorized by the release I have on file?
√ Do I have a phone number for the person I am sending the fax to so I can immediately call the person after the transmission to make sure records were received without a security breach?
√ Is my fax cover sheet marked with “CONFIDENTIAL INFORMATION” at the top of the page in large letters?
5. Adjust outgoing fax settings to avoid breaches from accidentally viewed PHI. Make sure you understand how your fax machine operates and if its failed deliverability settings or activity summaries could cause a HIPAA violation. Here are two settings to turn off:
- Failed attempt delayed reattempts: An outgoing fax that doesn’t successfully transmit right away may remain in the machine for later multiple resend attempts. If the fax is sent when no one is expecting it, an unintended recipient may pick up the delayed fax and view it.
- Activity reprints: Some faxes may print monthly summaries of all pages sent or of failed transmission pages. Turn these options off so that patient information is not reprinted and seen.
6. Include in your compliance plan your documented protocol for handling faxes. Describe your incoming fax procedures including how to access them, where to save them, and what to do with the original document. Detail how you have set up eFaxes to limit permission access. Identify settings that you have adjusted to limit unintended printing of PHI.
— Answer contributed by Jay Hodes, President, Colington Consulting. See more inside his must-have, 140-page expert report. You’ll find specific actions to help you avoid the most common front desk HIPAA fax violations and more – and if you don’t think your practice has any, think again. The Head Off Front Desk HIPAA Nightmares expert report will help ensure your front-desk staff are trained to identify HIPAA violations before they can escalate and get you into trouble.
For more information, see the HHS FAQ, “Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?” at www.hhs.gov/hipaa/for-professionals/faq/482/