Practice QA: Fend Off Costly Front Desk HIPAA Fax Fines with 6 Actions

QUESTION: I’m trying to prevent my front desk from making HIPAA mistakes when we send and receive faxes that contain protected health information (PHI). What should and shouldn’t you send electronically? Do we need any kind of release on file?

Rochester, NY

ANSWER: The first key in making sure that front desk HIPAA fax activity doesn’t result in costly violations is making sure that your staff knows to NEVER send certain types of records. For instance, sending HIV results and narcotic prescriptions via fax is considered an immediate breach of privacy. The following types of records should be sent only by mail marked “confidential” or encrypted email.

  • HIV results
  • Mental health records
  • Narcotic prescriptions
  • Alcohol abuse records
  • Substance abuse records
  • Child abuse records (It is important to be aware of both national and your state-specific law enforcement exceptions.)

Essential: To derail front desk HIPAA fines for faxing PHI for permissible record types, you must have an Authorized Disclosure Form signed by your patient (or his representative) on file.

Red flags: Prevent the common front desk HIPAA fax errors that result in costly violations by taking the following actions.

1. Stress that staff take their time and confirm that they have typed in the correct digits. The wrong number could result in your PHI ending up in a random place.

2. Make sure a stand-alone fax machine is located outside of common areas and regularly monitored. Typical violations involve an unattended fax machine with faxes piled up that may be visible to passersby.

3. Review and restrict eFax permission lists to minimally needed staff. Investigators see HIPAA fax red flags when they find an eFax box that everyone has access to. Each fax sent and received can be counted as an individual HIPAA violation, meaning the fines can really add up.

4. Implement a prefax checklist. Before front desk staff fax patient PHI, they should be able to answer “Yes” to each of the below questions:

√ Do I have an up-to-date release form signed by the patient on file?

√ Does the release form indicate authorization to send to the person I am faxing?

√ Is the information I am sending authorized by the release I have on file?

√ Do I have a phone number for the person I am sending the fax to so I can immediately call the person after the transmission to make sure records were received without a security breach?

√ Is my fax cover sheet marked with “CONFIDENTIAL INFORMATION” at the top of the page in large letters?

5. Adjust outgoing fax settings to avoid breaches from accidentally viewed PHI. Make sure you understand how your fax machine operates and whether its failed deliverability settings or activity summaries could cause a HIPAA violation. Here are two settings to turn off:

  • Failed attempt delayed reattempts: An outgoing fax that doesn’t successfully transmit right away may remain in the machine for later multiple resend attempts. If the fax is sent when no one is expecting it, an unintended recipient may pick up the delayed fax and view it.
  • Activity reprints: Some faxes may print monthly summaries of all pages sent or of failed transmission pages. Turn these options off so that patient information is not reprinted and seen.

6. Include in your compliance plan your documented protocol for handling faxes. Describe your incoming fax procedures, including how to access them, where to save them, and what to do with the original document. Detail how you have set up eFaxes to limit permission access. Identify settings that you have adjusted to limit unintended printing of PHI.

 Answer contributed by Jay Hodes, President, Colington Consulting. See more inside his must-have, 140-page expert report. You’ll find specific actions to help you avoid the most common front desk HIPAA fax violations and more – and if you don’t think your practice has any, think again. Head off Front Desk HIPAA Nightmares expert report will help ensure your front-desk staff are trained to identify HIPAA violations before they can escalate and get you into trouble.

For more information, see the HHS FAQ, “Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?” at www.hhs.gov/hipaa/for-professionals/faq/482/


Meet Your Writer

Jay Hodes

President, Colington Consulting

Jay Hodes is a leading expert in HIPAA compliance and President of Colington Consulting. His company provides HIPAA consulting services for healthcare providers and business associates. Mr. Hodes has over 35 years of combined experience in risk assessments, site security evaluation, regulatory compliance, policy and procedures assessments, and Federal law enforcement management. He served as the HIPAA Compliance Officer for the County of Fairfax, Virginia. In that role, Mr. Hodes managed the county-wide HIPAA security and privacy programs which included conducting security risk assessments, policy, and procedure development, conducting HIPAA breach, compliance, and privacy complaint investigations, and developing HIPAA Security Awareness and Privacy training. Mr. Hodes was an Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services. He has provided expert witness opinions for litigation cases. Mr. Hodes has been the keynote speaker and provided presentations regarding HIPAA compliance and patient privacy to many professional healthcare organizations including the Health Care Compliance Association, the Maryland Medical Group Management Association, the Baltimore City (MD) Medical Society, the New Jersey Aging Life Care Association, the California Primary Care Association, the National Association for Speech and Hearing Centers, and the Virginia Academy of Elder Law Attorneys. 
He has published over 70 educational articles regarding HIPAA compliance, been featured in Part B News articles and the Report on Patient Privacy, provided a guest post in the Electronic Health Reporter, been interviewed by and provided comments to Hospital Access Management regarding HIPAA privacy issues resulting from the Orlando mass shooting incident, been interviewed four times by Renal & Urology News, provided comments to the Virtru.com blog regarding HIPAA requirements and safeguards, been interviewed by PracticeSuite EMR as part of their Expert Interview Series, and been interviewed by and provided comments to the Health System Specialist. Mr. Hodes is a member of the American Institute of Healthcare Compliance, Health Care Compliance Association, and the Healthcare Information and Management Systems Society. In his free time, Mr. Hodes is a volunteer for Lab Rescue of the Labrador Retriever Club of the Potomac.