Hosted fax service is a shady line when it comes to security and HIPAA. Undoubtedly there are great benefits to a hosted fax service such as:
- The ability to share the same account amongst many users makes the service low cost.
- The benefit of sending faxes via the email client means fewer hassles for users.
- A hosted fax service will usually offer Print-to-Fax functionality allowing you to fax out anything you can print.
- You get no busy signals when receiving faxes.
- The use of a fax queue that holds fax jobs until the resources are available to be sent is seamless to the user and allows for faxes to be sent out one after the other without having to wait.
- Automatic fax transmission notifications are sent out by default.
- A hosted fax service is more cost effective than traditional faxing because it saves on equipment, equipment maintenance, ink, paper and traditional analog lines.
- Faxes can usually be resent from the web portal.
- Hosted fax service usually provides limited fax storage.
- The signup process and account management is simple.
- With hosted fax service, you have access from anywhere using an internet connection via the web portal.
As beneficial as hosted fax service is, when it comes to Healthcare Information Technology, we must look at it from a regulatory perspective as Community Health Centers and other healthcare institutions are subject to HIPAA laws and other regulations. Thus, I do not do hosted fax service for the following reasons:
- In order to be HIPAA compliant, users cannot share the same account for the service as the sharing of passwords is explicitly prohibited for systems containing ePHI. Thus, the number of hosted fax service providers is limited since many do not have safeguards in place to provide logins and a separate workspace for individual users.
- Sending faxes through the use of email clients, in my opinion, is a vulnerability because email accounts are often setup for use on portable devices that are at greater risk of being lost or stolen. Thus, ePHI stored in the Sent Items is visible to whoever has the device.
- ePHI can be accessed on a desktop by going to the Sent Items on the email client, and with some hosted fax service providers, it can also be accessed via the Print-to-Fax cache on the workstation.
- Email clients don’t usually ask for a password by default. This circumvents the technical safeguards put in place with the implementation of an EHR.
- Also, depending on whether you have an in-house email server or hosted, the setup for secured transmissions is more involved and should include SSL.
- If an email account is ever black listed for spam, that may disrupt the faxing service as well.
- If the email server goes down, you are unable to fax out unless the hosted fax service provides an alternate method for fax transmissions.
- The faxes are stored off-site with the hosted fax service provider; the liability of a breach still rests with the covered entity. At the very least, a Business Associate Agreement (BAA) is needed.
- The ability to access the hosted fax service from anywhere constitutes another risk as users will have access to ePHI even after business hours and from off site with no oversight.
- The ability to access the web portal from outside the network increases the risk for man-in-the-middle attacks and network sniffers.
- Most hosted fax service providers do not support a Citrix environment with the exception of a few such as RightFax and GoldFax. Perhaps the good people at +RightFax Pros can offer a solution.
While hosted fax service may be perfect for most organizations, Community Health Centers and other healthcare institutions should look for an in-house electronic fax solution to be in compliance with HIPAA regulations. I wonder if +HIPAA For MSPs would like to comment on this post.