When it comes to complying with regulations such as HIPAA or PCI, IT professionals naturally tend to focus their attention on modern data systems such as mail servers, firewalls, and file shares. Even so, regulatory requirements are not confined solely to these types of systems. Even something as simple as a fax machine can conceivably put an organization at risk. We have all heard our share of compliance audit horror stories, but sometimes compliance violations can come from somewhat unexpected sources. A few years ago for example, CBS was able to retrieve electronic protected health information from some used digital copiers that it purchased. These copiers had previously been leased by Affinity Health Plan. This sting operation caused the Department of Health and Human Services to levy a $1.2 million fine against Affinity Health Plan. This story underscores the importance of handling documents and other sensitive data in a way that does not put the organization at risk of a compliance violation. One of the most important, but easily overlooked things that organizations can do to avoid these types of regulatory violations is to revisit their fax strategies. While it may seem somewhat strange to be talking about fax technology in 2019, many organizations in regulated industries still make extensive use of fax, and a network fax server may be a solution.
Good news / bad news
Old school, standalone fax machines provide ample opportunities for compliance violations. HIPAA, for example, requires covered entities to implement physical safeguards that restrict access to electronic protected health information. In other words, if a fax machine is going to be used to send or receive medical records, then that fax machine cannot be placed in a communal location where everyone in the office can use it. Instead, the machine has to be kept in a secure location, so as to prevent the unauthorized disclosure of patient information.
Of course simply placing a fax machine in a secure location is not enough to ensure compliance. One of the problems with using an old-school fax machine is that the act of sending a fax may require someone to manually dial the recipient’s phone number. While manually dialing a phone number isn’t necessarily a problem in and of itself, accidentally dialing the wrong phone number can be a huge problem. Believe it or not, accidentally faxing medical records to a wrong number constitutes a HIPAA violation, regardless of the fact that the incident occurred accidentally. Incidentally, a network fax server may be able to eliminate the risk of dialing a wrong number by allowing users to click on address book entries rather than having to manually dial a phone number each time that they fax someone.
In spite of the risks that legacy fax machines pose, however, there is at least one way in which these machines might simplify compliance. PCI DSS (the compliance standard imposed by the credit card companies) section 4.1 requires that strong encryption be used any time card holder data is transmitted across a public network. At the same time however, faxes sent over a telephone line are not considered to be traversing a public network, and are therefore exempt from the encryption requirement. Keep in mind however, that this benefit is unique to PCI, and does not necessarily apply to other regulatory standards.
Why you should be using a network fax server
Although a standalone fax machine might get the job done, it can be difficult to prove to auditors that faxes are being handled in a manner that complies with all of the various regulatory requirements. This is especially true for HIPAA compliance. Using a fax server makes it a lot easier to ensure that the necessary controls are in place.
HIPAA requirements
As previously noted, HIPAA requires that organizations limit physical access to its facilities and to any systems containing electronic protected health information. Beyond this requirement, there are four technical safeguards that covered entities must put into place. The HIPAA Security Rule defines Technical Safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it”. The technical safeguards include:
- Access controls
- Audit controls
- Integrity controls
- Transmission security
Access controls
The access control requirements found in part 164.312(A)(1) of the HIPAA security rule require organizations to “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) [Information Access Management].” HIPAA goes on to define requirements for unique user identification, emergency access procedures, automatic logoff, and data encryption.
It would be very difficult to comply with HIPAA’s access control requirements when sending or receiving medical records via a standalone fax machine. At the very least, a standalone fax machine would make it nearly impossible to prove the identity of the person who sent a fax. When properly configured however, a network fax server can allow for unique user identification. Operating system level controls can also provide automatic logoff capabilities and data encryption services.
Audit controls
HIPAA outlines audit controls in section 164.312(B) of the security rules. HIPAA requires covered entities to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
In essence, this particular rule states that a logging system must be put in place for any system that handles electronic protected health information. While the rule does allow for a “procedural mechanism” to be used, automated logging is preferred because helps to avoid the potential for human error.
A good network fax server can maintain a log of inbound and outbound faxes. This automated approach is far more reliable than had writing entries into a log book, as might be required with a standalone fax machine.
Integrity controls
The rules for integrity controls are defined in the HIPAA security rule at 164.304(c)(1). The rule states that a covered entity must “implement policies and procedures to protect electronic protected health information from improper alteration or destruction.” In other words, HIPAA requires that organizations prevent the unauthorized modification or deletion of data.
While a network fax server might not be able to directly address this requirement, some network fax solutions are able to send a copy of inbound and outbound faxes to a tamper resistant, online archive. The archives can ensure that documents are retained for the required period of time and are not modified.
Transmission security
The transmission security requirements outlined in HIPAA part 164.312(e)(1) require a covered entity to “implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
Because a network fax server causes faxes to be sent and received across an IP-based network, organizations may be able to use existing tools to encrypt fax transmissions. For instance, an organization might route fax traffic over a VPN, or they might encrypt fax traffic using SSL, IPSec, or something similar.
Network fax server: A good first step
Adopting a network fax server does not automatically guarantee that an organization’s handling of faxes will be compliant with applicable regulations. Instead, the fax server acts as a tool that makes it easier for an organization to achieve a compliant state.
Featured image: Shutterstock
thank you!!!