Are You Faxing Your Way to a HIPAA Violation?

By Rick Brinegar, MHS
From Compliance Today, a publication for HCCA members

The Office for Civil Rights (OCR) website describes a practice that faxed medical records to a patient’s employer instead of to his new provider. Obviously, this was just a mistake made in the mad rush of day-to-day operations in healthcare.[i] Being busy, however, carries little weight with the OCR, and the practice was required to take corrective action and deal with a very angry patient.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a difficult law to integrate into the operation of a healthcare organization, but it is here to stay. It is much better to sit down and develop a plan for HIPAA than to react, or overreact, to a breach. One potential source of a breach is faxing, and it requires all practice stakeholders to plan so that there are few, or hopefully no, problems. For lack of a better way of saying it, faxing is “dangerous” from a HIPAA standpoint, and because we do it during the rush of daily operations, the risk goes up. All it takes is one wrong digit, and your documents are somewhere you never intended them to be.

Is faxing really necessary?

To reduce the chances of a breach, start by looking at what you actually are faxing. Does it really make sense to fax it, or would the traditional mail system work better, at least as far as the risk of a breach is concerned? If you are in a primary care setting, faxing referrals to specialists can be problematic. Consider implementing a No Fax policy (except for emergencies). One option for true emergencies is to give a “verbal approval” to the specialist with the understanding that the referral will follow in the mail. For planned services, referrals can be mailed to patients or specialists as applicable. If you have been faxing PHI, such as to registries or government offices, ask whether the documentation can be mailed instead. You may find that the mail is just as acceptable and that faxing was done only because it was easier, which was probably true before HIPAA.

Integrate faxing into busy days

Consider setting up a “To be faxed” bin close to the fax machine. The important thing is not to fax during the mad rush of caring for patients, but to carve out some time, probably at the end of the day, to send everything at once. This reduces the risk of keying an incorrect digit, because full attention is on the task at hand. Perhaps someone in the clerical area could take on this job, concentrating on the faxing all at once with minimal distractions.

Checking the accuracy of your fax numbers

I recommend verifying that the numbers you fax to are correct. This involves creating a one-page sheet of your own that is faxed to each of your fax contacts (see Example 1 below). On the sheet, ask whether this number is still acceptable for receiving protected health information (PHI), and ask the recipient to sign it, date it, and return it to you. Although there is no hard-and-fast rule, I recommend refreshing this information about once a year. Once verified, these are the fax numbers that should be loaded into your fax machine as saved numbers. A word of caution: do not assume that the fax numbers embedded in electronic medical records are necessarily correct either; a fax breach can occur from these as well.
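The verification process above amounts to an allowlist of fax destinations with an expiry date: a number may be dialed only if a signed, dated confirmation has come back, the recipient agreed to receive PHI on that line, and the confirmation is less than about a year old. The following Python module is an added illustration of that control and is not code from the article or the author; the contacts, numbers and dates are constructed sample data, and the 365-day cutoff and the 30-day reminder window are assumptions standing in for the article’s “about once a year.” Numbers copied out of an EMR go through the same check as hand-typed ones, so an unverified EMR number is refused rather than trusted.

```python
"""Verified fax-destination directory (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import re

# The article says to re-verify "about once a year"; 365 days is an assumed cutoff.
REVERIFY_AFTER = timedelta(days=365)


@dataclass
class FaxContact:
    name: str
    number: str                          # as entered; normalized on lookup
    verified_on: Optional[date] = None   # date the signed confirmation sheet came back
    accepts_phi: bool = False            # recipient confirmed this line may receive PHI


def normalize(number: str) -> str:
    """Reduce a fax number to 10 digits so formatting differences do not matter."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit fax number: {number!r}")
    return digits


class FaxDirectory:
    """Allowlist of fax destinations; only verified, current entries may be dialed."""

    def __init__(self, today: date):
        self.today = today
        self._contacts = {}

    def add(self, contact: FaxContact) -> None:
        self._contacts[normalize(contact.number)] = contact

    def record_verification(self, number: str, signed_on: date, accepts_phi: bool) -> None:
        """Record a returned confirmation sheet (signed, dated, PHI yes/no)."""
        contact = self._contacts[normalize(number)]
        contact.verified_on = signed_on
        contact.accepts_phi = accepts_phi

    def check(self, number: str):
        """Decide whether PHI may be faxed to `number`. Returns (ok, reason).

        Hand-typed and EMR-supplied numbers take the same path, so a misdialed
        or never-verified destination is refused before anything is sent.
        """
        try:
            key = normalize(number)
        except ValueError as err:
            return False, str(err)
        contact = self._contacts.get(key)
        if contact is None:
            return False, "number is not in the verified directory"
        if contact.verified_on is None:
            return False, f"{contact.name}: confirmation sheet never returned"
        if not contact.accepts_phi:
            return False, f"{contact.name}: recipient declined PHI on this line"
        if self.today - contact.verified_on > REVERIFY_AFTER:
            return False, f"{contact.name}: verification stale (signed {contact.verified_on})"
        return True, f"{contact.name}: verified {contact.verified_on}"

    def due_for_reverification(self, within_days: int = 30):
        """Names of contacts whose annual re-verification is due or overdue, earliest first."""
        due = []
        for contact in self._contacts.values():
            if contact.verified_on is None:
                continue
            due_on = contact.verified_on + REVERIFY_AFTER
            if due_on - self.today <= timedelta(days=within_days):
                due.append((due_on, contact.name))
        return [name for _, name in sorted(due)]


def build_sample_directory() -> FaxDirectory:
    """Constructed sample data (not real contacts), as of 1 June 2024."""
    d = FaxDirectory(today=date(2024, 6, 1))
    d.add(FaxContact("Cardiology Clinic", "(410) 555-0100"))
    d.add(FaxContact("County Registry", "410-555-0101"))
    d.add(FaxContact("Reference Lab", "410.555.0102"))      # sheet never came back
    d.add(FaxContact("Shared Office Line", "4105550103"))
    d.add(FaxContact("Pharmacy", "1-410-555-0104"))
    d.record_verification("4105550100", date(2024, 1, 15), accepts_phi=True)
    d.record_verification("4105550101", date(2023, 3, 1), accepts_phi=True)   # now stale
    d.record_verification("4105550103", date(2024, 2, 1), accepts_phi=False)  # declined PHI
    d.record_verification("4105550104", date(2023, 6, 15), accepts_phi=True)  # due soon
    return d


if __name__ == "__main__":
    directory = build_sample_directory()
    for n in ["410-555-0100", "4105550101", "4105550102", "4105550103",
              "4105550199", "410-555-01O0"]:            # last two: unknown number, typo
        ok, why = directory.check(n)
        print(f"{n:>14}: {'SEND' if ok else 'REFUSE':6} {why}")
    print("due for re-verification:", directory.due_for_reverification())
```

Running the module lists each sample destination with a send/refuse decision and the reason, followed by the contacts whose annual re-verification is due within the next 30 days; the same `check` call is what a send form or fax-server hook would gate on.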

Example 1: Fax cover sheet

A cover sheet is a must for faxing. Although the wording of the narrative on a fax cover sheet is optional, it helps to use a few key phrases, and always make it easy for someone to contact you if they received the fax in error. First of all, do not put the patient’s name or other PHI in the subject line of the fax cover sheet. I recommend listing a contact person and their phone number; it conveys more of a sense of urgency if the fax reaches the wrong party. Further, placing an “Important Notice” at the top of the sheet makes it stand out to the reader (see Example 2 below).

Example 2: Fax cover sheet


Investigating a potential fax breach

Always make sure to follow all required regulations regarding the reporting of a breach; if unsure, contact your legal area. It is important for your organization to design a corrective action plan after the investigative process has concluded.

For our purposes, let’s look at some recommendations for investigating the potential fax breach:

  • Call the person(s) who received the incorrect fax and ask them what they observed. Was it just the cover sheet or was PHI viewed?
  • Interview the person who sent the fax from your healthcare organization. Was this a fax number that is always used and a number was misdialed? Was it a completely new fax number to your practice?
  • Observe the faxing area of your healthcare organization. Is the area well managed and organized, or simply chaotic? Adding some structure to the area may be an element in the corrective action plan.
  • Get feedback from other people who work in the immediate area for suggestions on how to improve the area where your faxes originate. Again, this may be good information for a corrective action plan.


By working with other impacted stakeholders you will find that a little prevention here will be very helpful to the organization’s compliance efforts. And because faxing is such a routine function, it might be helpful to add these processes to your compliance plan.

Rick Brinegar is the Director of Professional Fees and Compliance HIPAA Officer for the University of Maryland Department of Obstetrics, Gynecology and Reproductive Sciences in Baltimore, MD.


[i] DHHS: Office for Civil Rights: Health Information Privacy Enforcement Examples Involving HIV/AIDS.  Available at



  1. I think Rick did a nice job of providing some suggestions on what I would categorize as administrative safeguards related to faxing.

    I would also like to learn what other safeguards, primarily technical, people are actually using... not just thinking about... but have actually put into practice.

    One related aspect is also the potential of an impermissible use or disclosure at the recipient’s end. So when looking at the faxing process... I strongly suggest looking at your processes from both the perspective of the sender of the fax as well as the receiver of the fax.

    Now you’re talking!

  2. What if a patient requests you send the fax to their office acknowledging it is a shared fax and to put their name on the cover sheet so it gets to them? Are they allowing the possible sharing of their information and acknowledging their authorization?
    Is our office still culpable?

  3. I was wondering what you guys think about possible upcoming data solutions to accidental HIPAA violations? I’ve come across a few data companies that are actively involved in trying to make the best data security solutions to keep HIPAA compliant. Some of the most interesting at the moment have been infoVia, DataRebels, and Data Vault. It’s a bit over my head to explain, but it seems there’s a growing movement to both ‘free up’ a company’s data, like the way they share it throughout the organization, while protecting it very closely. It’s been a really interesting conversation going on, one I think businesses like hospitals and insurance groups need to have. One of the most helpful breakdowns of these I could find is infoVia’s, which I wanted to share and have your thoughts on.
