In general, using a regular paper-to-paper fax to send or receive reimbursement information will not, by itself, make a dental practice a HIPAA covered entity. However, a dental practice can become a HIPAA covered entity if it conducts a HIPAA standard transaction using a computerized or digital fax. If your practice is covered by HIPAA, your HIPAA policies and procedures should include reasonable administrative, technical, and physical safeguards for protecting information that you send and receive by any kind of fax. Even if your practice is not covered by HIPAA, developing and implementing fax machine safeguards can help protect sensitive information and may help prevent liability under state data security law.
HIPAA Covered Entities
In general, a dental practice must comply with HIPAA if it has conducted one or more HIPAA standard transactions in electronic form, or if another person or entity (such as a billing firm) has done so on its behalf. HIPAA standard transactions include reimbursement claims, payments, explanations of benefits, and inquiries regarding enrollment, benefits, authorization, or claim status.1 The Office for Civil Rights clarified in 2013 that “…a facsimile machine accepting a hardcopy document for transmission is not a covered transmission even though the document may have originated from printing from an electronic file.”2 However, a dental practice may become a HIPAA covered entity if it conducts a HIPAA standard transaction using a computer, including a computer fax.
Fax Machine Safeguards
A dental practice should carefully evaluate the risks before deciding to use a fax machine to send or receive sensitive information (such as protected health information (PHI) social security numbers, credit or debit card numbers, drivers' license numbers, or account numbers). If a dental practice decides to use a fax to transmit such information, it should first develop and implement appropriate safeguards to protect the privacy of the information. Here are some examples of safeguards that might be reasonable and appropriate in a dental office:
- Before sending a fax, confirm that the fax number is correct. For example, double check the number, call the intended recipient to confirm the accuracy of the fax number, or send a "test fax" asking the recipient to first confirm its identity.
- Place the fax machine in a secure location to protect against unauthorized access to information on incoming faxes.
- Pre-program and clearly identify frequently used fax numbers to help avoid misdialing numbers.
- Use a cover sheet that states that the fax information may be confidential and requests the recipient of a misdirected fax to destroy the information and notify you immediately.
- Prohibit use of "redial" keys when sending sensitive information unless the sender is certain that no one else has used the fax machine since his or her last transmission.
- When electronically storing or transmitting sensitive information (e.g., via computer fax), choose an encryption method that renders the information "secure" under the HIPAA Breach Notification Rule.3
HIPAA covered dental practices must keep a list of disclosures of PHI, other than permitted disclosures for treatment, payment, and healthcare operations, so that the dental practice can provide an accounting of disclosures4 if requested by a patient. A misdirected fax may also be a breach of unsecured PHI requiring notification under the HIPAA Breach Notification Rule.5 In addition, state law may require a dental practice to provide notification in the event of misdirected sensitive information such as a social security number, credit card number, or driver's license number, whether or not the information is PHI.
Logging impermissible disclosures such as misdirected faxes can also help identify risks and vulnerabilities and help you develop better safeguards for your dental practice. Keep in mind that HIPAA covered entity dental practices are required to impose appropriate sanctions6 on workforce members who do not follow privacy and security policies and procedures.
Resources Available from the American Dental Association
The ADA Practical Guide to HIPAA Compliance: Privacy and Security Kit is a useful tool designed to help dentists comply with the HIPAA Privacy, Security, and Breach Notification Rules. The Kit includes both the ADA Practical Guide to HIPAA Compliance Privacy and Security Manual and The ADA Practical Guide to HIPAA Training, a CD-ROM program with two levels of training. The ADA Complete HIPAA Compliance Kit can be ordered at the ADA Store or by calling 800.947.4746.
The HIPAA HITECH Breach Notification Rule discusses compliance with the Breach Notification Rule and includes sample documents.
2Office for Civil Rights, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, Final Rule.
3Under HIPAA, electronic patient information is considered secured if it is properly encrypted and the encryption process or key has not been breached. For information about encryption under the Breach Notification Rule, visit the OCR website Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Users. Consult your practice management software vendor, hardware supplier, network support team, or other knowledgeable information technology professional to determine whether the necessary encryption is in place.
4Accounting of disclosures is covered in Section 164.528 of the HIPAA Privacy Rule. For more information, see Step 14.3 in Chapter 2 of The ADA Practical Guide to HIPAA Compliance Privacy and Security Manual.
5For more information about the HIPAA Breach Notification Rule, visit the OCR website Breach Notification Rule. The ADA provides information about the Breach Notification Rule, a flowchart, glossary, and sample forms, in the HIPAA HITECH Breach Notification Rule.
6Sanctions are discussed in chapter 2, Step 16 and on page 7 of Chapter 4 of The ADA Practical Guide to HIPAA Compliance Privacy and Security Manual.