Death to Faxes

Death to faxes. There, I said it.

Nearly every medical organization in this country still uses fax machines. This vintage, 1960s technology was replaced long ago in some industries. But many practices still send dozens or even hundreds of faxes a day. It is familiar, reliable technology.

Unfortunately, the fax machine is also a major source of HIPAA breaches, particularly breaches of a single record. It is all too easy for a provider to make a simple mistake while entering a phone number, and there is a chance that the fax will connect with another machine – the wrong machine.

If that fax contains Protected Health Information (PHI), you have just breached the patient’s record. The law requires you to inform the patient by letter and report the breach to HHS at the end of the year.

This is not some theoretical problem. A staff member at 4Medapproved has a fax machine in his home office. Last year, he came home to discover another man’s pathology report for prostate cancer waiting in his fax tray. When he called the doctor’s office to report the mistake, they did not seem to take the breach very seriously, as if they’re always faxing records to the wrong numbers.

I suspect the patient whose privacy was violated would have taken it more seriously. But it did not sound as if the practice was going to inform him, in violation of the law.

Apart from the problem of wrong numbers, faxes are obsolete, insecure technology. We really shouldn’t be using them at all in healthcare.

HIPAA does not require faxes to be encrypted, because there is an increasingly artificial divide in HIPAA between analog and digital technology. Faxes are considered analog even though these days they are surely traveling over digital networks. The point is that voice conversations and faxes do not have to be encrypted to be compliant. Yet, faxes could easily be intercepted and deciphered.

The risk only grows after the fax arrives. Most fax machines are set to print upon receipt, which means that anyone can access the PHI after it has printed. There is no way to authenticate access by the recipient.

Faxes are a breach waiting to happen.

Now, they can be made safer, to some extent. A colleague in IT told me recently that they had set a practice’s incoming faxes to encrypt upon arrival. The recipient has to log in to view the fax. Thus, they could control and track access.

There also are online faxing services that enable encrypted, tracked faxing. But the ones I have seen are essentially encrypted email portals. They are really fax “simulators” more than anything else.

But even if faxes could be made secure, they would still be absurd.

The patient information being sent by fax was probably in electronic form originally. The fax essentially converts that electronic data into paper form. In all likelihood, after that paper record arrives, someone will have to type the information into the EHR. By hand. Surely this is madness!

Yet every time I visit a doctor’s office, I see front office staff transcribing information from paper into the EHR.

It is already relatively easy to send encrypted email, whether through Office 365 or Google Business Apps or one of the many other HIPAA-compliant email providers. If your EHR has a 2014 certification, it can send the data as a C-CDA that machines can read as structured data.

And that’s apart from the more sophisticated forms of HIE that are now available in most states.

I know that interoperability has a long way to go. It should be easier for providers to send PHI as secure data. But I also believe that habitual faxing is making adoption slower than it need be.

Maybe it’s not quite time to take your fax machine out into a field and hit it with a baseball bat. Not yet. But I do think practices should commit to using secure communications whenever possible. The fax machine should be pushed into some corner of shame, to be used only as a last resort. The sooner fax machines go the way of the dodo, the better it will be for us all.

