Wednesday, August 27, 2008

HIPAA Compliance In A Technical World

Written by Brandi Cummings

The way people do business today relies more and more on internet connections and "virtual" phone lines. This presents a problem for those in the medical industry and for anyone required by the Department of Health and Human Services to follow the guidelines of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Companies that handle Personal Health Information (PHI) want to keep up with technology, and all the convenience and efficiency it has to offer, while ensuring that the technology does not put their clients' confidential information at risk. One such technology in which those in the medical industry are finding numerous benefits is virtual fax.

The benefits of virtual fax can be summed up in one word: efficiency. With a virtual fax there is no longer any need to go back and forth to the fax machine to send or receive faxes. All faxes can arrive at an email address or internet control panel, and faxes can be sent right from the desktop as well. Since the faxes are digital, it is possible to eliminate the paper trail and keep a digital file of all important correspondence. Another benefit is the ability to rid the office of the bulky fax machine and all of the maintenance and upkeep that goes along with it. While it is easy to see how any office can benefit from virtual fax, it may not be as obvious how an office can do so and still stay HIPAA compliant.

There are four categories of security requirements under HIPAA, and it is the consumer's responsibility, according to the HIPAA regulations, to examine the technology employed by a virtual fax provider and determine how to use it in a compliant manner. Here are some things to look for in a virtual fax provider that help medical providers maintain compliance.

  1. Administrative Procedures
    A virtual fax provider should have documented, formal practices to protect data and limit access to files. Most virtual fax providers will have policies that allow access to fax messages for the purpose of maintenance, customer service, repair, and backup, or in response to court orders, warrants, or government inquiries that legally compel disclosure of the messages or documents.
  2. Physical Safeguards
    A virtual fax provider should be able to protect data from fire, other natural and environmental hazards, and intrusion. A provider should have measures in place that include an industry standard fire safety system, off-site backups, and industry standard security systems to protect Personal Health Information from physical vulnerabilities.
  3. Technical Security Services
    A virtual fax provider should have measures in place to protect information and control individual access to it. There are usually three ways to access documents in a virtual fax system, and each should have its own independent security measures.

    • Access to a virtual fax system by phone should be restricted with PIN access.
    • Email delivery of virtual fax messages should use encryption technology. An added security feature is the ability to have the email delivery of fax documents configured as a password-protected, encrypted ZIP file.
    • Virtual fax access over the internet should also be PIN protected and secured by industry standard protocols and encryption algorithms. An added security feature is having the internet portal's identity verified by an SSL certificate.

  4. Technical Security Mechanisms
    A virtual fax provider should be able to guard against unauthorized access to, or loss of, data over the communications network. Data storage systems should implement industry standard fault tolerant measures to prevent data loss due to storage media failure. Databases and storage systems should be protected by battery backup technology to guard against data loss due to power failures. In addition, servers should use a measure comparable to FreeBSD UNIX to prevent unauthorized access and compromise of data security.

For a medical provider in a technical world it can be difficult to keep up with all the current technology and still be sure to follow all the guidelines they are subject to. While it is ultimately the consumer's responsibility to determine whether or not a virtual fax provider allows them to maintain HIPAA compliance, many providers already have security measures in place that can help them stay within those guidelines.

Brandi Cummings, an expert in the field of virtual telecommunications, recommends checking out Fax800.com (www.fax800.com), a leading provider of internet fax technology for small businesses.
