Is HelloFax HIPAA Compliant?
Is HelloFax HIPAA compliant? Can HelloFax be used by healthcare organizations to send files containing protected health information, or would doing so be considered a violation of HIPAA Rules? In this post we explore the protections in place and attempt to determine whether HelloFax can be considered a HIPAA compliant fax service.
The HIPAA Conduit Exception and Fax Transmissions
It is important to make a distinction between standard faxes and digital faxing services. Standard fax machines, those which are used to transmit a physical document from one fax machine to another, have long been used by healthcare organizations, and in many cases, to transmit documents containing protected health information.
Those transmissions are sent without the healthcare organization first entering into a business associate agreement (BAA) with the telecommunications carrier. That is because telecoms carriers, such as AT&T, fall under the HIPAA conduit exception.
The HIPAA conduit exception is covered in more detail here. In short, it identifies the types of communications services that do not require a business associate agreement: services that are merely conduits through which information flows, transmitting it without storing it beyond what is needed to deliver it. Information sent by standard fax or communicated over the telephone is still PHI, and the covered entity remains responsible for safeguarding it, but the carrier that only transmits it is not a business associate. Other communications channels, such as SMS and VoIP services that store messages or call data, are not treated the same way.
However, digital fax services such as HelloFax, which receive, store, and manage documents on the provider's servers, are not covered by the conduit exception. Using such a service to send documents containing PHI is therefore subject to HIPAA Rules, and the provider is a business associate. So, is HelloFax HIPAA compliant, and can it be used by healthcare organizations and other entities bound by HIPAA Rules?
Is HelloFax HIPAA Compliant?
It is important to note that no software, product, or service can be considered truly HIPAA compliant, as HIPAA compliance depends on users of the software, product, or service. It is more a case of whether a product or service can be used in a HIPAA compliant manner without violating the HIPAA Privacy or Security Rules.
In order for any communications channel to be considered for use by a HIPAA-covered entity, or by a business associate of a covered entity, appropriate safeguards must be in place to ensure the confidentiality, integrity, and availability of PHI.
In this regard, HelloFax ticks the right boxes. HelloFax states that fax transmissions are protected with end-to-end encryption from sender to receiver, and that data in transit and at rest is encrypted with AES-256. HIPAA does not mandate a specific algorithm, but AES-256 is consistent with the NIST encryption guidance that HHS refers covered entities to. One caveat a practitioner should keep in mind: that encryption covers the HelloFax service itself; the final leg of a fax delivered to a conventional fax machine still travels over the telephone network, and the paper copy that comes out at the receiving end is protected only by the physical controls at that location.
In addition, HelloFax states that each unique data key is itself encrypted with a regularly rotated master key, so that even if the disk on which a fax was stored were accessed directly, the data could not be read without the master key. HelloFax also states that strict controls are in place to keep its data center physically secured. The company describes its physical and digital security as “bank-grade”.
While security appears not to be an issue, there is the issue of the business associate agreement, which is a requirement. At the time of writing there is no mention of a BAA on the main website, although a post on the company blog, dated May 17, 2017, confirms that the service is now SOC 2 and HIPAA compliant. HelloFax states that it has been independently verified as meeting HIPAA security standards by an (unnamed) third party. HelloSign, the company behind HelloFax, will sign a BAA with HIPAA-covered entities that wish to use its HelloFax service.
HelloSign states, “For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), HelloSign can also support HIPAA compliance. HelloSign now has the ability to sign a Business Associate Agreement (BAA) with any of our customers in the healthcare, pharmaceutical, and insurance industries. Under a BAA we are bound to operate specific controls to protect your electronic protected health information (ePHI).” However, at the time of publication, the BAA is not offered to all HIPAA-covered entities, only to those with a minimum annual spend of $10,000.
So, is HelloFax HIPAA compliant? HelloFax is not covered by the HIPAA conduit exception, so a business associate agreement must be in place before any PHI is sent through the service. In our opinion, provided that BAA has been obtained, and users implement appropriate access controls on their own accounts (unique user logins, a documented policy on who may send and receive faxes, and prompt removal of departing staff), HelloFax can be considered a HIPAA compliant fax service.