What is a HIPAA Fax Cover Sheet?
Providers may use fax machines to transmit and receive information about patients. The HIPAA regulations do not specify exactly what information should appear on a fax, or on the cover sheet of a fax, that contains patient information. However, to ensure both the privacy and security of patient protected health information (PHI), covered entities should implement measures to prevent unauthorized or accidental disclosure of PHI that is faxed. Using a HIPAA fax cover sheet is one of these measures.
What Types of PHI are in a Fax Message?
Patient medical records, billing records, lab reports, and other sensitive medical information may be transmitted via fax. These documents contain protected health information, which may consist of (among other PHI):
- Patient names;
- Patient dates of birth;
- Patient home phone numbers;
- Patient medical record numbers;
- Patient health plan beneficiary numbers (health insurance ID numbers); and
- Patient Social Security numbers.
This information, as PHI, must be protected from accidental or unauthorized use or disclosure.
What Should a HIPAA Fax Cover Sheet Contain?
A HIPAA fax cover sheet should contain the following information:
- The name of the person who is sending the information;
- The name of the sending covered entity;
- The phone number of the sending entity;
- The date and time the fax cover sheet is faxed;
- The fax number of the person or entity receiving the fax; and
- A HIPAA fax cover sheet disclaimer. A HIPAA fax cover sheet disclaimer is a message addressed to the fax recipient that states that the faxed information is confidential. The disclaimer should also state that the transmission may contain protected health information. Finally, the disclaimer should contain a warning that unauthorized viewing, reviewing, disclosing, or distributing the information in the transmission may be prohibited by the Privacy Rule or other applicable law.
What is an Example of a HIPAA Fax Cover Sheet Disclaimer?
The following is an example of a HIPAA fax cover sheet disclaimer that conveys all of this language:
“IMPORTANT: This transmission contains confidential information, which may be protected health information as defined by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This transmission is intended for the exclusive use of the individual or entity to whom it is addressed and may contain information that is proprietary, privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient (or an employee or agent responsible for delivering this facsimile transmission to the intended recipient), you are hereby notified that any disclosure, dissemination, distribution or copying of this information is strictly prohibited and may be subject to legal restriction or sanction. Please notify the sender by telephone (number listed above) to arrange the return or destruction of the information and all copies.”
Why Should Organizations Use a HIPAA Fax Cover Sheet?
Using a fax cover sheet can keep protected health information out of public view when the fax is received. This is so whether a healthcare provider is faxing paper documents or sending a fax via email. Keeping a fax transmission out of public view can prevent individuals who are not authorized to access a patient’s PHI or ePHI from seeing it (whether intentionally or not) when faxes are sent.
Using a HIPAA fax cover sheet also ensures compliance with the access control standard of the Security Rule’s technical safeguard requirement. The access control standard requires entities to implement technical policies and procedures for electronic information systems that maintain ePHI, allowing access only to those persons and programs that have been given access rights.
What Other Measures Should I Take With Respect to Faxes and Fax Cover Sheets?
To reduce the possibility of unauthorized individuals gaining access to faxed PHI or ePHI, a healthcare provider can implement the following measures:
- Store fax machines used for transmitting and receiving PHI in areas that are not accessible to the general public.
- Verify the fax number to which the documents are being sent. Many fax machines contain an autodial function, which enables the machine to make multiple attempts to transmit a message until it is received. When using a fax machine with an autodial function, healthcare employees should verify the fax number of the recipient to make sure the number is correct.
- Notify the fax recipient that you are about to send a fax transmission containing confidential patient information, so the recipient will know that a fax is on its way.
- Print out a delivery confirmation report for the message you have faxed. A delivery confirmation report indicates whether the fax transmission was successful. The report also indicates whether the recipient’s fax number was “busy,” or whether your machine was otherwise unable to transmit the message.