Can I Fax PHI to Other Treating Providers?
Can you fax patient records under HIPAA? Yes, but only with the right safeguards. Learn what’s allowed, what to avoid, and how to stay compliant when sharing information with other providers.
Referenced Links:
Advertisement
Transcript:
We just took a phone call the other day from a member who was asking if it was okay from a HIPAA perspective to be able to fax another provider medical records and medical information regarding one of their patients. Although some of you may be going, “Man, who’s using a fax? The actual truth is, there are many times that the fax and communicating with other providers via fax is one of those methods that works out really well. Many people still have fax machines and use that as a key way to communicate, and medical records are one of those areas that can happen with.
So, the question was, Can I actually do that? Does HIPAA allow it? And the answer is, yes, actually, HIPAA does allow it. In fact, the exact question is this: specifically, according to HHS, they had – they have an FAQ section, and this is one of the key questions: Can a physician’s office fax patient medical information to another physician’s office? Again, the answer is yes. The HIPAA privacy rule allows and permits physicians to disclose protected health information to another healthcare provider for treatment purposes. It can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the individual.
So, what does that really mean? Well, at the end of the day, you’ve got to have reasonable safeguards in place. In other words, you’re going to, you’re going to get them the information that they have requested. You don’t always overgive; you don’t have to give everything. If it is a broad request, and many times that will happen, especially when you start when we’re talking about other providers, then you still are only going to include that minimally necessary. So, if you have individual independent financial notes, of course, that wouldn’t necessarily apply to that patient being seen by someone else; that is not the minimal necessary.
Now you also have to make sure that you have the appropriate safeguards in place, and one of the key safeguards in this area is making sure that you do get all of that information correct, that you’re not accidentally sending too much information or information from another patient’s files, and some of you may be going, “Well, of course we’re going to do that, Marc, but you need to take that extra step to ensure, so have a safeguard in place. Safeguard is the keyword here, a safeguard in place to double-check all of that information to make sure you’re only sending over specific information that they’ve requested that pertains to that particular patient.
The second is you’ve got to make sure that you’re actually sending it to the appropriate place, that’s double-checking the phone numbers to make sure that when you’re faxing them, or that fax number, when you do fax them from your fax machine, that you’re actually sending it to the appropriate place. Now, if you’re using a virtual system to send faxes, that changes the game a little bit. You want to make sure that you are using a HIPAA-compliant faxing system, and you’ll have a BAA in place, because at that stage, you’re actually passing those documents through a third party. So that’s really important that you have a BAA in place with that fax provider, if you’re doing it virtually, in other words, if you’re sending it through, you know, through PDFs, through through a system, or through a browser, or whatever else the case may be, that’s passing through another entity before it actually faxes, and in those cases, just make sure you have a BAA in place. We’ll catch you next week.
