Q. We report our laboratory results using a computer program called autofax,
which sends the results to a dedicated fax machine in a secure location at the
physician's office. The cover sheets accompanying each report are a paper burden
for physicians' offices and have generated complaints. Must we use cover sheets
with this automated process, or can each page have a header/footer stating the
disclaimer of confidential information?

A. The HIPAA privacy rule permits a health care provider, in this case the
laboratory, to disclose protected health information to another health care
provider (doctor's office) for treatment purposes. This can be done by fax or by
other means. A health care provider must have in place reasonable and
appropriate administrative, technical, and physical safeguards to protect the
privacy of health information that is disclosed using a fax machine.

Measures that could be reasonable and appropriate in such a situation include
the sender confirming that the fax number is, in fact, the correct one for the
physician's office and the recipient of the information placing the fax machine
in a secure location to prevent unauthorized access to the information.

If adequate safeguards are in place and there are assurances that the recipient
is in compliance with those safeguards, the cover sheet typically is not
necessary.

The basic test in determining compliance with this requirement is whether the
health care provider has established clear administrative (sender confirming
that the fax number is correct), physical (placement of the fax machine in a
secure location) and technical safeguards as required under HIPAA. (See HIPAA
rule 45 CFR § 164.530[c].)

Please be advised that the HIPAA privacy rule sets the standards for, among
other things, who may have access to protected health information, or PHI, while
the HIPAA security rule sets the standards for ensuring that only those who
should have access to electronic PHI, or EPHI, will have access. In developing
the security rule, which went into effect for most covered entities on April 20,
the Department of Health and Human Services is similarly requiring covered
entities to have in place appropriate administrative, physical, and technical
safeguards and to implement those safeguards reasonably. As a result, covered
entities that have implemented the privacy rule requirements in their
organizations may find that they have already taken some of the measures
necessary to comply with the security rule.

The primary distinction between the two rules is that the privacy rule applies
to all forms of patients' protected health information, whether electronic,
written, or oral, while the security rule covers only protected health
information that is in electronic form. This includes EPHI that is created,
received, maintained, or transmitted. For example, EPHI may be transmitted over
the Internet or stored on a computer, CD, disk, or magnetic tape, or in another
format. The security rule does not cover PHI that is transmitted or stored on
paper or provided orally. Therefore, if paper-to-paper faxes were not in
electronic form before the transmission, those activities are not covered by the
security rule. However, the case of an automated fax stored in some electronic
form, as outlined in the question, could be subject to the security rule
requirements. For example, the security rule states that EPHI also includes
faxback systems because they are used as input and output devices for computers.
Further clarification on the definition of "electronic media" is available in §
160.103 of the HIPAA security rule. Additional information on this rule is
available on the Centers for Medicare and Medicaid Services Web site,
www.cms.hhs.gov/hipaa/hipaa2.

It should be noted that the information provided here is intended solely for
education and communication purposes and does not constitute medical or legal
advice. The CAP expressly disclaims any and all liability for the information
provided.

Phil Bongiorno
CAP Assistant Director,
Public Health and Scientific Affairs
http://www.cap.org/apps/docs/cap_today/q_and_a/qa_05_05.html