Phone Lines and Faxes and HIPAA (Oh My!)
- David Craig, MD
- September 10, 2016
- October 26, 2023
We’ve covered HIPAA and modern medical communication in previous posts on texting and mobile phones, but you might have noticed that we haven’t said anything about the law and how it relates to older electronic technologies like faxes or actual phone calls. In light of this, here is an orderly set of realizations that might have you worried:
- The HIPAA Security Rule covers electronic protected health information (ePHI), which is generally taken to be all individually identifiable health information that a healthcare provider possesses or transmits in electronic form.
- The HIPAA Security Rule mandates that you maintain “technical safeguards” on ePHI, which almost always includes the use of encryption in all activities.
- All phone calls and faxes are fundamentally transmitted electronically, and you cannot inspect or control the encryption practices of the phone system that transmits them.
- Phone calls and faxes of patient information are electronic transmissions that might not meet the standards of the HIPAA Security Rule!
So Is It a HIPAA Violation Every Time I Call or Fax?
No, and that’s because typical phone calls and faxes are not considered ePHI. There is a crucial flaw in the logic above that will prove this, but to find it, we have to dig through some definitions in the actual Code of Federal Regulations (CFR) sections that make up HIPAA.[1] The definitions are all in 45 CFR § 160.103 if you want to follow along at home. Let’s get started!
First, let’s get the official definition of “protected health information” (PHI) that is so critical to HIPAA:
Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
The “paragraph (2)” that is referenced includes four exceptions that are not relevant to our question today; feel free to check them out on your own. Fun fact, though: exception #4 says that if you’ve been dead more than 50 years, your health information can’t be PHI any longer.
Ok, let’s get back on track. That definition above tells us that “individually identifiable health information” qualifies as PHI if it is transmitted or maintained by electronic media or if it is transmitted or maintained not by electronic media. Great! Wait…that seems like a very circuitous way of saying that all such information is PHI, regardless of the media.
That is correct, so why does the CFR bother to include those electronic media references? Simple: they are for use in later definitions. Let’s check the definition of electronic PHI, for example:
Electronic protected health information means information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section.
Ok, so putting the two definitions together, we can figure out that ePHI is any PHI that is transmitted or maintained by electronic media. Now let’s see what electronic media is:
Electronic media means:
(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media.
[*SNIPPPPP*]
Don’t mind the little bit “snipped” at the end; we’ll cover that in just a second. Focusing on the definition, it sure seems like telephone systems that electronically transmit phone calls and faxes would qualify as electronic media. That would subject all PHI flowing across them to the full force of the HIPAA Security Rule. But here’s the critical bit that we snipped off the end of the above definition of electronic media:
Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
Hallelujah! The actual letter of the HIPAA law includes a codified exemption for typical phone calls and faxes.
Your typical phone call or fax may contain PHI, so it is still subject to the HIPAA Privacy Rule, but it is not considered to be a transmission on electronic media, so it will not be ePHI, and it will therefore not be subject to the HIPAA Security Rule. Huge difference.
With that said, the exemption is narrow and it can be easy to violate. Let’s see how that can happen…
When Does a Call or Fax Become ePHI?
It is critical to note that the CFR definition that exempts standard phone calls and faxes from being ePHI applies only to their transmission and does not comment on their storage. Because of this, if you are storing voicemails or faxes electronically, these will certainly qualify as ePHI.
Most standard voicemail and electronic fax systems will not use storage with technical safeguards (e.g., encryption) that are adequate for protecting ePHI, and this is a serious point to consider.
There are several possible answers. For instance, your organization may decide, after a thorough risk analysis, that you will still accept standard patient voicemails but that you will review and delete them quickly after transferring their contents to your secure electronic medical record. This approach would minimize the exposure of voicemail ePHI to subpar technical safeguarding while still preserving the data integrity of the ePHI and allowing your patients the benefit of leaving you voicemails. Depending on your organization’s abilities and pragmatic constraints, this type of system might pass muster under the HIPAA Security Rule.
It is easier, however, simply to choose voicemail and fax systems that possess adequate technical safeguards for ePHI storage. Such solutions should be designed with healthcare in mind, and they should sign a business associate agreement (BAA) with you to cover these activities.
Speaking of BAAs, you might be wondering if the phone company or your internet service provider counts as your “business associate” under HIPAA, since you are using their services to transmit PHI. Let’s find out.
Is the Phone Company My Business Associate Under HIPAA?
Nope. You may send PHI over the telephone lines, but the phone company does not count as your “business associate” under HIPAA, just like the postal service doesn’t count as your business associate if you mail patient records to somebody.
Let’s go back to the 45 CFR § 160.103 definitions again, and check out part of the business associate definition:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
Ok, so somebody providing “data transmission services” for PHI sounds like a business associate. But there’s an important catch: that person must “require access on a routine basis” to the PHI as part of the service they are providing.
That final clause creates what is referred to in HIPAA regulation as the “conduit exception.” The word “conduit” does not appear in the actual CFR, but the Department of Human Health and Services (HHS), which wrote and administers the HIPAA regulations, refers to it that way, so we will too.
According to HHS:[2]
Regarding what it means to have ‘‘access on a routine basis’’ to protected health information with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.
Ok, so “mere data transmission” doesn’t necessarily make somebody a business associate, but what about storage? Also from HHS:
We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.
This is fairly plain guidance. The phone company can transmit your calls and other data without being a business associate, but you can’t use it to store your voicemails, texts, faxes, or anything else. Not unless you can get it to sign a BAA.
In most cases, thanks to the definition of “electronic media” and the conduit exception, the use of typical phone calls and faxes should not put you in peril with regard to the HIPAA Security Rule and the HIPAA requirements for business associates.
As always, in order to be fully compliant, you must perform a full risk analysis and, as part of that, decide what your needs and practices as an organization are going to be. But, yeah, phone calls and faxes will probably be okay.
This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.
References:
- 45 CFR § 160, 162, and 164
- Office for Civil Rights (OCR), Department of Health and Human Services (HHS). 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. Fed. Regist. 78, 5566–5702 (2013).