Faxing Protected Health Information For School Nurses


To: School Nurses
From: Anne Sheetz, Director, School Health Unit and Tracy A. Miller, Privacy Officer
Re: Faxing Protected Health Information
Date: July 15, 2003

 

There are two questions that frequently arise in relation to the use of fax machines under the HIPAA Privacy Rule:

1. Can a covered entity under HIPAA (for example a physician or other licensed health care provider) fax protected health information (PHI)?

2. Under the Privacy Rule can a covered entity honor an individual authorization form that is a faxed copy rather than the original form?

1. Can a covered entity fax protected health information (PHI)?

In December of 2002 the Office of Civil Rights issued guidance answering this question: 1

Q: Can a physician's office FAX patient medical information to another physician's office?

A: The HIPAA Privacy Rule permits physicians to disclose protected health information to another health care provider for treatment purposes. This can be done by fax or by other means. Covered entities must have in place reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information that is disclosed using a fax machine. Examples of measures that could be reasonable and appropriate in such a situation include the sender confirming that the fax number to be used is in fact the correct one for the other physician's office, and placing the fax machine in a secure location to prevent unauthorized access to the information. See 45 C.F.R. 164.530(c). 2

To determine whether PHI may be faxed, the appropriate analysis is to ask:

a. Is the disclosure allowed under HIPAA and other applicable laws? and,
b. If so, are there in place "reasonable and appropriate administrative, technical, and physical safeguards" to protect the privacy of the PHI that is disclosed by fax?

a. Is the disclosure allowed under HIPAA and other applicable laws?

Covered entities must first be sure they are authorized to disclose the PHI under HIPAA. Under the Privacy Rule a covered provider may appropriately disclose to a school nurse PHI including, but not limited to, the following:

1. Immunization records, which may be disclosed to a school nurse without individual authorization pursuant to 45 CFR § 164.512(b). 3
2. PHI for which there is an individual authorization;
3. PHI necessary for the treatment of the child. The provider may disclose treatment information to a school nurse, regardless of whether the school nurse is also a covered entity. 45 CFR § 164.506 (c) (1) or (2).

b. Are there in place "reasonable and appropriate administrative, technical, and physical safeguards" to protect the privacy of the PHI that is disclosed by fax?

Once it is determined that the provider may disclose PHI to the school nurse, then the manner of disclosure must be reviewed. PHI may be disclosed by fax, provided that appropriate safeguards are in place.

Although school nurses are typically not covered entities under HIPAA, they should, nonetheless, develop and follow reasonable and appropriate safeguards for receiving as well as disclosing PHI by fax. Before covered entities will fax PHI to school nurses, they will likely require assurances that the school nurse has appropriate safeguards in place. Such safeguards may include, for example, procedures to assure that the fax is in a secure location accessed only by staff authorized to see PHI or procedures that assure that an authorized staff member is at the fax to receive the faxed PHI.

2. Under the Privacy Rule can a covered entity honor an individual authorization form that is a faxed copy rather than the original form?

Yes. HHS stated with respect to this question that covered entities may rely upon a faxed copy of an individual authorization form as long as it is legible. The original is not required to meet the covered entity's responsibilities under the Privacy Rule. 4 HHS also considers a copy or electronically transmitted version of a signed authorization a valid authorization under the Privacy Rule.

1 Dept. Health & Human Servs., Office of Civil Rights, OCR Guidance Explaining Significant Aspects of the Privacy Rule, Dec. 3, 2003, p. 119.

2 § 164.530 (c) Administrative requirements. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

3 Refer to MDPH memo from Tracy A. Miller and Howard Saxner regarding Immunization Records.

4 "In accordance with the requirements of § 164.530(j), the covered entity must retain a written record of authorization forms signed by the individual. Covered entities [may] rely on copies of authorizations " 65 Fed. Reg. 82660 (Dec. 28, 2000). Note that the Social Security Administration has taken an active role in clarifying the acceptability of using faxes under HIPAA. See Soc. Security Admin., HIPAA and the Social Security Disability Programs: Information for Consultative Examination Providers - Fact Sheet, (viewed July 7, 2003).

 


This information is provided by the School Health Services within the Department of Public Health.