This article addresses when it is permissible to use Fax over IP (FoIP) to send or receive HIPAA protected information.
Details
The University is required under most circumstances to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and to protect HIPAA data categorized as Electronic Protected Health Information (ePHI).
The University email system is not approved to store ePHI. The following restrictions are also in place when working with ePHI/HIPAA documents.
- Faxed documents received by the University containing ePHI may not be sent via email, whether directly from the XMedius server or from an MFP.
- Faxed documents sent by the University containing ePHI may not be sent via email to the XMedius server or an MFP.
Use of fax services through the XMedius server is authorized for HIPAA/ePHI only in the configuration below.
OUTGOING FAX
Faxes containing HIPAA/ePHI data may be scanned directly on a Xerox Multi-function Printer (MFP) for transmission through the XMedius server. The content is not stored on the MFP and is securely transferred (encrypted) to the XMedius Server.
INCOMING FAX
Faxes containing HIPAA/ePHI data must only be accessed through the XMedius web application and must not be automatically forwarded to a University email account.
PRINTING FAX
Received faxes that require printing may be printed on a UMS:IT-deployed Xerox multi-function printer. Using this method, print jobs are securely transmitted to a secure PaperCut print server and then printed only when the user's proximity card is presented at a printer. The print content is not stored on the printer. A printer connected directly to the computer (i.e. through USB, SCSI, Firewire, parallel port or similar non-networked connection) is also permitted.
Environment
- HIPAA protected information
- Fax over IP