14.33 Facsimile Machine Security
14.33.1 POLICY STATEMENT
The Health Plan utilizes facsimile (fax) machines to transmit data from one location to another on a routine basis. The Health Plan will provide physical and procedural safeguards to minimize the possibility of unauthorized observation or access to protected health information (PHI) during the transmission or receipt of data via a facsimile machine. This policy outlines the required elements for a secure location of a facsimile machine. The procedure establishes guidelines for how the Health Plan will reasonably safeguard the transmission and receipt of PHI via a facsimile machine to limit incidental or accidental use or disclosure of PHI.
14.33.2 POLICY INTERPRETATION AND IMPLEMENTATION
| Secure Location | Fax machines used to transmit or receive PHI shall be placed in secure locations. Whenever possible, fax machines used to receive PHI will not be used regularly for other purposes. |
| Pre-Programmed Numbers | Frequently used destination numbers will be pre-programmed into fax machines and tested before being used to transmit PHI. Each fax machine will display a key that identifies the destination for each pre-programmed fax number. |
| Non Pre-Programmed Numbers | When PHI is faxed to a destination number that is not pre-programmed, the fax machine operator will double-check the accuracy of the number in the machine’s display before sending the fax. |
| Cover Letter | All fax messages will include a standard cover sheet, developed by the Privacy Officer, with the following (or substantially similar) statement:Confidentiality Statement: The documents accompanying this transmission contain confidential health information that is legally privileged. This information is intended only for the use of the individuals or entities listed above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If you have received this information in error, please notify the sender immediately and arrange for the return or destruction of these documents. |
| Transmittal Sheets | Transmittal sheets will be checked immediately after each transmission of PHI, to assure that the information was sent to the correct number. |
| Misdirected Faxes | If PHI has been sent to the wrong fax number, the sender must immediately send a second fax to the number that was contacted in error, reiterating the confidentiality message, and asking the recipient to telephone the sender immediately to arrange proper disposition of the information. Any instance of transmitting PHI to the wrong destination number must be reported to the Privacy Officer immediately. The report must include the date, time, the wrong number, the correct number, the intended recipient, the identity of the member, and a brief description of the information that was transmitted in error. Transmission of PHI by fax to a wrong number must be included in an accounting of disclosures of PHI. |
| Received Faxes | Prior to distribution of a received fax message, the fax message must be reviewed to make sure that all pages that belong to that fax message have been received and are together, and pages that belong to other fax messages are not included. The cover sheet received with the message, if any, will be placed on top of the message. |
| Record Retention | A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both. |
| Privacy Officer | The Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays at (651) 696-6280. |
| Violations | Violations of this policy will be subject to discipline. |
| Effective Date | April 14, 2004 |