Seema Verma, the administrator of the Center for Medicare and Medicaid Services at the Department of Health and Human Services, wants fax machines out of doctors’ offices by 2020.
She wants them out of doctors’ offices because they are not cool. She wants to replace them with super-non-secure apps for your phone that are way cool, but even less secure than that crappy fax machine.
She says that physicians are stuck in the 1990s, hence their use of fax machines, I guess. She says that doctors are still taking notes on paper (not any doctor that I use, but I am sure there are some). This is causing physician burnout. Ask a physician about what is causing burnout – #1 is dealing with CMS and insurance companies and #2 is having to use those really bad apps that have already been developed, Seema.
I guess she never heard of the breaches of all of the different Blue Cross affiliates a few years ago. I am sure that if we collect all of that healthcare data in poorly written apps, no one will ever hack those repositories. After all, what could go wrong?
We do have to remember that she is required to be a cheerleader for whatever the administration in power wants, so take all this with a grain of salt.
HOWEVER, it is fair to look at fax machines.
WHY do people still use them? Because they are ubiquitous. They are everywhere. In Japan, something like a third of the private households have fax machines. That is a feat that very few countries can match, but almost every business has a fax number (actually, we do not!).
One reason that people use them is that they are SECURE. I am not sure what illegal substance the person who came up with that idea was ingesting, but they were not sharing.
Anyone ever get a fax that was not destined for them?
Anyone ever get a fax not destined for them that contained sensitive information? VERY sensitive information?
Anyone ever see that sensitive fax just sitting on the fax machine?
Anyone ever see something on the fax machine, look at it, decide it was not for them and read it anyway?
How many people have a fax number that is tied to an electronic fax service like eFax or Concord fax?
So, the sender sends a fax to be secure. Manages to dial the right number. Sends the fax to some third party with unknown security. Who takes that fax and sends it to you in an email.
WHY NOT JUST EMAIL IT IN THE FIRST PLACE? THAT WOULD BE CHEAPER, FOR SURE, AND, GIVEN THERE ARE A LOT FEWER MOVING PARTS, PROBABLY MORE SECURE, TOO.
To be fair, some fax services offer secure fax where they send you an email that you have a fax and then you have to log in and download it. AND THEN YOU FORWARD THAT FAX VIA EMAIL TO YOUR COWORKERS.
Do you see a problem here?
Bottom line is faxes are not secure and should not be perceived to be secure.
So what is there to do?
First of all, if you are using faxes because email is not secure, do not use a fax-to-email service.
If you are using a fax-to-email service, you need to do a security risk assessment on the service provider. IF YOU ARE A DOCTOR OR OTHER HEALTHCARE PROVIDER, THAT FAX SERVICE IS A BUSINESS ASSOCIATE UNDER HIPAA REGULATIONS AND YOU NEED TO HAVE A SIGNED AND AUDITED BUSINESS ASSOCIATE AGREEMENT (BAA) WITH THAT SERVICE PROVIDER. If the service provider won’t sign the BAA, you are breaking the law and risking a fine by using them!
Again, if you have to use fax-to-email, use a service that offers a secure mailbox that allows you to download the fax over an encrypted channel.
If you are using one of those old-fashioned fax machines, make sure that the inbound faxes can be secured until picked up by the RIGHTFUL owner.
If you are using one of those newfangled multi-purpose print/copy/fax machines, understand that those machines have a hard disk in them (except for the very cheapest ones), and that the disk must be disposed of securely at the end of the lease or when the machine is ready to be discarded. Higher-end machines have hard disks that can be removed by a technician and given to you to shred (yes, really). Lower-end ones are not designed that way and you may wind up destroying the machine to get the disk out. But do that anyway.
A much better way to deal with the problem is to create a SECURE web portal to replace that fax machine. Remember the goal is not to replace one insecure technology with another insecure technology.
By the way, IF THE PORTAL IS HOSTED, THE HOSTING PROVIDER IS STILL A HIPAA BUSINESS ASSOCIATE. Sorry!
If all of this gives you a headache, contact us to help you sort this out.
Source: Healthcare IT News