HIPAA Compliant Faxing

A secure HIPAA (Health Insurance Portability & Accountability Act) compliant online fax solution for healthcare

We understand the sensitivities and the seriousness associated with keeping patient healthcare data private and secure and that’s why we have looked into details of all administrative, physical and technical safeguard specifications with fine precision, mitigating all HIPAA requirements to safeguard our customers’ data, individuals’ protected health information (PHI) and electronic protected health information (ePHI).
This is why healthcare providers, insurance companies and other covered entities trust FAX.PLUS to transmit their most sensitive documents.

FAX.PLUS is HIPAA compliant, provided the user has advanced security controls activated and enters into a business associate agreement (BAA) with us. Advanced security controls are available on the Enterprise plan tier.

The following FAX.PLUS HIPAA Compliance Statement is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential. This Statement is not intended to take the place of a Business Associate Agreement.

We have instituted policies and procedures to ensure that our customers’ data is kept confidential. These include (not limited to) the following:

Access Control

The FAX.PLUS online fax solution includes unique user identification, administrator privileges to grant and remove access, next generation (256-bit AES) encryption and other protocols to limit access to your organization’s authorized personnel only. Inbound documents may be sent to only the intended recipient’s email, limiting exposure and disclosure risks associated with faxing to a physical fax machine.

Data Encryption & Transmission Security

HIPAA requires careful attention be paid to data that is in motion and at rest. All fax files at rest are encrypted using 256-bit Advanced Encryption Standard (AES). To protect data in transit between FAX.PLUS apps (currently mobile, API, or web) and our servers, we use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.

Audit Control

FAX.PLUS employs multiple levels of audit control — from secure and automatic archiving of all faxes sent or received through FAX.PLUS for the life of your organization’s account, to software and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

User Authentication

Users can access the FAX.PLUS service via Email or online only with a valid username and password combination which are SSL encrypted. An encrypted session ID cookie is used to uniquely identify each user. While logged into our servers, all communications will be encrypted at all times.

No Storage Option

Users have the option to not save their fax data on our servers. Once activated, the user gets received faxes via email and nothing is stored on our servers. The same applies for sent faxes, in which we delete the fax data as soon as the transmission has been completed.

Proper Disposal of Data

At the end of a Covered Entity’s contract with FAX.PLUS, they may request their data to be deleted from the FAX.PLUS Servers. No printed reports or paper copies are ever retained in our facility. If reports are ever printed to further support the Covered Entity, they are shredded immediately upon completion of the task that required the paper output.

Highly Secure Data Centers

Our datacenters are in locations conforming to the most restrictive security standards (ISO 27001) and they are part of the Cloud Security Alliance (CSA). They also conform to the OCF Level 1, having completed their Cloud Control Matrix which maps to the following selected frameworks: COBIT, HIPAA / HITECH Act, ISO/IEC 27001-2005, NISTSP800-53, FedRAMP, PCI DSSv2.0, BITS Shared Assessments, GAPP.

Information Security

We’re always assessing risks and improving the security, confidentiality, integrity, and availability of our systems. We regularly review and update security policies, provide our employees with security training, perform application and network security testing (including penetration testing), conduct risk assessments, and monitor compliance with security policies.

Other Privacy and Security Rules:

  • 256 bit AES encryption on stored faxes
  • COMODO SSL Certificate (SSL/TSL creates a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption).
  • Data backups stored in secured safe, world class data centers.
  • Account owner authentication
  • Restricted outside access to all servers and production workstations
  • Sophisticated monitoring and escalation system
  • Automated data backups
  • Automated virus checking
  • Report any non-compliance of which we become aware
  • Notice of data breach
  • Access to production systems is restricted with unique SSH key pairs, and security policies and procedures require protection of SSH keys. An internal system manages the secure public key exchange process, and private keys are stored securely.
  • All employees complete thorough background checks and are required to sign a confidentiality agreement as part of their employment contract
  • All employees receive training on our policies and procedures according to HIPAA mandates.
  • Named a HIPAA Security Official who creates, maintains, and trains regarding our HIPAA policies and procedures.

Business Associate Agreement (BAA)

We sign Business Associate Agreement (BAA) with users of our Enterprise plan.