Setting up my medical office with Ooma and wondering about HIPAA compliance. For example, the inbound faxes copy to email, a function that I like, but is that HIPAA compliant? Just wondering.
I have worked with some HIPAA compliant offices, and I would assume in this case it depends on who has access to the email.
If the fax is being sent to a general email box that is accessible by all office workers (or accessible by staff that does not have a need to know patient’s medical details) then it is probably out of compliance.
My suggestion would be to forward the fax to an email address whose password is held only by the practice’s administrator (you?) and by persons that have a need to know. I would also make the password somewhat difficult to guess, and rotate the passwords on a regular basis.
You might also consider getting a secure flash drive (one that’s hardware encrypted) and copy the faxes from the email program to the flash drive for safekeeping. Then, erase them from your email program (and empty the trash). If the faxes are really critical and must be safeguarded, you can even copy the flash drive to another secure one for backup purposes.
Nothing is 100% fail-safe, and that percentage drops as more people have access to HIPAA data. Limit the number of people that have access to the email, and you should be within compliance.
Hope that helps,
Thanks Jonathan for the thoughtful and thorough response. Yes, I can limit access to that email. I was just not sure that email was considered – even with nascent 128-bit encryption – HIPAA compliant at all. Really what I want is ALL faxes, ingoing and outgoing, from the digital server (wherever it be) moved (not copied) to my local file server, for easy reference, security, etc. But I just got this thing and I’m still trying to figure it out. If not robust enough, I’ll buy enterprise level stuff to get what I perceive that I need, though I really don’t want to as it is overkill in so many areas.
First things first: anything claiming to be HIPAA COMPLIANT is lying.
By definition, that would mean should HIPAA wake up one morning & change their laws, this ‘compliant’ entity would be fully synchronized with such changes.
HIPAA READY is more appropriate.
In case you haven’t guessed, YES, I’m in the Healthcare IT sector.
Ooma Office is not only HIPAA Ready, I personally use it for my consulting company.
HIPAA Ready, then. Fair enough. Was concerned as the incoming faxes, with all of their attendant medical information, are resident on a server in some farm somewhere out there.
Really, my greater concern right now is the file size limit for faxing, about which I recently posted. http://www.ooma.com/forums/viewtopic.php?f=18&t=19275.
I know this is an old topic… but under no circumstances should anyone assume that email is HIPAA compliant. Owing to the way in which it’s implemented, it is not secure. Any email you write anywhere is “readable” by any system administrator at any system through which the email passes… and this could be tens or hundreds of different computers across the internet. The only secure email is that which has been encrypted by the user’s email client… not very common, and that’s something not done by any consumer or normal business fax machine.
I was surprised by the response, in this thread, from the IT person who stated he works in a medical office… definitely do not use email to send patient information (without asking their permission first and advising them of the insecurity of email)… and that includes the virtual fax.
Now, having said all that… you can make email HIPAA compliant in a number of ways, but don’t assume your email system is compliant without talking to a knowledgeable IT consultant.
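Three points in this thread are easy to check in code: that a fax PDF riding inside an email is merely base64-encoded, not encrypted, so any relay on the path can read it (the last post); that the safer workflow is to pull the attachments out of the mailbox into a locally controlled folder and then delete the mailbox copies rather than leave them there (Jonathan’s flash-drive suggestion and the original poster’s “moved, not copied” requirement); and that access to the stored copies should be restricted to the owner. The script below is an added example written for this page, not Ooma’s code or anything from the posters. The fax notification message, the PDF bytes and the `FakeImap` class are constructed stand-ins so it runs offline; `move_faxes` only uses the `select`/`search`/`fetch`/`store`/`expunge` calls that the real `imaplib.IMAP4_SSL` also provides, so a live mailbox object can be passed in its place.

```python
"""Move fax attachments out of a mailbox into an owner-only local folder.

Added example for the thread above (not Ooma's code). The message, PDF bytes and
FakeImap are constructed so the flow runs offline; `move_faxes` uses only the
imaplib call shapes (select/search/fetch/store/expunge) so a real IMAP4_SSL
connection can be substituted.
"""
import email
import hashlib
import os
import tempfile
from email import policy
from email.message import EmailMessage
from pathlib import Path


def build_sample_fax_notification(pdf_bytes: bytes) -> bytes:
    """Constructed fax-to-email notification carrying the PDF as an attachment."""
    msg = EmailMessage()
    msg["From"] = "fax@example.invalid"           # placeholder sender
    msg["To"] = "faxes@example.invalid"           # placeholder recipient
    msg["Subject"] = "Fax received from +1 555 0100"
    msg["Message-ID"] = "<sample-fax-1@example.invalid>"
    msg.set_content("A new fax has arrived; see attachment.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename="fax.pdf")
    return bytes(msg)


def attachment_is_readable_in_transit(raw: bytes) -> bool:
    """True if the PDF can be recovered with no key: base64 is encoding, not encryption."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            return part.get_payload(decode=True).startswith(b"%PDF")
    return False


def extract_attachments(raw: bytes, dest: Path) -> list:
    """Write each attachment under dest with owner-only permissions; return the paths."""
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, 0o700)                          # only the owner may list or enter it
    msg = email.message_from_bytes(raw, policy=policy.default)
    msgid = (msg["Message-ID"] or "no-id").strip("<>")
    saved = []
    for i, part in enumerate(msg.iter_attachments()):
        data = part.get_payload(decode=True)
        name = Path(part.get_filename() or f"attachment-{i}").name  # drop any path parts
        digest = hashlib.sha256(data).hexdigest()  # integrity reference for the copy
        out = dest / f"{msgid}-{i}-{digest[:12]}-{name}"
        fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        saved.append(out)
    return saved


def move_faxes(imap, dest: Path, mailbox: str = "INBOX") -> int:
    """Copy attachments to dest, then delete the mailbox copies. Returns count moved."""
    imap.select(mailbox)
    status, data = imap.search(None, "ALL")      # narrow the criteria for a real mailbox
    if status != "OK":
        raise RuntimeError("IMAP search failed")
    moved = 0
    for num in data[0].split():
        status, parts = imap.fetch(num, "(RFC822)")
        if status != "OK":
            continue
        raw = parts[0][1]
        if extract_attachments(raw, dest):       # only delete once the local copy exists
            imap.store(num, "+FLAGS", "\\Deleted")
            moved += 1
    imap.expunge()  # sequence numbers stay valid until this single expunge
    return moved


class FakeImap:
    """Constructed in-memory stand-in mimicking imaplib return shapes; no network."""
    def __init__(self, messages):
        self.msgs = {str(i + 1).encode(): m for i, m in enumerate(messages)}
        self.deleted = set()

    def select(self, mailbox):
        return "OK", [str(len(self.msgs)).encode()]

    def search(self, charset, *criteria):
        return "OK", [b" ".join(self.msgs)]

    def fetch(self, num, parts):
        return "OK", [(num + b" (RFC822 {%d}" % len(self.msgs[num]), self.msgs[num]), b")"]

    def store(self, num, command, flags):
        if command == "+FLAGS" and "\\Deleted" in flags:
            self.deleted.add(num)
        return "OK", [num]

    def expunge(self):
        for num in self.deleted:
            del self.msgs[num]
        self.deleted.clear()
        return "OK", [None]


def demo() -> dict:
    """Run the whole flow offline and report what happened."""
    pdf = b"%PDF-1.4\n% constructed sample fax page, not a real document\n%%EOF\n"
    raw = build_sample_fax_notification(pdf)
    mailbox = FakeImap([raw])
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "faxes"
        readable = attachment_is_readable_in_transit(raw)
        moved = move_faxes(mailbox, dest)
        files = sorted(dest.iterdir())
        contents = [p.read_bytes() for p in files]
    return {"readable_without_key": readable, "moved": moved,
            "files_saved": len(files), "first_file_is_pdf": contents[0] == pdf,
            "left_in_mailbox": len(mailbox.msgs)}


if __name__ == "__main__":
    print(demo())
```

Two design points: the mailbox copy is flagged for deletion only after the local file has been written, so a crash mid-run leaves a duplicate rather than a lost fax, and deletions are expunged once at the end so the sequence numbers returned by `search` remain valid throughout the loop. The local folder is created `0700` and each file `0600`, which implements Jonathan’s “limit who has access” advice at the file-system level; encryption at rest (the hardware-encrypted drive he mentions) is a separate layer this example does not provide.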