GoFax HIPAA Compliance

GoFax HIPAA Compliance

Ensure your organisations meets strict HIPAA requirements for healthcare.

When it comes to transmitting sensitive patient information in the healthcare industry, it’s essential to have the highest level of security, privacy and safeguards in place to ensure data is protected. GoFax has been built to ensure the privacy and security of electronic information, providing total peace of mind in your fax & SMS messaging. We have a range of powerful features to support your organisation in meeting and maintaining HIPAA compliance obligations.

What is HIPAA compliance?

 

HIPAA is the 1966 American Health Insurance Portability and Accountability Act. It was created to ensure the confidentiality and security around the transmission of patient information in the healthcare industry, referred to as protected health information (PHI) and electronic protected health information (ePHI).

What is HIPAA compliance

As stated in the Act:

Anyone who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards:

  • To ensure the integrity and confidentiality of the information,
  • To protect against any reasonably anticipated
  • Threats or hazards to the security or integrity of the information and
  • Unauthorized uses or disclosures of the information, and
  • Otherwise, to ensure compliance with this part by the officers and employees of such person.

 

There are 3 key rules of HIPAA compliance. These include Privacy, Security and Breach Notification.

GoFax meets HIPAA rules through stringent policies, procedures, training & system capabilites.

 

GoFax helps organisations meet HIPAA requirements across all rules through stringent policies, procedures, training and system capabilities built to ensure data is secure and confidentiality is maintained.

GoFax meets HIPAA rules through stringent policies, procedures, training & system capabilites.

Below lists how GoFax has achieved HIPAA compliance and the key HIPAA standards, the safeguards required for HIPAA compliance and the system features vs optional features available on GoFax to support your organisation in HIPAA compliance.

HIPAA Practices GoFax Compliance Measures GoFax Optional Included Features GoFax Optional Add-On Features
164.312(e)(2)(ii)

Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate? (A)

All information and fax/SMS messages passed within GoFax systems and carriers is encrypted at-rest and in-transit Optional included features are available to secure messages you send or receive to/from GoFax, these include:

  • TLS encryption on email
  • S/MIME encryption on email
  • SSL on websites. Any fax/SMS messages sent or retrieve via your GoFax dashboard are securely accessed via HTTPS
  • Secure App. Securely send/receive messages via the GoFax App
  • API. Parse messages securely via the GoFax API
  • GoFax Print Driver
Optional add on features are available to secure messages you send or receive to/from GoFax, these include:

  • Secure FTP
  • Custom 3rd party integrations
164.312(e)(2)(i)

Have you implemented security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of? (A)

All fax messages are converted using industry leading file conversion technology and securely stored online All fax messages are securely converted and processed for transmission. The original files available for viewing within your secure web portal as per GoFax standard data retention period unless ‘Auto Delete’ is enabled. An extensive range of supported fax file types available.
164.312(c)(1)

Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction.

Automated data backup and data retention. All data is securely backed up both locally and via cloud with encryption, hourly and daily. Default data retention of 90 days. Optional add on features are available to have custom data retention periods.
164.312(e)(1)

Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

Masking of fax/SMS content to non-privileged users. Fax and SMS content is masked (inaccessible) so that non-privileged users are unable to view your message content, ensuring ePHI is not available for general support
164.312(e)(1)

Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

Secure file storage for support related enquires Optional secure ‘File Storage’ feature for the transfer and storage of data. The File Storage option can be used to securely store and/or pass on information to GoFax Support.
164.312(e)(1)

Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

Auto-delete on sent or received faxes Once enabled, this setting will automatically delete fax messages off GoFax servers once a fax message is received or once the fax transmission is complete.
164.312(a)(2)(i)

Have you assigned a unique name and/or number for identifying and tracking user identity? (R)

User Authentication The GoFax secure web portal and GoFax App are only accessible after authentication of username and password. Services can be access via API by use of API token.
164.312(a)(2)(i)

Have you assigned a unique name and/or number for identifying and tracking user identity? (R)

User Authentication Optional two factor authentication can be enabled to ensure that only authorized users are able to access sensitive data and information.
164.312(a)(1)

Access Controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

Access Permissions Sender Policy Framework (SPF) is an optional setting available to activate as an optional security layer for your account.
164.312(a)(1)

Access Controls: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

Access Permissions To provide greater organisational control and security, optional ‘Sub User’ profile can be created under your primary account to restrict access to information including restrictions on fax/SMS content.
164.312(a)(2)(iii)

Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? (A)

Idle timeout feature. GoFax users will automatically be logged out after 15 minutes of inactivity,
or when web browser is closed, unless the ‘Remember Me’ is selected.
164.312(b)

Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R)

Account audit log.

Audit logs allow GoFax Support to review audit trails of changes to your GoFax account, login activity and more.

164.312(b)

Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R)

Ability to regularly review records of activity All GoFax users with assigned primary account privileges e.g. Authorised Account Holder, have access to their secure online account, providing a comprehensive downloadable history of all faxes/SMS sent and received.

 

HIPAA Standard GoFax Compliance Measures
164.310(a)(2)(ii)Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A) Equipment Security Measures. Our GoFax servers and equipment are securely hosted within a dedicated secure environment with the highest of security standards and restricted access.
164.310(a)(1)

Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Facility Access Controls. Procedures are in place to control and validate GoFax employee access to all facilities used to house ePHI based systems.
164.310(a)(2)(iii)

Have you implemented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision? (A)

Employee/Business Associate Access Controls and Validation. GoFax implement appropriate procedures to control and validate only authorised employees and business associates have access to required systems.
164.310(b)

Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R)

Policies and procedures to ensure security of mobile devices, workstations, as well as access controls based on role and permission requirements.
164.310(c)

Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R)

Workstation security measures in place. Privileged users can only access ePHI on for support purposes
164.310(c)

Have you implemented physical safeguards for all workstations that access EPHI to restrict access to authorized users? (R)

IP restrictions in place to restrict access to approved users only.

 

HIPAA Standard GoFax Compliance Measures
164.308(a)(8)

Have you established a plan for periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart? (R)

Contingency plans and emergency procedures are in place to ensure ePHI is protected.

GoFax has established policies and procedures to ensure that as an organization, we are able to secure the continuation of critical business processes and ensure the protection of ePHI during an emergency

164.308(a)(6)(i)

Security Incident Procedures: Implement policies and procedures to address security incidents.

Responding promptly to detect security incidents. GoFax implements policies and procedures to address security incidents. GoFax ensures that all reports are handled correctly and that the appropriate documentation is recorded as per the HIPAA guidelines and rules.
164.308(a)(3)(i)

Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (EPHI).

Implementing written policies, procedures, and standards of conduct. We have several policies and procedures that promote our commitment to ensuring HIPAA compliance is maintained throughout the entire organisation. These policies, procedures and standards of conduct ensure our employees understand how to carry out their job functions correctly to ensure compliance. These are reviewed periodically.
164.308(a)(5)(i)

Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management).

Conducting effective training and education. All GoFax employees receive mandatory and ongoing training on HIPAA compliance.
164.308(a)(1)(ii)(D)

Have you implemented procedures to regularly review records of activity such as audit logs, access reports, and security incident tracking? (R)

Conducting internal monitoring and auditing. Our HIPAA compliance co-ordinator and committee conduct regular audits and assessments to ensure the effectiveness of the HIPAA education and provide regular risk assessments of potential privacy issues. We conduct internal compliance audits to ensure organizational procedures, structure and technical infrastructure are optimized to protect customer data.
164.308(a)(1)(ii)(C)

Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R)

Enforcing standards of conduct through well-publicized disciplinary guidelines. We ensure that the standards and consequences for HIPAA violations are consistently enforced by ensuring our employees are aware of these standards through guidelines and training.

GoFax is committed to maintaining HIPAA compliance by following these 7 fundamental elements.

HIPAA Practices GoFax Compliance Measures
1. Implementing written policies, procedures and standards of conduct We have several policies and procedures that promote our commitment to ensuring HIPAA compliance is maintained throughout the entire organisation. These policies, procedures and standards of conduct ensure our employees understand how to carry out their job functions correctly to ensure compliance. These are reviewed periodically.
2. Designating a compliance officer and compliance committee We have a designated HIPAA compliance co-ordinator and compliance committee.
3. Conducting effective training and education All employees receive mandatory and ongoing training on HIPAA compliance.
4. Developing effective lines of communication We have a positive internal line of communication for employees when reporting internally and ensure that all reports are handled correctly Conducting the appropriate follow-up measures as per the HIPAA guidelines and rules.
5. Conducting internal monitoring and auditing Our HIPAA compliance co-ordinator and committee conduct regular audits and assessments to ensure the effectiveness of the HIPAA education and provide regular risk assessments of potential privacy issues. We conduct internal compliance audits to ensure organisational procedures, structure and technical infrastructure are optimized to protect customer data.
6. Enforcing standards of conduct through well-publicized disciplinary guidelines We ensure that the standards and consequences for HIPAA violations are consistently enforced by ensuring our employees are aware of these standards through guidelines and training.
7. Responding promptly to detect offenses and undertaking corrective action We ensure to respond promptly to any report of HIPAA offences or any violation and take corrective action immediately.

HIPAA FAQs

Yes. HIPAA compliant online fax providers cater specifically for the transmission of protected health information of patients in healthcare. If your current online fax provider is not HIPAA compliant, your sensitive data may be at risk of a breach.

Although not compulsory in Australia, online fax service providers that are not HIPAA compliant are more at risk of data breaches.

If you’re a healthcare professional or provider in the health sector, it’s vital to use a HIPAA compliant online fax service to ensure security when transmitting and storing protected health information and other patient data.

Any healthcare organisation that transmits protected health information and other sensitive patient data should be using a HIPAA compliant online fax provider.

These organisations include, but are not limited to:

  • Hospitals
  • Dentists
  • General practitioners
  • Medical specialists
  • Optometrists
  • Physical therapists

Secure communications solutions for the healthcare industry, made easy