Solgenia Facsys Fax and HIPAA Compliance
introduction Healthcare organizations are in the midst of a revolutionary turnaround in regards to information security and privacy. Whereas before the typical healthcare environment was open and unrestrictive, today s healthcare facilities are moving to an environement of control, confidentiality, integrity and accountability. Healthcare networks are now being used to transmit vital prescription, billing and insurance information, making it readily accessible to those who need it, regardless of their location. Healthcare providers must now face the challenge of securing this information and maintaining strict levels of patient confidentiality while still allowing easy access to authorized users. WHAt is HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of several parts, including a section called Administrative Simplification that was designed to reduce administrative costs by standardizing electronic transactions and code sets. Administrative Simplification also contains requirements to protect the privacy and security of Protected Health Information (PHI). The regulation defines PHI as any information relating to the health of an individual, the healthcare provided to an individual, or payment for the healthcare provided to that individual. HIPAA affects healthcare organizations in two ways: first, by strongly encouraging the conversion of paper-based healthcare information systems to electronic systems, and second, by mandating that the design and implementation of the electronic systems guarantee the privacy and security of patient information. Under the security standards of HIPAA, health insurers, certain healthcare providers and clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic health information. Health plans, healthcare clearinghouses and healthcare providers (known as covered entities ) who engage in electronic transactions, must comply. To a lesser degree, employers and business associates of covered entities are also affected. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic health information in their care. To achieve HIPAA compliance, healthcare organizations must implement physical, technical and administrative safeguards that ensure the integrity and security of healthcare information. How do healthcare administrators achieve this? First they must use a secure means of recording patient information; then use a secure means of transmitting and filing those documents electronically and finally they must make sure that any software that deals with PHI provides mechanisms to be in compliance with HIPAA regulations. 2
HIPAA and Fax Faxing and Healthcare Quality The quality of healthcare is enhanced when patient information is readily available to healthcare providers. As a result, fax machines and fax software have become commonplace in healthcare organizations. Physicians who need to share sensitive information about a patient use fax machines, for example, when regular mail delivery proves too slow. Similarly, hospital transcription departments use fax software to deliver a copy of a dictated report to the physician s office as soon as the report is transcribed. Although fax equipment and software can enhance the quality of healthcare by facilitating rapid transmission of clinical information, this same equipment and software opens up the possibility that information will be misdirected or intercepted by individuals to whom access is not intended or authorized. In recent years, there have been numerous reports describing events where patient health records were inadvertently faxed to a newspaper office, for example, rather than the intended recipient. Faxing and Report Delivery Most healthcare organizations operate within a network of clinics and other auxiliary systems as part of the patientcare process. This approach often requires support for multiple platforms, which complicates the workflow process and the IT infrastructure. Today s healthcare organizations are pressed to continually improve services that impact patients and their PHI, while attempting to comply with HIPAA regulations. Real-time delivery of printed reports to all parties involved in patient care plays an important role with these initiatives. The faxed report has become a standard in radiology report delivery, with most transcription programs set up to auto fax reports to referring physician offices, following approval by the radiologist. While faxing is a HIPAA-compliant technology, there are inherent issues with the manual fax machine when faxing reports and verifying their delivery to the correct medical office. How does the radiology group know that faxes were picked up by the appropriate person and not left in a tray (which may be located in an unsecured area) for hours at a time? How do you handle the referring office that consistently loses reports and keeps requesting new copies? How does the radiology group prove it had previously delivered report copies and that they were retrieved by an authorized person at the other end? And what happens when reports have been sent to a wrong number? 3
FACSys and HIPAA COMPLIANCe While no software can claim to be HIPAA compliant because the scope of compliancy falls far beyond the inherent functionality of the software, Facsys has features, which assist covered entities of employers and business associates to be in compliance with HIPAA regulations. These include: 1. A Facsys fax server solution implements privacy enhancing features and procedures to protect the confidentiality and integrity of transmitted information. Only authenticated users can login to the system to retrieve documents. 2. Facsys enables a paperless environment for both transmitting and receiving information, reducing the vulnerability of the data. Healthcare organizations can be confident that information they need is transmitted safely and efficiently, directly to a fax number they specify, without the virus threat that traditional email creates. 3. your documents are safe and secure beyond traditional fax methods; faxes are no longer left unattended in public areas, available for unauthorized or unintended recipients. 4. Facsys automates the delivery, receipt and tracking of personal health information such as admittance documentation, healthcare claims, payment and remittance forms, claim status, lab reports, prescriptions and more. Every fax transmission, in and out, is logged by the system. 5. Facsys can use e-mail gateways, allowing it to send and receive information more securely using your existing e-mail system; you can leverage the technology you already have in place to comply with HIPAA requirements. 6. NT authentication restriction: provides for greater security for Windows NT networks. This option will permit only Windows NT authenticated users to access the system. 7. Routing to users directories on the fax server file system ensures only the correct people are privy to PHI of patients. 8. Notifications: Receive notifications of document transmission and receipt. When medical IT departments properly implement Facsys security features, along with having proper Administrative guidelines, the covered entities will be able meet the requirements to become HIPAA compliant. 9. Authentication and Security: To deny unauthorized access to the fax server, Facsys can be configured to authenticate all messages sent from the faxserver by verifying that the sender has a Facsys user profile. Facsys also employs its own set of access rights, privileges and restrictions, which are assigned on a per-user basis. Facsys can also integrate within your Active Directory environment, allowing for a single point of administration. 10. Block number : Avoid sending information to unauthorized and unsecured fax numbers. 11. Fax archival: Facsys records all inbound and outbound fax transactions in a database file. It also automatically logs all transmissions and maintains a full history of the entire transaction, allowing you to easily retrieve and authenticate exactly what was sent or received. 12. Privacy, Security and Reliability not only means compliance for your organization, but also peace of mind. Protected Health Information (PHI) and other business records that are highly sensitive and critical to your organization are securely and reliably managed with Facsys technology. 4
SECURIty MEASUreS For FAxeS Examples of recommendations: 1. establish fax policies and procedures based on federal and state law and regulation and consultation with legal counsel. 2. Include in your organization s Notice of Information Practices uses and disclosures of individually identifiable health information made via fax machine or software where appropriate (see AHIMA s Practice Brief on Notice of Information Practices, May 2001). 3. obtain written authorization for any use or disclosure of individually identifiable health information made via fax machine or software when not otherwise authorized by the individual s consent to treatment, payment, and healthcare operations, or federal or state law or regulation. 4. take reasonable steps to ensure the fax transmission is sent to the appropriate destination. Preprogram and test destination numbers whenever possible to eliminate errors in transmission from misdialing. Periodically remind those who are frequent recipients of individually identifiable health information to notify you if their fax number is to change. Train staff to double check the recipient s fax number before pressing the send key. 5. Attach a confidentiality statement on the cover page when transmitting individually identifiable health information. 6. Contact the receiver and ask that the material be returned or destroyed if the sender becomes aware that a fax was misdirected. 7. Place fax machines in secure areas. 8. Implement a Facsys fax server that provides inherent functionality in support of HIPAA compliance. During a recent Request for Proposal from a major medical institution, the following list of compliance questions were asked. Facsys compliance with these requests is noted below: HIPAA Compliance Feature Facsys meets HIPAA requirements for sending PHI MEETS POLICY FOR SENDING PHI Limits information disclosure to the minimum necessary Includes data and time of transaction Indicates the number of pages transmitted Includes a confidentiality notice Provides reasonable validation of fax machine destination site security Provides alert for recipient of transmission Validates successful transmission using logging functions Requests immediate notification if problems occur Requires use of ID/password and data encryption Procedures and software for auto faxing must be approved by IS Facsys Compliance. Access is controlled by network security., on the fax header and optional cover page., and page x of n, if the user includes this on the cover page. No. Facsys cannot control the security of the target site; however it does record the target CSI.. Received faxes can be routed in many ways, provided that telephony technology is in place. Facsys can provide receipt notification.. Access determined by network security. Deployment can be managed by administrator. Outbound transmissions can be held for review and release. 5
HIPAA Compliance Feature Facsys Compliance Security Features Secure transmission available Does not require server to remain logged in to operate Uses NT level security for access Requires use of ID and Password Provides Domain Security integration for fax integrity and privacy Solution verifies your authorization level to send/receive faxes Only intended recipient can view a received fax Create customized cover pages that suit SHS and HIPAA needs Creation of rules for restrictions on fax dissemination. Facsys transmits a TIF image over the PSTN, point-to-point.. Facsys operates as an NT Service.. NT Domain/ADSI for Windows Server., for client access, with automated routing. Manual routing can be assigned to specific users. Restrictions to view only the Cover Page for routing purposes can be imposed. auditing FeatureS Auditing features are available Provides adequate logging mechanism Logging mechanism doesn t bloat or degrade the system Auditing reports on who does what, when and to what number Auditing reports identify specific users Keep a log of all faxes sent and received Monitor fax usage for cost recovery, billing & tracking purposes Provides built-in reporting tools Provides customizable reporting tools Provides fast response time with fax event alerts Creates fax status notifications, and Crystal Reports 9.0 compatibility for additional report template creation., with Crystal Reports 6
HIPAA Compliance Feature Facsys Compliance DESKTOP HIGHLIGHTS The product is preferably clientless Uses a minimum level of software/drivers on workstation to support, Client and Web Agent deployment is optional. Facsys SDK can be used to programmatically submit fax jobs. If needed, clients supported on Windows 98, NT, 2000, XP, 2003, 2008, Windows 7 Fax solution should be platform generic Facsys requires a Windows server Fax solution should allow interface from any OS or application Send and receive faxes from Email or Fax server client software Access and manage faxes from Windows explorer or browser Send faxes directly from any Windows application Annotates faxes directly to PC screen Automatically print sent/received fax to any networked printer, web user interface.. Print-to-Fax or Fax-to-email options from client., included with fax viewer, optionally invoked. WEB BASED FEATURES Web-based solution Ability to use Web browser to fax Provides remote fax access via Web Web Agent for user access. EMAIL FEATURES Allows fax-to-email and email-to-fax Compatible with other server based SMTPbased messaging systems Compatible with other email packages (Outlook, Exchange, etc.) Can route inbound faxes to Email and printers Functionality/integration to e-mail and network applications, Exchange, GroupWise, SMTP, Lotus Notes, with email gateways, with email gateways 7
FACSys Audit TrAIL The Facsys audit trail feature enables managers and administrators to track the lifecycle of all fax transmissions and receipts. HIPAA Compliance Feature ADMINISTRATION FEATURES Centralized administration Facsys Compliance, for single or multiple servers. Additionally, managers have access to tools, which allow them to better track and manage employee productivity and accountability. Benefits Establish accountability by tracking the handling of messages Generate productivity metrics based on the duration of handling and related processes Track the disposition of messages Meet SOX and HIPAA compliance Identify suspicious data access activity Diagnose the system in cases where technical support is required Viewing the Audit Trail Audit Trail data is accessible via: the Facsys Desktop Client generated reports in Facsys Administrator the SQL Database Flexible deployment with basic print-to-fax Load balancing between multiple servers or locations Multiple inbound fax routing options Centralized configuration, monitoring, and control of fax servers Create and manage groups, users, coversheets, signatures, billing codes, etc. Audit TrAIL Event Types, with Exchange and server-to-server routing. Facsys records information for both inbound and outbound faxes, detailed as follows: INBOUND OUTBOUND INITIAL Receiving from Fax Board Image Rendering EXECUTION Image Rendering Route Allocation Sent Fax Message Failed/Resending Fax Message NOTIFICATIONS Fax Receipt Email Notification Status Email Notification Fax Auto Print Notification Status Print Notification Other Automated Notifications Other Automated Status Notifications ROUTING Automated Routing Process Optical Character Recognition (OCR) Optical Character Recognition (OCR) USER Delete Fax Message Delete Fax Message Permanently Delete Fax Message Open Item Assign User-Defined Fields Move to Folder Manual Route Permanently Delete Fax Message Open Item Assign User-Defined Fields Change Priority Move to Folder Resending Fax Message In cases where an outbound message has multiple recipients, the recipient-specific activities are logged (for sending and resending of failed messages) and are tracked separately for each recipient. 8
For More Information Please contact your Solgenia representative or Authorized Reseller. Solgenia, USA, Inc. 991 US Highway 22, Suite 200 Bridgewater, NJ 08807 USA Solgenia Canada, Inc. 905-5915 Airport Road Mississauga, ON L4V 1T1 CANADA Toll-Free: +1 866 436 3278 Fax: +1 289 247 2810 www.solgenia.com Bridge the gap between personal and professional digital experience. Solgenia is a leading Cloud enabling company that assists organizations in accelerating business benefits to increase productivity, reduce costs, and deliver more value to their respective customers. As a Cloud enabler, Solgenia is specialized in providing Platform Infrastructure, Business and Collaboration Apps for the Cloud Ecosystem. Solgenia engages with Cloud Application Providers, Cloud Service Providers, Cloud Brokers, and Cloud Customers/ Users to establish and enrich their business Cloud experience. The company has a direct presence in USA, Canada, Italy and Mexico and maintains a reseller network of more than 200 partners all over the world. Solgenia has a total revenue of USD$60 million, employs approximately 700 employees, and serves more than 5,000 customers. 2013 Solgenia, USA, Inc. All rights reserved. Solgenia, Facsys, Freedoc for Facsys, emfast and Fax Enable Your World are registered and licensed trademarks of Solgenia, USA, Inc. Solgenia Analysis, ProJ, and Powua are registered trademarks of Solgenia SpA. All other registered and unregistered Trademarks, Service Marks and Logos herein are the sole property of their respective owners. Portions include technology used under license from Catch Curve, Inc. (United States Patents No. 4,994,926, No. 5,291,302, No. 5,459,584, No. 6,643,034, No. 6,785,021, No. 7,202,978, and Canadian Patents No. 1329352 and No. 2101327) and Dynamic Depth, Inc. (United States Patent Number 5,461,488) and are copyrighted. The Trademarks, Service Marks and Logos used and displayed in this communication are registered and unregistered Trademarks of Solgenia and others. Nothing in this document should be construed as granting, by implication, estoppel or otherwise, any license or right to use any Trademark displayed in this document, without the prior written consent from the Trademark owner. Solgenia aggressively enforces its intellectual property rights to the fullest extent of the law. The name of Solgenia, the Solgenia Logo or the other Solgenia formatives may not be used in any way, including in advertising or publicity pertaining to distribution of materials, without prior, written permission from Solgenia. Solgenia prohibits use of the Solgenia Logo as part of a link to or from any site unless establishment of such a link is approved in advance by Solgenia in writing. Fair use of Solgenia Trademarks requires proper acknowledgement. Other product and company names mentioned may be the Trademarks of their respective owners.