Who's got the “fax hot potato”?
There's a point at which a fax is neither here, nor there.
Simply by nature of it
being a fax means it’s being delivered and for a tiny fraction of time, it’s
momentarily in the ethereal space somewhere at a point after it was sent -- and
before it was received.
At the surface it may
seem trivial, but the definition of "here" versus "there"
matters greatly since HIPAA has a delivery standard for vendors about sending
Patient Health Information (PHI) electronically - cloud based fax (CBF) vendors
included.
Plainly, and in terms of fax delivery, the definition gives the distinction of
transient versus persistent data storage. Transient cloud fax delivery
providers can be exempt from becoming a HIPAA Business Associate (BA), while
those that temporarily store the fax, must. The devil is in the details and fax
vendors must declare which it is - a transient conduit or a delivery method
where PHI faxes are stored - even if for fractions of time.
If they get it wrong
significant financial penalties are at risk for wrongful classifications.
Are all cloud fax
providers conduits or much more? Which need to sign a Business Associate
Agreement (BAA) and which do not?
Take fresh look at the “The HIPAA Conduit Exception Rule
and Transmission of PHI" in an article from the HIPAA Journal
online - and decide for yourself. -mm