Faxing and HIPAA Privacy Laws

I need to inform physicians of certain tests that may be available to their patient. My cover fax sheet has a confidentiality notice on the front. I have been putting the patient’s name on the cover sheet and their diagnosis, which the doctor already has, at times. These are sent directly to the physician. Is this allowable? Should I have a cover sheet and then a second sheet with the information on it? Are there privacy laws regarding this or is it just understood?


It is crucial that medical officers comply with HIPAA privacy laws, and there are even special HIPAA-compliant medical fax cover sheets at sites such as FaxCoverSheets.org for this purpose. However, the law does not address specific means of security so much as it expects reasonable precautions in making sure private information is not spread inappropriately.

The Health Insurance Portability and Accountability Act of 1996 covers various things including patient privacy and security of medical records. But HIPAA also acknowledges that information must be shared among medical service providers, including via modern means such as fax and email. Since faxes, unlike email, can’t be encrypted, the main issues are usually securing the fax machine (making sure it’s not in a public area) and including language in the transmission alerting the recipient to its confidentiality.

There is nothing in HIPAA that specifically says the confidential information has to be on a separate page from the cover sheet. However, if we examine the logic of HIPAA cover sheets, we can fairly confidently say that putting patient information on the cover sheet defeats the purpose of the cover sheet. Large universities and hospitals never do this, and it’s probably not a good idea for you to do it either.

To break it down for you: this cover sheet is meant to stop the wrong recipient from reading the patient’s information. It isn’t a protection that comes into play once the fax is in the correct recipient’s hands. Ideally, if your fax were to go astray, someone would read the confidentiality warning and destroy the fax sheets that follow unseen. If the information is on the cover sheet itself, that’s not a possibility.

Here is some typical language found on HIPAA-compliant fax cover sheets:
IF YOU RECEIVE THIS FAX IN ERROR, PLEASE CONTACT THE SENDER IMMEDIATELY AND THEN DESTROY THE FAXED MATERIALS.
CONFIDENTIALITY NOTICE:
The information contained in this facsimile message is privileged and confidential information intended for the use of the individual or entity named above. Health Care Information is personal and sensitive and should only be read by authorized individuals. Failure to maintain confidentiality is subject to penalties under state and federal law.

With all that being said, I’m not a lawyer, just a fax guy, so you might want to also check with your local physicians’ association or the medical board of your state.
