HIPAA Fax Privacy

Our office Electronic Health Record system generates an automatic fax cover sheet with the proper “important” notice and “confidential notice.” However, it automatically puts the patient’s name and date of birth on the cover sheet. Is that OK?


That’s a really interesting question and, unfortunately, the answer is a little complicated. It depends on whether or not you’re working at the place that provides the patient’s health care. HIPAA fax rules require that you keep Protected Health Information (PHI) protected with a “Confidential” cover letter. Any PHI on the cover letter itself would obviously be counterproductive. PHI is defined as any information that relates to a patient’s current, past, or future health problems, services, or needs.

Having identifying information such as a patient’s name, address, contact information, or date of birth on the cover page is not in itself a problem, because it isn’t PHI. However, if that identifying information is on a cover page that also shares your hospital or clinic’s logo or information, then you’ve linked the patient with your establishment, which informs the fax’s recipient that the patient is receiving care from you. That’s a problem. As the U.S. Department of Health and Human Services put it, “Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI… If such information was listed with health condition, health care provision or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI.”

So to sum it up, the patient’s information that is being automatically generated is not a problem in and of itself. However, if other information on the cover page links the patient with a health care provider or payment plan, it would be in violation of HIPAA’s PHI confidentiality laws. To be safe, you might want to use a different cover page than the one provided by the EHR system.