Fax800® HIPAA Compliance


Fax800® implements technologies and policies to assist customers who handle Personal Health Information (PHI) and are covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although we are not ourselves covered by the Department of Health and Human Services requirements under HIPAA, we recognize that our customers may need to comply in order to use our service. This information is intended to help customers and prospective customers assess how our fax technology can be used while maintaining HIPAA compliance.

There are four categories of security requirements under HIPAA:

I. Administrative Procedures - Documented, formal practices to protect data.
It is our policy to access a customer's fax documents for the purposes of maintenance, customer service, repair, and backup, or in response to legal inquiries or warrants from courts or government agencies that legally compel disclosure of the messages or documents.
II. Physical Safeguards - Protect data from fire, other natural and environmental hazards, and intrusion.
We use an industry-standard fire safety system, off-site backups, and an industry-standard security system to protect Personal Health Information from physical hazards.
III. Technical Security Services - Protect information and control individual access to information.
Under section 164.312(e)(1) (Transmission Security), both Integrity Controls and Encryption are technology-neutral, implementation-dependent safeguards. For each of the three methods of accessing voice messages and fax documents, we have attempted to create a system of safeguards as specified by HIPAA.
  • Telephone access to fax documents requires a PIN to limit access to authorized parties. Switched telephone networks do not require encryption under HIPAA.
  • E-mail delivery of fax documents can be configured to use the PKWARE ZIP format with password-based encryption. We selected this as our standard in order to meet the safeguards in a manner that remains compatible with as many platforms and operating systems as possible. We also implement Secure SMTP over TLS (RFC 2487) so that e-mail messages are transmitted using encryption when the customer's e-mail server supports TLS.
  • World Wide Web access to fax documents requires a PIN or password and is secured by the industry-standard SSL 3.0 and TLS 1.1 protocols (RFC 3546) with strong encryption algorithms including the Advanced Encryption Standard (AES/Rijndael). Our web-based control panel's identity is verified by the SSL certificate used to implement the SSL protocol. Our certificate is signed by the Equifax Secure Certificate Authority.
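The e-mail safeguard above only takes effect when the customer's own mail server advertises STARTTLS in its EHLO reply; otherwise the fax arrives over cleartext SMTP and only the ZIP password protects it. The following added example (written for this page, not Fax800's code) shows how a customer can confirm that on their side: it parses an EHLO reply the way a sending server does, decides whether TLS would be used, and includes a live probe that upgrades the session with STARTTLS and reports the negotiated protocol version and cipher. The host names, the sample EHLO replies, and the TLS 1.2 minimum used by the live probe are constructed assumptions for illustration.

```python
"""
Check whether a mail server advertises STARTTLS (RFC 2487, later RFC 3207)
in its EHLO reply, which is what an upstream sender needs before it can
deliver a message over TLS instead of in the clear.

Added example; not Fax800's code.  Host names and EHLO replies are
constructed for illustration.
"""
import sys
import smtplib
import ssl

# Constructed EHLO replies of the kind a sending server sees after EHLO.
SAMPLE_TLS_REPLY = """250-mail.example.net Hello sender.example.org
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-AUTH LOGIN PLAIN
250 ENHANCEDSTATUSCODES"""

SAMPLE_NO_TLS_REPLY = """250-legacy.example.net Hello
250-SIZE 10240000
250 8BITMIME"""


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Parse a multi-line EHLO reply into {EXTENSION: [params]}.

    The first 250 line is the server greeting and carries no extension;
    every following line is '250-KEYWORD [params]' or, on the last line,
    '250 KEYWORD [params]'.  Keywords are case-insensitive, so they are
    normalised to upper case.
    """
    extensions: dict[str, list[str]] = {}
    lines = [ln.rstrip("\r") for ln in reply.split("\n") if ln.strip()]
    for line in lines[1:]:                 # skip the greeting line
        if not line.startswith("250") or len(line) < 4:
            continue                       # not part of the EHLO reply
        body = line[4:].strip()            # drop the '250-' / '250 ' prefix
        if not body:
            continue
        keyword, *params = body.split()
        extensions[keyword.upper()] = params
    return extensions


def delivery_mode(extensions: dict[str, list[str]]) -> str:
    """What a STARTTLS-capable sender does with the parsed reply:
    upgrade when STARTTLS is advertised, otherwise fall back to cleartext."""
    return "starttls" if "STARTTLS" in extensions else "cleartext"


def probe_server(host: str, port: int = 25,
                 min_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> dict:
    """Live check (needs network): connect, read EHLO, upgrade with STARTTLS
    and report the negotiated protocol version and cipher.

    min_version is a local policy choice for this probe (assumed here),
    not something the page specifies.  smtplib parses the EHLO reply
    itself, so has_extn() is used instead of parse_ehlo() on a live session.
    """
    ctx = ssl.create_default_context()     # verifies the server certificate
    ctx.minimum_version = min_version
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "mode": "cleartext"}
        smtp.starttls(context=ctx)         # raises ssl.SSLError if policy unmet
        smtp.ehlo()                        # RFC 3207: re-issue EHLO after upgrade
        return {"host": host, "mode": "starttls",
                "version": smtp.sock.version(),
                "cipher": smtp.sock.cipher()[0]}


if __name__ == "__main__":
    # Offline: classify the constructed replies.
    for name, reply in (("tls-capable", SAMPLE_TLS_REPLY),
                        ("legacy", SAMPLE_NO_TLS_REPLY)):
        print(f"{name}: {delivery_mode(parse_ehlo(reply))}")
    # Live: python check_starttls.py mail.example.net [port]
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe_server(sys.argv[1], port))
```

Run the script with no arguments to see the offline classification of the two constructed replies; pass your own mail server's host name to run the live probe. A `cleartext` result means the fax e-mail would not be encrypted in transit by the TLS safeguard, and an `ssl.SSLError` from the probe means the server advertises STARTTLS but cannot satisfy the assumed minimum TLS version.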
IV. Technical Security Mechanisms - Guard against unauthorized access to data over a communications network.
Our data storage systems implement industry-standard, fault-tolerant RAID-5 to prevent data loss due to storage media failure. Our database and storage systems are protected by battery backup to mitigate potential data loss due to power failures. Our servers run FreeBSD UNIX to prevent unauthorized access and compromise of data security.

We make every effort to provide tools and a secure environment in which Personal Health Information can be stored and transmitted. Under the HIPAA regulations, it is the customer's responsibility to examine the technology and determine how to use it in a compliant manner.