We don't accept emails - not secure - please fax?

Our email is not HIPAA compliant. No, I can not email your records to you. I can not fax if you don’t have a secure fax aka only you have access to it. I can snail mail. Or you can pick it up in person. Bring your ID.

Given that fax machines should have gone the way of the dinosaur, luckily there are online services that will let you “send” a fax from an electronic document, which is how I got around the fax requirement for a lot of things.

Five Best Fax Services lists a few of them, I don’t remember what I’ve used in the past.

For a fax to be misdirected and be a problem is only an issue if the misdirected number is a fax machine. Then that fax recipient would have to have ill intent.

An email passes through a web of electronic pathways and can be intentionally captured at any point even if not misdirected.

Fax is also good in that it makes rapid remote acceptance of a signature that is legally binding.

Can you expand on this a bit? Because it doesn’t make any sense.

There was legislation a few years back that allowed faxed signatures to be considered as legally binding for things like contracts. AFAIK, there is no similar provision for email – emailing someone that you’re ok with the terms of an agreement does not legally bind you to that agreement.

What legislation are you referring to? That’s not really how contracts work.

I don’t recall, just that parties could each sign the signature page of a contract and fax it to each other, and the contract would then be enforceable.

Thinking about it, I believe this is more than a few years ago – maybe 10 or 15 or even more.

The most recent legislation I know of actually made electronic signatures valid in many different forms. The issue with using e-mail exclusively for signatures/contractual agreements is the potential that they could be faked. Under the hood, e-mails are really just text files, after all.

An e-mail of a scanned document would generally have the same legal enforcement as a fax, though. Or even something using a digital signature, if that signature met certain requirements.

You can, however, PGP encrypt the content of the email, which isn’t exactly rocket science.

Or even set up a secure email server, where customers would have to sign in and access their mail from your server.

There are a number of ways to make email at least as “secure” as the fax machine sitting in the open room by the photocopier.

I worked for Medicare, and am convinced that at least half of the real reason for the “no emails” policy is that the federal government has hardly reached the first quarter of the 20th century.

Still wouldn’t be secure until it hit your secure server.

Sending something sensitive over email is like sending something private via a postcard back in the snail mail days. It will go through many hands before your recipient gets it, and any one of those could take a look and see what you’re sending. Your secure server is like sticking a padlock on the mailbox. Too late, it’s already been through most of the journey out in the open.

Yes, encrypting email is an option. No, the idjits at the govt office aren’t going to know how to do that, even if they did know they probably wouldn’t be allowed because bureaucracy, and even if they did know and were allowed, they still wouldn’t because they don’t care.

Except that some very large insurance companies have gone that route with their corporate partners/vendors, and have determined that it’s HIPAA-compliant. I’ve worked with several of them in my previous job, and yes, we dealt with PHI.

It’s not necessarily that they don’t care. It could well be because logical conversation with the higher-ups at a government office is like explaining physics to a pig. Only less likely to get any results.

Also - as someone who works in a government office - there’s a huge catch-22 on any technical upgrades.

If we don’t have the latest technology (or close to it), people get upset because we’re not “with the times” and it’s hard to do business with us.

If we do have the latest technology (or close to it), people accuse us of WASTING THEIR TAXPAYER MONEY ON THE LATEST GADGETS.

Add to that the fact that every single purchase has to be approved and authorized and vetted by bosses, committees, and (sometimes) elected officials, then when it’s actually in the office a whole lot of people of varying intelligence levels have to be trained on how to use it and … well, the point is, any change takes a long ass time.

Good for you, I guess.

It’s not bad policy for IRS to warn folks about insecurity of even faxes these days … or a copier for that matter. They have storage capacity now, and if someone decides they want to gather intel by snatching relevant wafer (I’m not a geek), they can get loads of juicy information depending on the device.

For what it’s worth, when signing up for a White House tour a couple of years ago we had to provide the government with info so the Secret Service could conduct their background checks. They asked for names, SSNs, etc. It had to be sent by e-mail.

Which seems strange when you think about it, because the 75-year-old patient almost certainly can’t send and receive faxes in her home.

And if they can, it will quite likely be via a mail-to-fax service.

Nothing is frikking secure but there are legal consequences for leaking social security stuff and the law assumes that mail and fax are secure even though it’s not much easier to hack someone’s email than it is to steal their physical mail. So you can’t get in trouble if someone steals mail or faxes but you can get in trouble if someone hacks an email. I don’t really understand why they don’t add email to the list along with faxes but wtf do I know.

True, but that’s not the security we’re talking about.

Faxes are insecure because I can send a fax which claims to come from you and nobody has a real way to verify that. Caller ID can be spoofed, signatures can be either not required or copied off of a scanned document, and… that’s it. That’s seriously it. There is no way to cryptographically sign a fax, or at least no way anyone else knows how to interpret.

And this is obviously the kind of security we’re talking about. The threat model of “someone sent a bogus fax in my name” is just blazingly, obviously more important than anything else in this context.

Wrong.