POLICY:
Employees of Columbia University Medical Center will protect the confidentiality
of Protected Health Information (PHI) when transmitting or receiving it by
facsimile (fax).
PURPOSE:
Fax machines provide a useful mechanism for rapidly and cost-effectively conveying
information and documents within the organization and to outside entities with whom
Columbia University Medical Center does business. Nonetheless, the transmission of
PHI by fax poses significant privacy risks associated with misdirected faxes and
the delivery to or receipt of faxes in unsecured locations. The purpose of this
policy is to describe the procedures that should be used to help to preserve the
privacy and security of PHI transmitted to or from Columbia University Medical
Center by fax.
PROCEDURES:
- Sending Faxes
Employees will transmit PHI by fax only when the transmission is time-sensitive
and delivery by regular mail will not meet the reasonable needs of the sender or
recipient.
Employees will take reasonable steps to ensure that a fax transmission is sent
to and received by the intended recipient. When the fax transmission includes PHI,
"reasonable steps" include, but are not limited to, the following:
- Employees will confirm with the intended recipient that the receiving fax
machine is located in a secure area or that the intended recipient is waiting
by the fax machine to receive the transmission.
- Fax machines will be pre-programmed with the fax numbers of those recipients
to whom PHI is frequently sent so errors associated with misdialing can be
minimized or avoided. Pre-programmed fax numbers will be tested frequently
to confirm they are still valid.
- When a fax number is entered manually (because it is not one of the
pre-programmed numbers) the employee entering the number will visually check
the recipient's fax number on the fax machine prior to starting the
transmission.
- Employees will use Columbia University Medical Center's standard fax
cover sheet that contains the following PHI statement:
This facsimile is intended only for the use of the named addressee and
may contain information that is confidential or privileged. If you are not the
intended recipient, or you are not the employee responsible for delivering the
facsimile for the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this facsimile is strictly prohibited.
If you have received this facsimile in error, please notify the sender
immediately.
- The name, business affiliation, telephone number and fax number of the
intended recipient as well as the number of pages contained in the transmission
will also appear on the cover sheet.
- Fax confirmation sheets will be checked immediately or as soon as possible
after the fax has been transmitted, to confirm the material was faxed to the
intended fax number. If the intended recipient notifies the sender that the fax
was not received, the sender will use best efforts to determine whether the fax
was inadvertently transmitted to another fax number by checking the fax
confirmation sheet and/or the fax machine's internal logging system.
- If an employee becomes aware that a fax was sent to the wrong fax number,
the employee will immediately attempt to contact the recipient by fax or
telephone and request that the faxed documents, and any copies of them, be
immediately returned to Columbia University Medical Center or destroyed. The
employee's supervisor or the HIPAA Privacy Officer will also be notified of
the mis-directed fax.
- Those recipients who regularly receive PHI via fax will be periodically
reminded to notify Columbia University Medical Center of any change to the
recipient's fax number.
- Fax confirmation sheets will be attached to and maintained with all faxed
materials.
- Sensitive PHI (such as HIV/AIDS results or status or substance abuse and
mental health treatment records) should never be sent by fax.
- When faxing PHI, employees will comply with all other Columbia University
Medical Center privacy policies.
- Receiving Faxes
Employees who are intended recipients of faxes that contain PHI will take
reasonable steps to minimize the possibility those faxes are viewed or received
by someone else. These "reasonable steps" include, but are not limited to, the
following:
- Fax machines that receive faxes that include PHI will be located in Secure
Areas. If an employee receives a fax containing PHI on a fax machine that is
not in a Secure Area, the recipient of the fax will promptly advise the sender
that the receiving fax machine should not be used for the transmission of such
information.
- Fax machines will be checked on a regular basis to minimize the amount of
time incoming faxes that contain PHI are left on the machines. Employees who
monitor the fax machines, or the employee who sees such a fax on the machine,
will promptly remove incoming faxes and deliver them to the proper person.
- If an employee receives a fax addressed to someone other than the employee
and the person to whom the fax is addressed is someone at Columbia University
Medical Center, the employee will promptly notify the individual to whom the
fax was addressed and deliver or make arrangements to deliver the mis-directed
fax as directed by the intended recipient.
- If an employee receives a fax addressed to someone other than the employee
and the person to whom the fax is addressed is NOT affiliated with Columbia
University Medical Center, the employee will promptly notify the sender, and
destroy or return the faxed material as directed by the sender.
- Employees who routinely receive faxes containing PHI from other individuals
or organizations (either internal or external sources) will promptly advise
those regular senders of any changes to the employee's fax number.
- Employees who receive faxes that contain Sensitive PHI (such as HIV/AIDS
results or status or substance abuse and mental health treatment records) will
promptly advise the senders of such faxes that it is the policy of Columbia
University Medical Center not to accept transmissions of Sensitive PHI by fax.
- Enforcement
Employees who do not comply with this policy will be subject to disciplinary
action. Depending on the facts and circumstances of each case, and in accordance
with any applicable collective bargaining agreements, Columbia University Medical
Center may reprimand, suspend, dismiss or refer for criminal prosecution any employee
who fails to comply with this policy.
- Definitions
Protected Health Information (PHI) means information that
relates to the past, present or future physical or mental health or condition of an
individual, the provision of health care to an individual or the past, present or
future payment for the provision of health care to an individual and identifies or
could reasonably be used to identify the individual.
Sensitive Protected Health Information (Sensitive PHI)
means Protected Health Information that pertains to (i) an individual's HIV status
or treatment of an individual for an HIV-related illness or AIDS, (ii) an
individual's substance abuse condition or the treatment of an individual for a
substance abuse disorder or (iii) an individual's mental health condition or
treatment of an individual for mental illness.
Secure Area means a location that is not accessible to
the general public.
RESPONSIBILITY:
Departments, HIPAA Privacy Officer
ISSUED: December 2003
REVIEWED: October 2007