Security & Privacy of Faxed, Printed and Copied Documents (107.013)

Security & Privacy of Faxed, Printed and Copied Documents (107.013) - Policies, Administrative, UWMF, UWMF-wide, HIPAA/Privacy


University of Wisconsin Medical Foundation

Policy Name: Security & Privacy of Faxed,
Printed and Copied Documents
Policy Number: Privacy 006

__X__ New ____ Revised
If Revised, Supersedes Policy Dated: _________
Effective Date: April 14, 2003
Approved By (Name): Peter Christman Title: Executive Vice President

I. Purpose
To establish guidelines for ensuring the privacy of a patient’s Protected Health Information
(“PHI”) printed and/or transmitted with fax machines, printers, copiers, copy services and related
office equipment, and PHI printed and/or received at Document printers, facsimile machines
(faxes), copiers, copy pickup/drop-off locations, and waste paper disposal containers, in
accordance with federal and state statute and regulations.

II. Policy
UWMF handles patient PHI which is copied, printed and/or transmitted via facsimile in a
protected and secure manner. Faxing of PHI is limited, to the extent reasonably possible and in a
manner which does not impede the efficient delivery of patient care and treatment, to urgent
patient care and treatment purposes. Routine requests for protected PHI are sent via secure
courier, U.S. Mail, or other reliable delivery service.

III. Procedures for Outgoing Transmissions & Equipment Security

A. Leaving PHI As Answering Machine Message. A written “Telecommunications
Permission” form is obtained from the patient for any disclosure of patient information
(eg., tests results, follow up communications) made via the telephone and left on an
answering machine. Please see the UWMF “Telecommunications” policy and
“Telecommunications Permission” form.

B. Faxing PHI – Outgoing Transmissions. Faxing of patient medical records between
UW Health affiliated entities and other Covered Entities (e.g., healthcare providers and
insurance companies or other payors) is allowed to promote the continuity of quality care
in urgent/acute situations and/or in a manner which is appropriate to expedite exchange
of critical information necessary to deliver efficiently health care and treatment to
UWMF patients.

1. Ensuring Correct Destination of Faxed Materials. Staff members faxing patient
information take reasonable steps to ensure that the fax transmission is sent to the
appropriate destination. When taking a request for information to be faxed, verify the
identity of the individual making the request and obtain the following information:

i. Name / Date of Birth of Patient / Medical Record Number (if possible);

Security & Privacy of Faxed, Printed and Copied Documents

Page 2

ii. Information Requested is limited to that which is minimally necessary to meet
needs of requestor, unless the individual requesting the information is a physician
in a treatment relationship with the patient;

iii. Reason for Request (i.e., continued care);

iv. Fax Number of Requesting Party; and

v. Phone Number of Requesting Party for purposes of verification of identity, if the
individual is not otherwise known to you, and for purposes of follow up
questions, as may be necessary.

2. Verification of Unfamiliar Recipient. When requests are made by parties that are
unfamiliar, staff verifies the requesting party’s identity by contacting the party via the
contact phone number and determining legitimacy through the identification provided
by the party at the contact number. Please see UWMF “Verification” Policy.

3. Double Check Recipient Number. Staff members always double check the
recipient’s fax number before pressing the “send” key. When using pre-programmed
receiving fax numbers, the numbers are tested immediately after the first
programming to determine accuracy.

4. Fax Transmission Cover Page. A UWMF “Fax Transmission Cover Page” that
includes a confidentiality statement is always used as a cover page when faxing
patient information. Please see the UWMF “Fax Transmission Cover Page” forms.
The cover page is filled out completely with the name and department of the sender
clearly, and the description boxes are checked as necessary to indicate the general
type of the information to be sent.

5. Alerting Phone Call. Whenever possible, documents containing PHI are
accompanied by a separate phone call to the receiver, alerting the receiving person of
their arrival.

6. Routing. Information and documents that have been faxed “out” are gathered
immediately after faxing and routed to the appropriate location or disposed of in a
secure manner in accordance with the UWMF “Disposal of PHI Policy.”

7. Update Fax Numbers. Parties receiving faxes from UWMF on a regular or routine
basis are reminded periodically to notify the UWMF if their fax numbers change.

Security & Privacy of Faxed, Printed and Copied Documents

Page 3
C. PHI Faxed - Incoming Transmissions – Printer Output

1. Removing Incoming Transmissions and/or Output. Staff should remove output
from printers, FAX machines and copiers as soon as possible to avoid unauthorized
persons from gaining access to the materials.

2. Verification. Staff should verify accuracy of routing and total number of pages as
identified on the fax cover sheet.

3. Transmission Incomplete / Errors / Illegibility. If the fax transmission is
illegible, incomplete, or received in error, the sender is notified immediately.
Documents received in error are immediately be disposed of in a secure manner.
Please see UWMF “Disposal of Protected Health Information” policy.

4. Routing. Fax transmissions of PHI are immediately routed to the intended receiver
or the patient’s record.

5. Mis-Directed Faxes. Staff should refrain from viewing misdirected faxes, unless it is
necessary to determine where the fax came from.

D. Procedure for Misdirected Faxes. UWMF considers that mis-directed faxes are a
disclosure of PHI that needs to be tracked and accounted. The following process is
followed in the event that a fax transmission containing patient PHI was sent in error or
to the wrong recipient.

1. Outgoing Faxes Sent In Error. When a fax transmission-containing PHI is not
received by the intended recipient because of a misdial, check the internal logging
system of the fax machine to obtain the mis-dialed number.

2. Incident Report. Staff shall document any misdirected fax by filling out a standard
UWMF “Incident Report” form and attach the misdirected fax or activity report to the
Incident Report. Return the form to the Safety Department. It is the responsibility of
the department sending the misdirected fax to forward this information immediately
to Safety Department. The matter is then routed to the Director of Health Information
and the Privacy Officer, who ensure that necessary steps are taken to prevent further

3. Contact Recipient. If possible, staff should call the recipient of the misdirected fax
and request that the fax transmitted be destroyed in its entirety. If a phone call is not
possible or the recipient can not be reached by phone, staff sends a follow up fax
requesting that the mistaken recipient destroy the document in its entirety.

Security & Privacy of Faxed, Printed and Copied Documents

Page 4
E. Equipment Locations to Maximize Security

1. Location. Fax machines that routinely receive transmissions of protected patient
health information are placed in secure, non-public areas. Public areas inappropriate
for the location of such equipment include, but are not limited to, primary hallways,
waiting rooms, multi-use and conference rooms and elevator lobbies.

2. Faxing After Business Hours. Special consideration is given to areas that receive
or store PHI outside of regular business hours (e.g. fax machines, printers running
overnight batch print jobs and copy pickup/drop-off points). This equipment is
located inside a room that is routinely locked or otherwise secured outside of regular
business hours. If this is not possible this equipment is shut off overnight.

3. Semi-Public Locations. Semi-public areas are acceptable locations for printers and
FAX machines if and only if staff in those locations accompany patients and visitors.
Semi-public areas may include, but are not limited to:

 Clinic hallways and work areas where patients are always escorted by staff;

 Administrative buildings which have little or no patient traffic; and

 Private office space that is enclosed but not behind locked doors.

4. Locations in Public Areas Acceptable if Attended. Copy machines are located in
areas that are not appropriate for printers and FAX machines if and only if a human
operator is present to create output containing PHI. Copy machines must be attended
during the copying of PHI.

F. Disposal of discarded paper containing PHI. Recycled or disposed of media which
contains patient PHI is disposed of in a secure manner in accordance with the UWMF
“Disposal of Protected Health Information” policy.

1. Secured Bins. All paper waste containing PHI is disposed of in receptacles that are
secured by locking mechanisms or that are located behind locked doors after regular
business hours.

2. Requesting Secured Bins. In physical locations served by UWMF Facilities
Management, locked, confidential recycling containers shall be requested by calling
the UWMF Facilities Manager at 287-2950.

3. Shredding. Paper documents containing PHI which are not disposed of in a
secured bin, are shredded as soon as discarded.

Security & Privacy of Faxed, Printed and Copied Documents

Page 5
G. Assistance. Additional assistance in determining the appropriateness of responding to
requests for disclosure of patient PHI include the following resources:
 Director of Health Information
 Facilities Manager
 Privacy Officer

H. Resources
 Disposal of Protected Health Information Policy
 Fax Cover Sheet – Administration
 Fax Cover Sheet – Clinical
 Telecommunications Policy
 Telecommunications Permission Form
 UWMF Safety Department Incident Report Form

IV. References
 HIPAA Collaborative of Wisconsin Policy & Procedure: “Fax Transmission of PHI,”
February 2003
 Chapter 895.505 Wis. Stats.

V. Author & Review

Sponsor: HIPAA Steering Committee
Author: Bill DeGowin Claudia Jane Sanders
Dan Thill
Review: Compliance Privacy Work Group PBS Privacy Work Group
Clinic Ops Privacy Work Group HIPAA Steering Committee

Committee Approval: Compliance Privacy Work Group PBS Privacy Work Group
Clinic Ops Privacy Work Group HIPAA Steering Committee
Senior Management Team
Approved: Peter Christman Date: April 11, 2003