8/9/2012
It has come to the attention of the Early Intervention program that many providers are still using Electronic Fax Services "E-Fax" to send and receive faxes. These services such as Myfax, Faxage, MaxEmail, and others have been determined by the Department to not comply with the privacy requirements of HIPAA and FERPA. Per the Early Intervention Provider Agreement, you are required to "Comply with HIPAA Standards 45 CFR Parts 160, 162 and 164 and any additional parts that may be finalized in the future, where applicable" and "Not use or disclose protected health information except as allowed by the HIPAA Standard 45 CFR Parts 160 and 164 and not use of disclose EI records except as allowed by FERPA." These services are not compliant due to the following:
- Protected information is passed over multiple secure firewalls.
- Information is stored on 3rd party servers.
- All reviewed user agreements grant the E-Fax service provider the right to review any and all data sent using its service to diagnose technical problems. This would give unauthorized individuals access to protected information.
- Fax's can be converted and sent and received via unsecured email accounts.
- Faxes can be sent and received using portable communication devises (smart phones, tablets, etc).
The Program has reviewed several of these sites, and although many claim to offer "secure" communications, that cannot be guaranteed and does not meet the privacy requirements associated with Personally Identifiable Information and/or Protected Health Information. If you are utilizing an E-Fax service you are requested to immediately cease using said services. Continued use of E-Fax services would be considered a breach of privacy requirements and a potential violation of your provider agreement. If you have any question you may contact Blake Whitson the Early Intervention Privacy Officer at 217-557-9603 or atblake.whitson@illinois.gov.
