The following FAX.PLUS HIPAA Compliance Statement is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential. This Statement is not intended to take the place of a Business Associate Agreement.
We have instituted policies and procedures to ensure that our customers’ data is kept confidential. These include, but are not limited to, the following:
The FAX.PLUS online fax solution includes unique user identification, administrator privileges to grant and remove access, next-generation (256-bit AES) encryption, and other protocols to limit access to your organization’s authorized personnel only. Inbound documents can be delivered only to the intended recipient’s email address, limiting the exposure and disclosure risks associated with faxing to a physical fax machine.
HIPAA requires that careful attention be paid to data both in motion and at rest. All fax files at rest are encrypted using the 256-bit Advanced Encryption Standard (AES). To protect data in transit between the FAX.PLUS apps (currently mobile, API, or web) and our servers, we use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.
FAX.PLUS employs multiple levels of audit control — from secure and automatic archiving of all faxes sent or received through FAX.PLUS for the life of your organization’s account, to software and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Users can access the FAX.PLUS service by email or online only with a valid username and password combination, which is transmitted SSL-encrypted. An encrypted session ID cookie is used to uniquely identify each user. While a user is logged in, all communications with our servers are encrypted at all times.
Users have the option not to store their fax data on our servers. Once this option is activated, received faxes are delivered to the user by email and nothing is stored on our servers. The same applies to sent faxes: the fax data is deleted as soon as the transmission has completed.
At the end of a Covered Entity’s contract with FAX.PLUS, it may request that its data be deleted from the FAX.PLUS servers. No printed reports or paper copies are ever retained in our facility. If reports are ever printed to further support the Covered Entity, they are shredded immediately upon completion of the task that required the paper output.
Our datacenters are in locations conforming to the most restrictive security standards (ISO 27001), and they are part of the Cloud Security Alliance (CSA). They also conform to OCF Level 1, having completed the Cloud Controls Matrix, which maps to the following selected frameworks: COBIT, HIPAA / HITECH Act, ISO/IEC 27001:2005, NIST SP 800-53, FedRAMP, PCI DSS v2.0, BITS Shared Assessments, and GAPP.
We’re always assessing risks and improving the security, confidentiality, integrity, and availability of our systems. We regularly review and update security policies, provide our employees with security training, perform application and network security testing (including penetration testing), conduct risk assessments, and monitor compliance with security policies.
We sign a Business Associate Agreement (BAA) with users of our Enterprise plan.