Some time ago, I had a post about how I was surprised that my new doctor in California had to have my old medical records transferred from Ohio by fax and not by any other more efficient electronic means. In the comments, lochaber suggested that this may be due to HIPAA and they were right.
The 1996 Health Insurance Portability and Accountability Act (better known by its acronym HIPAA) governs the use of people’s medical information. In particular, it lays down rules for protecting patient privacy and specifies the safe and secure ways for health care providers to share patient information, with stiff penalties for violating patient confidentiality. The HIPAA list included faxes because at that time that was the most secure way of transmitting information. So even though we now have more secure ways of transmitting data via email and other electronic means, medical providers still use faxes.
The pandemic has made this a much more serious problem than before because keeping track of people who have tested positive for covid-19 has become an urgent matter and using faxes results in delay, duplication, and errors, as discussed in this segment from the radio program On The Media.
More than half a million coronavirus tests are being performed in the United States every day. For each of those tests, there is a person with a name, address, contact information, and perhaps even health history. Ideally this crucial data travels between clinics and labs, to officials and contact tracers, via the internet. Often, though, it’s faxed.
Apparently fax machines are being overwhelmed, spewing out so much paper non-stop that they are falling on the floor. Some offices have had to buy new fax machines to keep up with the load.
Clearly the law needs serious updating.
blf says
I’ve never considered faxes secure. The problem I have is illustrated by a story from last century. I was working at my company’s office in Europe, and for (legitimate) reasons I don’t now recall, my company’s main office in the States needed the details of my States-side bank account. They asked me to fax the details. I point-blank refused, pointing out individuals other than the intended recipient would see and could read the fax — e.g., the mailroom staff on both sides of the pond who operate the machines.
Whilst I as the sender or receiver may be able to control who sees the fax on my end (I wasn’t so able in the above story), I’ve no knowledge of who sees the fax on the other end. For perhaps many situations this perhaps isn’t a big deal, but for some sensitive data, such as bank details, it is. (Nowadays, you can send and receive faxes from a computer, which can change the security / risk calculus; back then, at least for that incident, it wasn’t an option.)
Owlmirror says
Those are seriously out-of-date offices. Modern fax systems can store the fax digitally, to be printed later or added to an electronic file as necessary.
sonofrojblake says
“Some offices have had to buy new fax machines”
Where from? The same place they get their cassette Walkmans and NESs presumably.
Marcus Ranum says
HIPAA is rooted in late-1990s security; the FAX was because it’s a point-to-point connection; email at that time had no integrity or confidentiality. It still doesn’t. In fact security is still passwords and point-to-point connections.
The government ought to have learned how to build enclaved value-added single-purpose networks to serve as interchanges for e-voting, medical information, congressional email, etc. but there were “cost savings” in using the internet and phone networks -- cost savings vastly offset by management costs for trying to secure communications over shitnet and to keep the curious out. The only reason it hasn’t been a disaster like everything else is because hackers prefer credit card data and patient information is only of interest to insurers, who get what they want in other ways.
It’s just one example of many where expedient solutions were kludged into place and will eventually cost many times more than doing it properly. Meanwhile DHS/FBI fusion centers have the best gear and a massive private network. Priorities are pretty obvious.
Marcus Ranum says
New fax systems convert to a PDF, do a text recognition, and email the result to the recipient. In other words, FAX is email over 4800baud modem -- it’s uucp with PDF instead of uuencode. Of course there are FAX systems that use VANs or WAN gateways to send the message 99.9% of the way there over TCP/IP before bungeeing out and doing the last mile over analog. You can’t make this shit up, it’s as stupid as a giraffe’s vagus nerve.
Marja Erwin says
Is this always why they rely on phones for everything?
So many times I’ve had to use the email contact and explain, “hi, I can’t use phones, is there another way to check whether you accept medicaid/ask about accessibility/schedule an appointment?” “If you are having trouble, please call us at …” “hi, I can’t use phones, is there an accessible alternative?” “please call us at …” “Sorry, but I can’t use phones.” “In that case, call us at …”
Tabby Lavalamp says
You’d be surprised by how many businesses still use faxes. Heck, it’s enough that fax spam is still a thing.
lochaber says
I don’t really have anything substantial to add, but just wanted to say thanks for the mention, I’m flattered! 🙂
machintelligence says
Want a fax machine? Just buy any “all in one” printer.
There are dozens of models out there.