Question about HIPPA and faxes...

  1. I am sure there will be someone out there who can help me find the answer to this question...

    We were told today at work that EVERYTHING we fax must have a cover sheet on it. This is suppose to include information faxed internally too. Our physician order sheets are carbon-less copies that we pull the copy off and fax the med orders to our pharmacy. Now we are told that even those papers will have to have a cover sheet. We fax AT least 100 times to pharmacy in 12 hour shift....sure seems like an awful lot of paper waste. I totally understand the need to have cover sheets when we are faxing something outside of our facility, but internally? Please, someone tell me that our administration is going overboard with this. They have a tendency to do that....Thanks...
    •  
  2. 16 Comments

  3. by   P_RN
    Going to a paperless system seems to be using more paper than before. I don't recall internal faxes needing cover sheets....is this an internal rule? I do know the fax machines have to be in a secure place, not visible to passers by
  4. by   researchrabbit
    Can you have one generic cover sheet that you use? I think what they are trying to avoid is someone walking by the fax machine and seeing a patient's name.
  5. by   Scott_T
    I'm not a lawyer, but am familiar with HIPAA privacy rules. It would seem to me that internal faxes needing cover sheets would be a little overboard. HIPAA allows for what is called "incidental disclosure", so even if someone other than the intended recipient were to pick up a fax not intended for them, it could be considered "incidental disclosure." It sounds like they are simply trying to cover their rears without fully understanding the intent of the new rules. As someone echoed earlier, an external fax I could understand, but one to the pharmacy? Sounds excessive to me.
  6. by   Talino
    I'm am not making a comment to dispute nor debate your administration's decision. Unless you sit with them in a policy decion-making capacity, I'd rather find a way to abide by it.

    Anyhow here's a fact about HIPAA and FAX...
    http://www.hipaadvisory.com/action/faxfacts.htm

    ... as you can see, it's not only about a "privacy disclosure cover sheet"

    If you use ONE cover sheet preprinted with the addressee name (maybe printed in a bright colored paper) and enclose the same one with every Fax transmission, you won't be using too many paper. As for the recepient receiving an extra page, recycle them. Eventually it'll become a habit.
    Last edit by Talino on Nov 19, '02
  7. by   deespoohbear
    Thanks for all the replies. The fax machine is behind the nurses' station and not accessible to the public. Somebody would need to have Superman vision to be able to read the names from the fax. We have a generic sheet that we can use over and over, but it sure is going to be a lot of paper for the pharmacy. Our department actually does a lot more faxing out than receiving faxes. Plus, how are we going to prove in the patient's chart that the information we faxed actually got to the intended recipient? The way I see it, unless we put some kind of record in the patient's chart there really isn't anyway to prove that fax got to where it was suppose to be. Anyone else totally lost now?
  8. by   WashYaHands
    After reading the info on the web site that Talino posted, it seems that the purpose of the cover sheet your administration is requiring is a tool to decrease the incidence of a fax being sent to the wrong dept. (Incidental disclosure). I agree with above posters in using a generic cover sheet for each dept. that you send faxes to, color coding these would save time. For example, a generic yellow cover sheet always goes to pharmacy, a generic pink cover sheet always goes to respiratory, etc. You can reuse the cover sheets, and wouldnt have to fill one out for each fax you send.
  9. by   Talino
    Plus, how are we going to prove in the patient's chart that the information we faxed actually got to the intended recipient?
    ... you get a confirmation receipt of each Fax transmissions don't you? Well, if this would really be an issue, you may need to start storing these receipts or attaching it to every faxed item. Now we're talking real mountains of paperwork eh? Hmmmm, reminds me of receipts I keep for a dubious "tax" audit.

    Most likely your administration has already in place a HIPAA compliance protocol. Your concerns are legit but let your bosses worry about it and be worthy of their fat checks. Your patient is more interested in your TLC.:kiss
  10. by   Scott_T
    We're all talking about a standard that has not even been published. The HIPAA security guidelines are still "proposed", not official. My personal belief is that the color coded cover sheets might complicate the issue and you'll end up sending something to a location you didn't intend to through the use of these prepepared cover sheets. Obviously, if it's the policy of your organization to always use a cover sheet, then always use a cover sheet.

    That said, if I remember correctly, the original question was whether or not this particular administration was going overboard or not. In my opinion it is. By the way, I see nothing on the website mentioned (which, by the way is simply one lawyer's opinion), that says you have to use a cover sheet. Maybe I'm missing it, but I don't think so.

    In general, people have way overblown what is required by HIPAA. 98% of it is about taking reasonable steps to protect PHI. The most important thing to remember is that no policy should negatively affect patient care. If a particular administration's policy does that, they need to find other ways to comply with HIPAA.
  11. by   Talino
    Originally posted by Scott_T
    We're all talking about a standard that has not even been published. The HIPAA security guidelines are still "proposed", not official.
    Check this out..

    http://www.hhs.gov/news/press/2002pres/hipaa.html

    ...even granting it is still "proposed", then it's justifiable for an organization to go "overboard." You'll never know what's what.

    Originally posted by Scott_T
    By the way, I see nothing on the website mentioned (which, by the way is simply one lawyer's opinion), that says you have to use a cover sheet. Maybe I'm missing it, but I don't think so.
    "ADMINISTRATIVE PROCEDURES
    Include a pre-printed confidentiality statement on all fax cover sheets. The statement should instruct the receiver to destroy the faxed materials and contact the sender immediately, in the event that the transmission reached him/her in error."

    I guess if you don't use a cover sheet, it's "do whatever you want with it for the recipient", eh?

    You're correct he's a lawyer all right, but check out his bio in the bottom of this page...

    http://www.hipaadvisory.com/action/l...tm#SteveFoxBio

    I sure wouldn't mine an expert's opinion.

    Originally posted by Scott_T
    In general, people have way overblown what is required by HIPAA. 98% of it is about taking reasonable steps to protect PHI. The most important thing to remember is that no policy should negatively affect patient care. If a particular administration's policy does that, they need to find other ways to comply with HIPAA.
    Your absolutely right , thanks to a free info site...

    http://www.hipaadvisory.com/regs/index.htm
  12. by   NRSKarenRN
    Does the originator of this ruling realize that you fax 100 times a day to pharmacy just from your ONE unit? Tha'ts 100 coversheets x 5 nursing units =500 extra pieces of paper???

    As long as used INTERNALLY within your institution to a PREPROGRAMED fax number, a coversheet shouldn't be necessary. If you are faxing to an infrequent location, a coversheet would be a good idea in case fax # is changed or down. All faxes OUTSIDE your facility, especially to physician offices should have a cover sheet.

    Agree with Scott:
    HIPAA allows for what is called "incidental disclosure", so even if someone other than the intended recipient were to pick up a fax not intended for them, it could be considered "incidental disclosure."
    YEs, you need to have a preprinted confidentiality statement on all fax cover sheets. The statement should instruct the receiver to destroy the faxed materials and contact the sender immediately, in the event that the transmission reached him/her in error

    Some of the facilities our intake department get faxes from have notices that state to refax information back to the sender. Other coversheets (including my own agency) request them returned via U.S. MAIL--- with the idea that return this way guarantees that they've been returned to you. Told my VP that was hogwash as anyone could copy and distribute the errant fax even with such a notice and that NO ONE has ever followed this policy. Most error recepients call then fax back the info to our department. (Mostly its that we sent a Pittsburgh referral to our NJ office etc).

    If you DO do a lot of faxing to outside sources, I suggest a standard cover letter with offices names/fax number listed. You can then just circle the appropriate party and have correct number to fax --right on the form. Since we send a great many Verbal orders and plans of treatment needing signature to same docs weekly, we just white out date and add current one--- after a few days we use fresh copy. We keep a copy of forms for each doc listed in an aphabetical filebox--one copy in plastic sheet so we know to copy last one.

    We also have a form used to fax hospital discharge planners (DP) to notify them of a homecare patients admisson--it contains with top 10 hospitals DP/case mgmt names and numbers--just check the facility, add pts name and DOB and secretary faxes. We keep faxed sheet in chart as proof of hospital coordination---also that we want our patient BACK.
    Last edit by NRSKarenRN on Nov 19, '02
  13. by   deespoohbear
    NRSKarenRN-

    I knew you would have an answer for me. Thanks. No, I don't think the people making this rule up have even considered the fact that our fax machine goes practically non-stop to pharmacy from 7am-10pm, and then some. The pharmacy fax is a preprogrammed number, it is actually the number one button on the preprogrammed keys. The funny thing is, half the time the pharmacy can't read what is on the faxed copy anyway and call us for clarification...

    I am really starting to dread this HIPAA thing. I think it will go to far the other way and the people who have a right to know will have to jump through hoop after hoop to get just the basic information....This will probably be something else that will drive people away from nursing and other healthcare occupations...
  14. by   Scott_T
    Originally posted by Talino
    Check this out..
    I'm not sure what you wanted us to check out on the HHS web site, but here is a quote:
    "Security standards. In August 1998, HHS proposed rules for security standards to protect electronic health information systems from improper access or alteration. In preparing final rules for these standards, HHS is considering substantial comments from the public, as well as new laws related to these standards and the privacy regulations. HHS expects to issue final security standards shortly."

    If you know your HIPAA history, you'll know that these security standards have been expected for quite some time and keep getting delayed. Also, for those that are not aware, the privacy regulations were changed substantially between the final draft proposals and the published provisions. The incidental disclosure rule I mentioned earlier is an example of something that substantially changed at the very end. HIPAA consultants like Mr. Fox were portending gloom and doom for YEARS prior to the release of the privacy regs. We were told for example, that we would be unable to discuss patients except in soundproof rooms. The way the original regs were written, one could well have interpreted things that way. Now, common sense has prevailed and it's business as usual in this regard. We are able to discuss patients pretty much as we've always done. The point is that EVERYTHING in relation to the security regs, including this lawyer's website, is speculation at this point. We simply don't know what the final rules are going to say in regard to this issue. To insinuate otherwise is misleading.

    Originally posted by Talino
    "ADMINISTRATIVE PROCEDURES
    Include a pre-printed confidentiality statement on all fax cover sheets. The statement should instruct the receiver to destroy the faxed materials and contact the sender immediately, in the event that the transmission reached him/her in error."
    I think you're misinterpreting this. It's one thing to say that all fax cover sheets should have a confidentiality statement, it's another entirely to assume from that statement that coversheets are required in all circumstances. I fully agree that when faxing anything containing PHI to someone outside the organization, that a confidentiality statement is needed. I don't agree that such a statement is needed if the fax is sent internally. Generally all hospital employees sign a confidentiality agreement as a condition of employment. As such, my opinion is that adding confidentiality statements to internal paperwork is unneeded and a waste of time and paper.

    Originally posted by Talino
    You're correct he's a lawyer all right, but check out his bio in the bottom of this page...

    http://www.hipaadvisory.com/action/l...tm#SteveFoxBio

    I sure wouldn't mine an expert's opinion.
    There's nothing wrong with opinions; I like opinions. Just don't decide his opinion is gospel because the guy's a lawyer with some healthcare experience. Even Mr. Fox has a disclaimer on his website that says:
    "Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice."

    That's good advice. There are often state provisions that conflict with, or supersede HIPAA, so it's always advisable to have your own "expert" review this before drawing any conclusions.

    To me making policies to coincide with provisions of a proposed rule that won't be enforced for at least 2 years is a bit excessive. What's to say the provisions won't change? Personally, I'll wait till things are finalized before changing any of my policies. (I'm the HIPAA Security Officer for my organization.)

    Originally posted by Talino
    Your absolutely right , thanks to a free info site...
    I don't think I understand this comment, but your posts sure are starting to sound like an add for the website you quoted! I'm not saying there's anything wrong with that site in particular, but putting all your eggs in one basket, (so to speak) is never a good idea.

    Thanks,
    Scott
    Last edit by Scott_T on Nov 19, '02

close