This policy is listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Facility Access Controls – Faxes Policy

Reference: 45 CFR § 164.312(a)(1)
Last Updated: July 5, 2023


Goal: Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems.

The purpose of this policy is to establish a procedure for transmission of protected health and financial information (PHI) via facsimile (fax) or other means of electronic transfer, to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its accompanying regulations, and to protect the confidentiality and integrity of PHI as required by State and Federal law, professional ethics and accreditation agencies.


Procedure: We recognize and respect the fact that the patient has a right to privacy and that all information release from this office will follow the following procedures:

  • Obtain a written authorization for any use or disclosure of individually identifiable health information made via facsimile machine or software when not otherwise authorized by federal or state law or regulation.
  • Attach a cover page and fill the appropriate blocks prior to sending the information. Our present statement instructs the receiver to destroy the faxed materials and contact the sender immediately, in the event that the transmission reached him/her in error or to sign the cover page and fax back to indicate proper receipt.
  • Ensure the fax transmission is sent to the appropriate destination. Use pre-program destination numbers whenever possible to eliminate errors in transmission from misdialing.
  • Check the recipient's fax number before pressing the send key. When PHI is faxed to a destination number that is not pre-programmed, the fax machine operator will double check the accuracy of the number in the machine’s display before sending the fax.
  • Contact the receiver and ask that the material be returned or destroyed if the sender becomes aware that a fax was misdirected.
  • Contact the receiver and ask that the material be returned or destroyed if the sender becomes aware that a fax was misdirected.
  • Check confirmation. Transmittal sheets will be checked immediately after each transmission of PHI to assure that the information was sent to the correct number. If an error is detected, the sender must immediately act to correct the error, and report the error, to the Privacy Officer.
    • Attach cover page with receiver’s signature and file; or
    • Call receiver to confirm proper transmission. Annotate original cover page and file.
  • All fax machines will be placed in areas that are under continuous supervision or require security keys, badges, or similar mechanisms in order to gain access.
  • Periodically we will remind regular fax recipients to provide notification in the event that their fax number changes.

Whenever possible we will store and review periodically audit controls, like fax transmittal summaries and confirmation sheets to confirm/eliminate unauthorized access or use.

Simplify Your Compliance with
Software and Guided Coaching
Let your patients and clients know that you take HIPAA seriously with the HIPAA Seal of Compliance for your website, storefront, and marketing materials.

Get instant access to HIPAA Compliance News and Updates

You'll get your first checklist as soon as you sign up!

overlapping hands

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram