Fax machines are still used in the medical community, and these days, faxing may be more secure than emailing as hackers have not yet cracked the task of hacking into old fax machines. All kidding aside, fax machines have been, and continue to be, a risk to organizations because they can store data, just like copy machines.
An individual who bought a fax machine at a resale shop took it home and printed the fax transmission sheet off the fax machine. When the individual did so, the fax machine printed the health information of 20 patients of a physician who is part of a health system in Michigan. The documents included the names, addresses, dates of birth, dependents, diagnoses, test results and insurance information.
The individual called the local TV station, which investigated and traced the fax machine back to the health system in Michigan. The health system confirmed that it uses a business associate to properly dispose of the fax machines in accordance with HIPAA, and had a certificate from the business associate that the information on the fax machine had been properly destroyed. However, apparently the business associate resold the fax machine without permanently destroying the information first.
Destruction of information on devices such as copy machines, USB drives, hard drives, laptops, fax machines, and other media is required by HIPAA, and the Department of Health and Human Services has issued regulations around the proper disposal of media so that it is unreadable and indecipherable. Covered entities and business associates are required to follow these regulations when destroying protected health information. Failure to follow the regulations could result in a fine or penalty by the Office for Civil Rights.