Journal Q&A (1/03)

Q: Is faxing patient information legal under HIPAA?

A: If the covered entity is permitted to release the information (for treatment purposes or by authorization, for example), then using a fax machine is allowed. The privacy rule requires the entity to provide appropriate administrative, technical, and physical safeguards to protect the privacy of PHI from use or disclosure in violation of the standard. An entity should establish facsimile policies to provide this protection. Such policies might include verifying the fax number of the recipient, requesting a call back when the fax is received, and placing the fax machine in a secure location.

The rule also requires that covered entities employ reasonable procedures. The Bureau of Policy Development of the Health Care Financing Administration (now Centers for Medicare & Medicaid Services) addressed the subject of transmitting physicians’ orders to healthcare facilities via fax machine in letter no. 90-25, dated June 1990:

The use of fax to transmit physicians’ orders is permissible. When fax is used, it is not necessary for the prescribing practitioner to countersign the order at a later date. Note, however, that fax copies may fade and may need to be photocopied. Healthcare facilities should be advised to take extra precaution when thermal paper is used to ensure that a legible copy of the physician’s order is retained as long as the medical record is retained.1
1 Hughes, Gwen. “Practice Brief: Facsimile Transmission of Health Information (Updated).” Journal of AHIMA 72, no. 6 (2001): 64E-64F. Available at
Source: Journal of AHIMA 74, no.1 (2003)