CallTower and HIPAA
CallTower is fully committed to complying with relevant regulations. Should you wish for more information or clarification on any HIPAA-related issues that involve CallTower, please do not hesitate to contact the support department.
CallTower Patient Confidentiality and Security Measures
CallTower recognizes that the security of personal medical record information is of great concern to both patients and providers in the health care industry. To address these concerns, CallTower has implemented 3 levels of security for faxes:
- The CallTower system provides a full audit trail of faxes submitted and sent through the system. This information is visible online and optionally in confirmations returned to the sender of a message.
- CallTower accepts messages submitted to its systems in encrypted form, whether by SSL or signed email (PKI).
- CallTower does not give its customer service staff access to view patient-identifying content, and deletes messages with patient-identifying content immediately after their completion, based on a user-level setting indicating 'Delete image after completion'.
- CallTower authenticates its users and operators so that the appropriate rights and restrictions can be enforced for each user. CallTower uses both usernames and password protection in its authentication process.
- All CallTower servers are housed in secure environments, which can be accessed by approved personnel only.
CallTower does not retain copies of faxes containing patient health information. This is achieved by requiring clients who are covered entities to apply the following measures as prerequisites for transmitting patient-identifying health information through our systems:
- Use SSL or PKI to send messages to CallTower - CallTower enables SSL-secured communication to our Web Service servers and public-key encryption of email messages, so that potentially patient-identifying information can be submitted securely for faxing.
- Use the 'Delete image after completion' feature - This setting may be selected through your account sending preferences. It is intended to keep patient-identifying information on our servers no longer than is necessary to send a fax or to announce its failure (several minutes). When this feature is set, images of faxes sent through the service, as well as precursor and temporary files, will immediately be deleted from our servers upon completion.
- Avoid placing patient-identifying information into any data fields - Verify that patient-identifying information is only present in the body of the outgoing fax. All other parts of a transaction are retained indefinitely for billing and archival purposes. Since CallTower does not address HIPAA requirements in the handling of its archives, patient-identifying information must not reside anywhere except in the fax itself.
CT Fax Services
The Department of Health and Human Services (HHS), which governs the HIPAA regulations, defines electronic media as follows (45 CFR § 160.103):
Electronic media means:
(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
There is an important distinction between storage and transmission. HHS provides a 'conduit exception' for the transmission of PHI:
As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.
We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission.
CallTower's CT Cloud Fax and Masterfax are transmission delivery services that deliver the fax to the customer's email or onsite fax machine. Neither CT Cloud Fax nor Masterfax provides fax storage services for our customers. CT Cloud Fax receives the fax, converts it to an image and then sends it to the customer's email over an encrypted connection. The fax is not stored on the system. Masterfax provides a reliable extension of dial tone to a customer's onsite fax device, with no fax retention.
With both platforms, the fax is stored in the customer's email system or on their fax device. The customer is responsible for ensuring that their email system and/or fax devices meet the HIPAA Security regulations.
Despite this exception, CallTower takes security very seriously. As a result, CT Cloud Fax uses TLS encryption to deliver email to any encryption-capable mail server, such as Office 365 or most modern on-premises email platforms. For customers with onsite fax devices, Masterfax uses HTTPS-based encryption between your device and the Masterfax platform.