Are Fax Transmissions Covered Under 201 CMR 17.00?

Massachusetts Privacy Protection Law 201 CMR 17.00, which goes into effect March 1, 2010, does not specifically call for the encryption of fax transmissions, nor does it specifically mention how fax transmissions should be handled.  With that said, the intention of the law was NOT to exempt fax transmissions of personal information (PI) from consideration when creating a Comprehensive Information Security Program (CISP).  There are a couple of sections in the regulations that do refer to the transmission of PI and therefore, one could reasonably assume, that the Commonwealth would have you consider these sections when considering your organizations policy around the handling of fax transmissions containing PI.

Here’s a few things to consider when you begin encorporating fax policies into your Comprehensive Information Security Program.

When transmitting PI outside your organization, to third party vendors in particular….

  • Taking reasonable steps to select and retain third?party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

Section 17:03.2f.2

  • Requiring such third?party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person’s behalf satisfies the provisions of 17.03(2)(f)(2) even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as said person entered into the contract no later

When transmitting PI within the organization…

  • Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks.

Section 17:03.2.g

  • Reasonable restrictions upon physical access to records containing personal information,, and storage of such records and data in locked facilities, storage areas or containers.

Section 17:04.3

  • Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

Things Your Organization Should Consider

When considering incorporating fax policies into your CISP, there are some considerations that will fall under best practices.  I believe the handling of fax transmissions should be considered as such an area.  Here are a few questions to answer.

  • Is the fax machine using Plain Old Telephone System?
    • If so this would not be considered a public transport but rather a private, 2nd party connection.  Therefore it would not fall under Section 17.04.3. However, from a best practices approach you need to consider how the process of transmitting PI via fax is going to be handled within your organization to insure that the risk of exposing PI s minimized.
  • Where is the fax going? Is the recipient another fax machine or is it an email account or an eFax account?
    • If the transmission is going to another fax machine then putting a process in place for handling faxes should suffice to meet the requirements of 201 CMR 17.00.  However, if the recipient is an email account or an eFax account you may also need to consider the requirements for encryption of the PI stored on the recipients computer as specified in Section 17:04.5 Encryption of all personal information stored on laptops or other portable devices.
  • From a best practices process approach to handling fax transmissions you should consider.
    • Maintaining transmission and transaction log summaries.
    • Verify all destination numbers prior to any transmission.
    • Notify recipients that a fax containing PI is on the way prior to its transmission.
    • Confirm with the recipient that the fax was delivered (email or phone).
    • Store received faxes in a secure location
    • Insure that a cover sheet is included with every fax containing PI and that the cover sheet clearly states that there is PI contained in the transmission
    • All fax machines should be placed in a secure area and should not be generally accessible
    • Insure that fax transmissions are sent to secure destinations.  At a minimum, the recipient should be following the same security procedures as your organization.
    • Maintain a copy of the confirmation sheet or the fax transmission

While it might be easier to take the approach that says, “the regulation didn’t specifically state how we should handle fax transmissions, therefore they must have excluded that on purpose”,  we know that’s not the spirit of 201. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Let’s roll up our sleeves here and do a bit of heavy lifting here.  Even if it’s only to get that fax into a secure area……

Special thanks to the MA 201 CMR 17 Data Privacy and Protection Laws group on Linkedin for all the input.

Previous ArticleThe 201 CMR 17.00 Compliance Deadline of March 1, 2010 Is Rapidly Approaching. Next ArticleMassachusetts group to pay $1.5M HIPAA settlement