Recently Asked Questions (RAQs)

Outside of best practices for staff handling of sensitive documents, are public libraries otherwise bound by HIPAA, FERPA and SOX when sending faxes for patrons, in terms of the privacy protections provided (or not) by the type of fax technology?

Our library currently uses a traditional standalone fax machine (staff mediated) to send and receive public faxes across a dedicated copper phone line, so there’s a direct connection between receiver and sender, maintaining privacy during transmission. Faxing remains a popular service here largely for that reason -- patrons are often told by the fax destination that documents must be sent via fax and not scanned to email.

We’ve been told that copper phone lines will soon be eliminated, so we’re investigating fax-to-email services, which are cheaper than our current method and can use our public copier as the faxing device. However, the Forbes article linked below says faxing by email does not offer privacy protections: “Virtual fax introduces an intermediary into the fax process; there’s no direct connection between the sending and receiving parties. This can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).” The article cites an encrypted kind of fax by IP, “T.38 Fax Lines,” which we suspect would not be cost effective for us.

Are libraries bound by HIPAA et al in the type of faxing technology they can use?