Libraries, Fax Machines, and Data Security Obligations
Submission Date
Question
Outside of best practices for staff handling of sensitive documents, are public libraries otherwise bound by HIPAA, FERPA and SOX when sending faxes for patrons, in terms of the privacy protections provided (or not) by the type of fax technology?
Our library currently uses a traditional standalone fax machine (staff mediated) to send and receive public faxes across a dedicated copper phone line, so there’s a direct connection between receiver and sender, maintaining privacy during transmission. Faxing remains a popular service here largely for that reason -- patrons are often told by the fax destination that documents must be sent via fax and not scanned to email.
We’ve been told that copper phone lines will soon be eliminated, so we’re investigating fax-to-email services, which are cheaper than our current method and can use our public copier as the faxing device. However, the Forbes article linked below says faxing by email does not offer privacy protections: “Virtual fax introduces an intermediary into the fax process; there’s no direct connection between the sending and receiving parties. This can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).” The article cites an encrypted kind of fax by IP, “T.38 Fax Lines,” which we suspect would not be cost effective for us.
Are libraries bound by HIPAA et al in the type of faxing technology they can use?
Answer
This is a great question. Before we jump into it, let’s summarize the three types of faxing set out in the referenced article:
- “Walk-up Faxing” (on a copper line)
- “Virtual Fax” (it’s really email![1])
- “Real-Time T.38 Fax Lines” (still e-mail, but with a better connection)
The “T.38” as a “best practice” intrigued me, so I dug in to see if there was any case law featuring it.
There is! And it digs into the capability of the T.38: [2]
Defendant further attacks Richard’s credibility by claiming that his testimony reveals his failure to understand the intricacies of fax technology. These critiques are frivolous. For example, defendant claims Richard’s credibility is undermined by his allegedly inaccurate testimony that: (1) MessageVision used only the T.30 protocol; and (2) a device such as MessageVision’s that uses the T.38 protocol cannot use the T.30 protocol. Even if defendant is correct that Richard’s testimony reflects his limited comprehension of fax technology—a proposition that appears to be dubious at best—defendant’s argument is contradicted by the fact that his own expert admits that T.38 converts to T.30 when a fax is sent using APX 1000.
Well then.[3]
So, with “the intricacies of fax technology” now established as a legal niche, let’s take the questions about faxing and regulatory compliance acronym-by-acronym.
- FERPA
- HIPAA
- SOX[4]
1. Libraries, Fax Lines, and FERPA
FERPA does not apply to public libraries, so we’ll discuss it in the context of school libraries.
Academic libraries at institutions that receive federal assistance have to follow the “Family Education Rights Privacy Act,” which (among many other things) restricts third-party access to education records.[5]
As an example: if I am a student at ABC College, I need to borrow something via an inter-library loan, and (for some odd, steampunky reason) the lending library will only receive loan requests by fax, FERPA could restrict third-party access to the request, if the request lists me (the student) by name as the borrower.[6]
In this case, the manner in which the fax is sent (copper, email, fancy T.38) does not matter. What matters is that either a) I consented for my FERPA-protected education record to be shared with a third party or b) inter-library lending is set up in a way that makes lending libraries (sorta) part of the institution under 34 CFR § 99.31.[7]
After that, the fax simply has to be sufficiently secure to get it from point A (the library) to point B (the other library) without disclosure to a third party.[8]
So that’s FERPA.
2. Libraries, Fax Lines, and HIPAA
HIPAA and other laws related to medical privacy are important and high-stakes; the fine for a HIPAA violation is $50,000 dollars.
Before we delve into this, aside from a hospital librarian or librarian serving a program providing health services, there is NO CIRCUMSTANCE under which a public, academic or public library should be engaging in a HIPAA-governed communication.[9]
What do I mean by “HIPAA-governed communication?” Here’s the type of information governed by HIPAA:[10]
Individually identifiable health information
The term “individually identifiable health information” means any information, including demographic information collected from an individual, that—
(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
If your library is not transmitting this type of information,[11] you can stop sweating about HIPAA, even if patrons are using your fax to send it, or (at an academic library) the health center on campus has to abide by it.
Now, if you are a library in a teaching hospital, etc., here is the deal: your institution needs to step up and provide you with 100% assurance that you have the right policies, technology, and practices to be compliant.[12] This includes assurance of a fax line that is secure, which can be any of the three solutions, so long as it is set up right and maintained properly.[13]
So that’s HIPAA.
3. Libraries, Fax Lines, and SOX
While the accountants who audit your library or larger institution may (rightly) hold themselves to the standard set by “Sarbanes-Oxley” (SOX), which was passed in 2002 to protect investors in publicly traded companies, SOX does not govern the data transmission practices of a public or academic library.
But the mention of SOX in the Forbes article referenced in the question intrigued me—it says, “Virtual fax... can be problematic if your business has certain regulatory compliance requirements to support (for example, HIPAA, FERPA and SOX).”
So, I took a look to see if there has been a SOX case involving an insecure fax... and there is!
Here is what happened as told by Judge Denise Cote in Seybold v. Groenink:[14]
In October 2004, while the chairman of ABN’s Managing Board, defendant Rijkman Groenink, met with Federal Reserve Bank regulators in New York over the Eastern European transactions, he received a fax at the Ritz-Carlton Hotel concerning the results of an internal ABN investigation regarding Iran-Libya transactions. Groenink allegedly ordered his aides to destroy the report and to stop sending sensitive documents to the United States.
So, if you are at a library near a business school prepping students for stellar careers in international business... it may be helpful to show that we must all fax wisely.
Does this mean your library needs a T.38? No, but it does mean that asking questions and developing secure systems is important.
You may even want to do the research and see if you can fight to keep at least one copper line.[15] There is strength in having a diversity of technology.[16]
Thank you for an excellent question!
Update 7/23/2025: We received a followup question on this topic; read our answer here.
[1]^ For this question, I will assume that the academic library is using the institutionally assigned and controlled email, which is generally either an in-house service or a third-party provider with a contract that addresses privacy/security.
[2]^ This tech-takedown was issued by U.S. District Judge Robert Gettleman in Ira Holtzman, C.P.A., & Assocs. v. Turza in 2011. Citation: U.S. Dist. LEXIS 97666, 2011 WL 3876943.
[3]^ This paragraph is the judicial equivalent of what in videogames is called “pwnage.”
[4]^ FAX in FERPA, HIPAA in SOX... HIPPA with FERPA on FAX in SOX!
[5]^ Ask the Lawyer has tackled FERPA elsewhere, see: FERPA and NYS Privacy Laws and Patron Confidentiality in School Libraries for two examples.
[6]^ Why this would happen outside a hypothetical situation eludes me, but if you are at an academic library that includes patron names in ILL requests (aside from those enabled by an interconnected/automated ILS), please write adams@losapllc.com, because I am curious how that works.
[7]^ This section of FERPA is how institutions do things like use outside providers to held run residence halls, consult on student outcomes, and in general assist with institutional functions that require access to education records.
[8]^ This means the email used to send the virtual fax needs to be a secure, institutionally-controlled email on both ends, but one would hope that is not a heavy lift.
[9]^ A good resource to assess if you are at a HIPAA “covered entity” is at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html.
[10]^ See 42 USCS § 1320d.
[11]^ What your patrons are doing is their own business. Of course, if they have stolen the health information of a person and are now using your fax machine to engage in identity theft, the might a violation of your Code of Conduct (and about three laws), but it is still not an illegal act by the library.
[12]^ Seriously... this cannot be self-diagnosed. The lawyer for your institution should sign off on it.
[13]^ And with that, we have hit the threshold of my techy savvy.
[14]^ 2007 U.S. Dist. LEXIS 16994, 2007 WL 737502.
[15]^ I did. And yes, my law office still faxes. Like the article said, it’s still very much a thing.
[16]^ Look, sir. Look, sir. It’s our fax, sir. Let’s do tricks with lines and wires, sir. Let’s do tricks with code and lines, sir.
