Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 13: Fax Transmittal of PHI


Medical Record Custodian: The person or department who is responsible for the maintenance, retention, access, data integrity, and data quality of PHI. The medical record custodian must ensure that the medical record(s) in their possession is maintained confidentially and only released with proper authority.

Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form or medium, including oral, written, and electronic. Individually identifiable health information relates to an individual’s health status or condition, furnishing health services to an individual or paying or administering health care benefits to an individual. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

Treatment, Payment, and Health Care Operations (TPO): Three core functions of providing health care to patients. Treatment involves the administering, coordinating and management of health care services by UTD for its patients. Payment includes any activities undertaken either by UTD or a third party to obtain premiums, determine or fulfill its responsibility for coverage and the provision of benefits or to obtain or provide reimbursement for the provision of health care. Health care Operations are activities related to UTD’s functions as a health care provider, including general administrative and business functions necessary for UTD to remain a viable health care provider. For a more detailed definition of TPO.


It is the policy of UTD to protect the facsimile transmittal of PHI and hold individuals responsible for following the proper procedure when PHI is sent via facsimile. UTD protects the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. This policy defines the minimum guidelines and procedures that must be followed when transmitting patient information via facsimile.


All personnel must strictly observe the following standards relating to facsimile communications of patient medical records:

  • PHI will be sent by facsimile only when the original record or mail-delivered copies will not meet the needs for TPO. For example, personnel may transmit PHI by facsimile when urgently needed for patient care or required by a third-party payer for ongoing certification of payment for a patient.
  • Information transmitted must be limited to the minimum necessary to meet the requester’s needs.
  • Except as authorized by the individual’s consent to TPO, or federal or state law, a properly completed and signed authorization must be obtained before releasing PHI General Uses and Disclosures Policy.
  • The following types of medical information are protected by federal and/or state statute and may NOT be faxed or photocopied without specific written patient authorization, unless required by law. Confidential details of:
  1. Psychotherapy (records of treatment by a licensed psychologist).
  2. Other professional services of a licensed psychologist
  3. Social work counseling/therapy
  4. Domestic violence victims’ counseling Sexual assault counseling
  5. HIV test (each release request.)
  6. Records pertaining to sexually-transmitted diseases or alcohol and drug abuse records protected by federal confidentiality rules

The Facsimile Cover Letter must be used to send faxes containing PHI. All pages plus the cover page of all confidential documents to be faxed must be marked "Confidential" before they are transmitted.

Personnel must make reasonable efforts to ensure that they send the facsimile transmission to the correct destination including:

  • Preprogramming frequently used numbers into the machine to prevent misdialing errors.
  • Periodically and/or randomly checking all speed-dial numbers to ensure their currency, validity, accuracy, and authorization to receive confidential information.
  • For a new recipient, the sender must verify the fax number by requesting the recipient submit a faxed or email request for PHI, which would include the fax number of the recipient.
  • Periodically reminding those who are frequent recipients of PHI to notify UTD if their fax number is to change.

Procedure for Faxes Sent Successfully:

For TPO purposes: The department sending the fax for TPO purposes is not required to maintain a copy of the fax transmittal or fax confirmation sheet. However, it is at the discretion of the department whether a copy is maintained for future reference.

For Non-TPO purposes: Medical record custodians must maintain the fax cover sheet and the fax confirmation sheet or activity report if the PHI is sent for non-TPO purposes (external).

The department sending the fax must account for the disclosure in accordance with the Accounting for Disclosure policy. The fax cover sheets should be routed to MRD for entry in the Accounting for Disclosure Database. (Accounting for Disclosure).

Procedure for Misdirected Faxes (for both TPO and non-TPO purposes):

  • If a fax transmission containing PHI is not received by the intended recipient because of a misdial, check the internal logging system of the fax machine to obtain the misdialed number.
  • If possible, a phone call (supplemented by a note referencing the conversation) should be made to the recipient of the misdirected fax requesting that the entire content of the misdirected fax be destroyed. If the recipient cannot be reached by phone, a fax using the Letter for Misdirected Fax should be sent to the recipient requesting that the entire content of the misdirected fax be destroyed.
  • The fax confirmation sheet or activity report should be sent along with the Misdirected Fax Cover Letter to MRD. It is the responsibility of the department sending the misdirected fax to forward this information to MRD.
  • Misdirected faxes will be recorded in the Accounting of Disclosure Database by MRD. (Accounting for Disclosure)

Receipt of Faxes Containing PHI:

  • Fax machines used for patient care or patient related services shall not be located in areas accessible to the general public but rather must be in secure areas, and the department director or designee is responsible for limiting access to them.
  • Each department is responsible for ensuring that incoming faxes are properly handled.
  • When receiving faxed PHI:
    • Immediately remove the fax transmission from the fax machine and deliver it to the recipient.
    • Manage PHI received via fax as confidential in accordance with policy.
    • Destroy or follow sender’s instructions for patient information faxed in error and immediately inform the sender.

Enforcement: All supervisors are responsible for enforcing this policy. Individuals who violate this policy are subject will be subject to the disciplinary process for faculty, staff, students, or volunteers.