RFax™ HIPAA Compliance

RFax™HIPAA Compliance Overview

This document is designed to provide a general overview of how Rival5 complies with current Health Insurance Portability and Accountability Act (HIPAA) requirements. Rival5 is not considered a “covered Entity” in regard to those requirements surrounding the handling of sensitive Patient Health Information (PHI). Per HIPAA definitions[1], Rival5 is considered a “Business Associate” of a covered entity and only needs to comply with requirements[2] related to the transport, storage, and destruction of digital PHI.

Transport or “Data in Motion.” With the exception of Email-to-fax, all RFax data/traffic on the Rival5 network is transported using secure HTTPS transmission that incorporates TLS[3] (versions 2 or 3); this includes data being transmitted via the fax API, Rival5 customer portal, viewmyfax.com portal, and Fax Enable ATA’s.

Storage or “Data at Rest.” All fax data that is sent or received on the Rival5 network is stored offsite in a Tier 3+ data center, operated by a partner, and secured using AES-256 encryption. Fax data will be kept up to a maximum of six (6) months then deleted.

Data Destruction. All deleted fax data, by the customer or Rival5, will be destroyed consistent with the National Institute of Standards and Technology (NIST) guidelines for media sanitization[4] such that the PHI cannot be retrieved.

Additional security considerations:

Customer Account Access. Rival5 will only discuss customer account information with authorized users.

Rival5 Administration Portal. The Rival5 administration portal is secured using HTTPS that incorporates the TLS protocol.

End User Fax Portal. The Rival5 RFax end-user portal is secured using HTTPS that incorporates the TLS protocol.

API. The Rival5 RFax API server is secured using HTTPS that incorporates the TLS protocol.