ExtraFax Cloud is compliant with some of the strictest security standards available: HIPAA and PCI DSS.
There are a number of ways customers can enhance security when sending faxes through ExtraFax Cloud, whether for HIPAA, PCI DSS or other purposes.
PCI DSS compliance
Some customers, such as banks, credit card companies, hotels and more, are required to follow PCI guidelines within their communications, as they transmit credit card data. Customers who require additional security on their account, regardless of the content in their faxes, can use ExtraFax Cloud's PCI compliant service.
Using our PCI-compliant service requires your users to be migrated to a separate sub-system at ExtraFax Cloud.
In order to enable PCI compliance for a user, please contact us, providing the user name(s) of the users you would like to migrate, and request that we change your user(s) to our PCI compliant service.
Once our support team applies the changes, you will need to do the following:
- Stop using email-to-fax:
Sending credit card data via email is not PCI compliant, and you will not be able to use this feature with a PCI user in ExtraFax Cloud.
- Integrate the PCI endpoint:
If you are currently using the ExtraFax Cloud API, you will need to change the API endpoint to the separate endpoint for the PCI fax API. Please note: some of the method names in the PCI fax API are different from the regular API.
HIPAA and other types of compliance
Some users, such as US healthcare entities who are required to abide by HIPAA guidelines and financial institutions worldwide, have enhanced privacy requirements from messaging providers such as ExtraFax Cloud.
While ExtraFax Cloud does not fall into any of the HIPAA 'covered entity' categories, as a potential Business Associate we have implemented several privacy-enhancing features and procedures, and suggest that you apply the following measures:
- Use SSL or PKI to send your message:
We enable SSL-secured communication to our Web Service servers via https://ws.interfax.net and public-key encryption of email messages so that potentially patient-identifying information can be submitted securely for faxing.
- Use the 'Delete fax after completion' feature:
This setting may be selected through your account sending preferences. It is intended to keep sensitive information on our servers no longer than is necessary to send a fax or to announce its failure (several minutes). When set, images of faxes sent through the service, as well as temporary files, will immediately be deleted from our servers upon completion.
- Don't place patient-identifying, or otherwise confidential, information into any data fields:
Make sure that confidential information is only present in the body of your outgoing fax. All other parts of a transaction are retained indefinitely for billing purposes, so don't insert confidential information anywhere except in the fax body itself.
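One way to enforce that last point before a request leaves your system is a pre-send check that scans every retained (non-body) field for card numbers and refuses to submit if any are found. This is an added example, not ExtraFax Cloud's code; the field names (`subject`, `reference`, `recipient_name`, `sender_name`, `body`) are assumptions, since the page does not list the API's actual fields.

```python
import re
from typing import Dict, List

# Hypothetical field names for an outgoing fax request. ExtraFax Cloud's real
# API field names are not given on this page, so these are placeholders.
BODY_FIELD = "body"
RETAINED_FIELDS = ("subject", "reference", "recipient_name", "sender_name")

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card-number candidates found in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def check_fax_request(request: Dict[str, str]) -> List[str]:
    """Return the names of indefinitely retained fields that carry a card number.

    An empty list means the request is safe to submit. The body field is not
    inspected: confidential data is allowed there and nowhere else.
    """
    return [f for f in RETAINED_FIELDS if f in request and find_pans(request[f])]


if __name__ == "__main__":
    # Constructed sample request; 4111 1111 1111 1111 is a well-known test number.
    sample = {"subject": "Payment for card 4111-1111-1111-1111", "body": "..."}
    print(check_fax_request(sample))   # ['subject']
```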