I believe the primary concern has been while the message is in transit, unencrypted routing over the internet vs. unencrypted over the phone line.
Note that there is a HIPAA approved email service called Direct, as in Direct Messaging / Direct Exchange / Direct Connect.
If everyone had a fax machine such that you'd commonly get a working fax receiver if you mis-entered the recipient's number, then #1 wouldn't be such a big deal. But in reality, if you enter a fax number, and the other end actually answers and responds with a screech, it's extremely likely that you're connected to the right party. (Also, I bet 99% of modern faxing is triggered by a nearby computer, or by pressing one of the preprogrammed speed dial buttons on the fax. There aren't that many opportunities to misdial the number in the first place.)
That second is also a big deal. There are no intermediate servers which may be caching and inappropriately storing the data, except maybe the NSA, but what can ya do. The sender may have a cache, in the form of a print spooler. The receiver may have a cache where it temporarily stores inbound faxes and prints them asynchronously. But since both of those devices are owned and controlled by the parties in the communication, that's not a legal issue.
I'm not advocating for faxes. They're a slow, clunky, lossy, pain in the ass. And yet, they do have specific properties that are pretty sweet. I guess the equivalent would be if I could ask you to send a PDF to my specific IPv6 address, and you could peer-to-peer shoot it directly to me. If I typoed the address at all, it's statistically "unlikely" that another person would be listening on that specific IP at that specific time. And if it were truly P2P, then you and I would be the only 2 who ever touched the file, except maybe the NSA, but what can ya do. Alas, I don't see that replacing fax machines any time soon.
That's not exactly complicated if either party owns a web server. Which - last I checked - the government has.
Just give the person who needs to send the sensitive documents a short link like uploaddocuments.gov, have that page ask for some basic identifying info, and have a box for the user to drag and drop a file. At which point the browser will p2p upload that file over HTTPS.
I don’t love faxes. This isn’t me saying we should keep them forever. We shouldn’t. Still, there are reasons they’re still widely used for medical stuff today. If CMS or HHS rolled out a new method and told doctor’s offices to start using it if they want to get paid, the industry would switch in a heartbeat. Short of that, any other alternative will take approximately forever.
Doesn’t that only apply to covered entities, which the internet is telling me does not include the Social Security Administration?
This is an indictment of email more than anything.
Fun fact, traditionally, police officers are called upon to use their discretion over blind enforcement. The mechanized enforcement of law, historically, has never done any favors for society.
“Hello sir, before we get started, for security measures, please provide this information about your account”
Hmm, I don’t have this on hand, let me log in to my account and look at the settings and read it verbatim back to you, proving I’m not compromising this user at all.
“Thank you, sir!”