Unlike the privacy rules, the HIPAA security rules do not apply to all PHI. Rather, the HIPAA security rules only apply to PHI that is in an electronic form. Electronic PHI includes individually identifiable health information that is transmitted by electronic media, maintained in electronic media or maintained in any other form or medium.
Definition of electronic media. Electronic media is defined by the security rules as:
1. electronic storage media including computer hard drives, and any removable/transportable digital memory medium such as magnetic tape or disk, or digital memory card; and
2. transmission media used to exchange information already in electronic storage media, for example extranet, leased lines, dial-up lines, private networks; and the physical movement of removable/transportable electronic storage media.
Certain transmissions, such as paper-to-paper faxes, person-to-person telephone calls, video teleconferencing and/or messages left on voice mail, do not constitute transmission by "electronic media" and, accordingly, are not subject to the HIPAA security rules.
Note that this exception for paper faxes applies even if the receiver of the transmission receives the fax via computer.
Source: 45 C.F.R. § 160.103; CCH Employee Benefits Management Directions, Issue No. 513, April 3, 2012.