HIPAA-Compliant Fax: What Healthcare Orgs Must Know
HIPAA-compliant fax explained: Security Rule requirements, BAA obligations, T.38 vs G.711, five vendor questions to ask, and a setup checklist for healthcare.
Fax never left healthcare. It predates email in clinical workflows, it is explicitly accepted under HIPAA, and it carries billions of pages of protected health information every year. The compliance question is not whether healthcare can fax — it can — but whether the fax infrastructure in use actually meets the Security Rule.
Why healthcare still faxes in 2026
Industry estimates put US healthcare fax volume at roughly nine billion pages per year. That number sounds archaic, but the reasons it persists are structural.
First, the HIPAA Security Rule does not prohibit fax. Traditional fax — point-to-point over the PSTN — was grandfathered into healthcare long before the Security Rule was finalized in 2003. Covered entities built EHR integrations, order workflows, referral processes, and prior-authorization pipelines around fax. Changing those workflows requires not just new software but negotiated changes with hospitals, insurers, and government payers that also fax.
Second, fax carries an implicit encryption assumption most staff understand intuitively: the document travels point-to-point, nobody intercepts it in transit. That model holds for traditional PSTN fax, which is why fax survived while unencrypted email did not become the PHI standard.
Third, CMS and most state Medicaid programs still accept — and sometimes require — fax for prior authorizations, lab referrals, prescription transfers, and forms that were never digitized.
What HIPAA actually requires for electronic fax
The technical safeguards of the HIPAA Security Rule (45 CFR § 164.312) apply to electronic protected health information — ePHI — whether it is stored or transmitted. Traditional PSTN fax is technically analog at the endpoint and has historically received informal tolerance from OCR, but cloud fax and online fax services store and process ePHI digitally and fall squarely under the Security Rule.
That means any cloud or internet fax service handling PHI must implement the following required standards from § 164.312:
- Access controls (§ 164.312(a)(1)) — only authorized users should be able to send or receive faxes containing PHI. Role-based access to fax inboxes, not a shared departmental login.
- Audit controls (§ 164.312(b)) — the system must record who sent and received what, and when. Logs must be retained for a minimum of six years and must be tamper-evident.
- Integrity (§ 164.312(c)(1)) — ePHI must not be altered or destroyed in unauthorized ways during storage or transmission. Immutable storage satisfies this.
- Transmission security (§ 164.312(e)(1)) — ePHI must be guarded against unauthorized access during transmission. Encryption is the standard mechanism. While the Security Rule technically labels encryption as “addressable” rather than “required,” an addressable implementation standard means you must implement it or document a specific alternative rationale. For fax over the public internet, there is no credible alternative. AES-256 at rest and TLS 1.2+ in transit are the baseline.
The BAA requirement
Any cloud fax vendor that stores, processes, or transmits PHI on behalf of a covered entity is a business associate under HIPAA. Before routing a single fax containing PHI through a cloud fax platform, the covered entity must have a signed HIPAA BAA in place with that vendor.
Under 45 CFR § 164.308(b)(1), a valid BAA must establish that the business associate will:
- Use and disclose PHI only as permitted under the agreement and as required by law
- Implement appropriate administrative, physical, and technical safeguards for ePHI
- Report security incidents and breaches to the covered entity
- Ensure any downstream subcontractors also comply with HIPAA
- Return or destroy PHI at the termination of the agreement (or document why destruction is infeasible)
If a vendor declines to sign a BAA, using that vendor for PHI fax is not a gray area — it is a violation, regardless of marketing claims about “security” or “compliance.” The BAA is the legal instrument that transfers HIPAA obligations to the vendor. Some vendors only sign BAAs on enterprise tiers; confirm BAA availability before evaluating features.
T.38 vs G.711 fax over IP — why it matters for healthcare
When fax travels over an IP network — which it does for every online fax service — two transport protocols are in use: T.38 and G.711 passband.
T.38 is the ITU-T standard designed specifically for fax over IP. Its transport, UDPTL, carries redundant copies of recent fax data in each packet so the receiver can detect and recover from packet loss in real time. The fax session is carried at the native fax protocol layer, with error correction built in.
G.711 passband transmits fax tones using a voice codec — essentially carrying the analog fax signal as if it were a phone call. G.711 has no fax-specific error correction. Packet loss on a G.711 fax session produces corrupted pages, dropped characters, or failed transmissions.
HIPAA does not name either protocol, but the compliance implication is practical: failed transmissions mean retransmissions — each one another window where PHI is in transit, another entry in the audit trail (or gap in it), often triggering manual resends by clinical staff. T.38 produces materially lower error rates than G.711 over the public internet. When evaluating vendors, confirm T.38 is the default transport, not an add-on that requires separate configuration.
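The difference between the two transports is easier to see in a small simulation. The following is an added example, not code from the article or from any fax vendor: it models a fax page as one scanline per packet, models T.38's UDPTL redundancy as each packet carrying copies of the previous few payloads (UDPTL's secondary-IFP redundancy mode, simplified; this is not a real T.38 implementation), and models G.711 passband as a plain stream where a lost packet is a lost scanline. The page contents, loss patterns and redundancy depths are constructed.

```python
"""Simplified model of UDPTL redundancy (T.38) versus G.711 passband under packet loss.

Added example; not a real T.38 or G.711 implementation. Each "scanline" stands in
for one IFP payload, and the redundancy depth stands in for how many previous
payloads a UDPTL packet repeats as secondary IFP packets.
"""
from dataclasses import dataclass, field


@dataclass
class UdptlPacket:
    seq: int
    primary: bytes
    # Copies of the previous payloads, newest first (seq-1, seq-2, ...).
    secondary: list = field(default_factory=list)


def make_page(lines: int) -> list:
    # Constructed sample fax page: one byte string per scanline.
    return [f"scanline-{i:03d}".encode() for i in range(lines)]


def udptl_send(page: list, redundancy: int) -> list:
    """Build the packet stream: each packet repeats the previous `redundancy` payloads."""
    packets = []
    for seq, payload in enumerate(page):
        secondary = [page[seq - k] for k in range(1, redundancy + 1) if seq - k >= 0]
        packets.append(UdptlPacket(seq, payload, secondary))
    return packets


def udptl_receive(packets: list, lost: set, total: int) -> list:
    """Reassemble the page. A lost packet's payload can still be recovered from the
    secondary copies carried by any of the next `redundancy` packets that did arrive."""
    received = {}
    for p in packets:
        if p.seq in lost:
            continue  # this packet never arrived
        received.setdefault(p.seq, p.primary)
        for k, copy in enumerate(p.secondary, start=1):
            received.setdefault(p.seq - k, copy)
    return [received.get(seq) for seq in range(total)]


def g711_receive(page: list, lost: set) -> list:
    """G.711 passband has no fax-aware recovery: a lost packet is a lost scanline."""
    return [None if seq in lost else line for seq, line in enumerate(page)]


def missing_lines(result: list) -> list:
    """Indices of scanlines that never made it to the receiving fax."""
    return [i for i, line in enumerate(result) if line is None]


def compare(lines: int, lost: set, redundancy: int) -> dict:
    """Run the same loss pattern through both transports and report what each lost."""
    page = make_page(lines)
    t38 = udptl_receive(udptl_send(page, redundancy), lost, lines)
    g711 = g711_receive(page, lost)
    return {"t38_missing": missing_lines(t38), "g711_missing": missing_lines(g711)}


if __name__ == "__main__":
    # Isolated losses: UDPTL with depth 2 recovers everything; G.711 drops two lines.
    print(compare(20, {5, 12}, redundancy=2))
    # A burst longer than the redundancy depth defeats recovery for the oldest packet.
    print(compare(20, {5, 6, 7}, redundancy=2))
    print(compare(20, {5, 6, 7}, redundancy=3))
    # Losing the final packet: no later packet exists to carry a copy (model limitation).
    print(compare(20, {19}, redundancy=2))
```

The second and third runs show the practical point: redundancy recovers isolated loss, but a burst longer than the redundancy depth still costs a scanline, which on a real session becomes a corrupted page or a retransmission, so the network path matters even with T.38.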
Five questions to ask any fax vendor before signing
Compliance marketing language is ubiquitous. “Secure fax,” “enterprise-grade,” and “healthcare-ready” are not HIPAA compliance claims. These five questions cut through it:
1. Do you sign a BAA at this pricing tier? Get the answer in writing before the sales process advances. Request a sample BAA for legal review. Vendors committed to healthcare customers do not hesitate on this question.
2. Is PHI stored encrypted at rest using AES-256 (or equivalent)? Encryption at rest protects fax pages stored on the vendor’s servers — inbox images, sent confirmations, transmission logs. Ask where fax images are stored and whether encryption keys are customer-controlled or vendor-managed.
3. Do you support T.38 for fax transmission? As discussed above, T.38 reduces transmission errors and retransmits. Confirm T.38 is the default transport, not an enterprise add-on.
4. Do AI transcription or OCR features operate within BAA scope? Many modern fax platforms offer AI-powered features: OCR to make fax pages searchable, AI transcription to extract clinical data, smart routing that reads fax content to direct pages to the right inbox. These features process PHI. Confirm they operate within the BAA boundary — meaning the vendor’s AI pipeline is covered by the BAA, not routed through a third-party AI provider outside the agreement.
5. What is your breach notification SLA? HIPAA requires covered entities to notify affected individuals within 60 days of discovering a breach. Your vendor must notify you in time to meet that deadline. Ask for the contractual SLA in the BAA — 24 to 72 hours is the industry norm for initial notification.
HIPAA-compliant fax setup checklist
Once a vendor is selected, implementation needs to cover these items before routing PHI through the platform:
- BAA signed and filed — executed copy saved in your compliance documentation system, with an annual review date scheduled
- Encryption at rest confirmed — AES-256 or equivalent; verified in vendor’s security documentation or third-party audit report (SOC 2 Type II is a reliable proxy)
- TLS in transit confirmed — TLS 1.2 minimum for all fax transmissions and platform access
- T.38 enabled as default transport — not just listed as supported; confirmed as the active protocol on your account
- Access controls configured — individual user accounts (no shared logins), role-based inbox permissions so staff only access fax queues relevant to their role
- Audit logs enabled and exportable — verify logs capture sender, recipient, timestamp, and page count; confirm retention period meets 6-year HIPAA requirement
- Retention and deletion policy set — define how long fax pages are stored, when they are purged, and how secure deletion is confirmed; document this policy
- Staff training completed — at minimum, train staff on: what counts as PHI in a fax, why shared logins are prohibited, and how to report a misdirected fax
- Misdirected fax response procedure documented — fax sent to the wrong number is a potential breach; have a written procedure for assessing and reporting it
- Annual BAA review scheduled — review annually, especially after vendor product changes, acquisitions, or pricing tier changes that may affect coverage
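The audit-controls standard above (tamper-evident logs recording who sent and received what, and when) and the checklist item on audit logs (sender, recipient, timestamp, page count) both come down to the same mechanism. The following is an added example, not the article's or any vendor's code: a hash-chained audit log where each record commits to the previous record's hash, so editing or deleting any entry is detectable, together with a check that every entry carries the required fields. The field names (`action`, `user_id`, `sender`, `recipient`, `pages`) and the sample events are constructed for illustration.

```python
"""Tamper-evident, hash-chained audit log for fax events.

Added example; field names and sample events are constructed, not taken from any
fax platform. Each record stores the previous record's hash and a SHA-256 over
(previous hash + canonical JSON of the event), so any change breaks the chain.
"""
import hashlib
import json
from typing import Optional, Tuple

# Fields the checklist asks every audit record to carry, plus who acted.
REQUIRED_FIELDS = ("timestamp", "action", "user_id", "sender", "recipient", "pages")
GENESIS = "0" * 64  # anchor hash for the first record


def entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes the same.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Validate required fields, then chain the event onto the log."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"audit event missing fields: {missing}")
    prev = log[-1]["hash"] if log else GENESIS
    record = {"event": event, "prev_hash": prev, "hash": entry_hash(prev, event)}
    log.append(record)
    return record


def verify_chain(log: list) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of first bad record). An edited record fails its own hash;
    a deleted record makes the next record's prev_hash mismatch."""
    prev = GENESIS
    for i, record in enumerate(log):
        if record["prev_hash"] != prev or record["hash"] != entry_hash(prev, record["event"]):
            return False, i
        prev = record["hash"]
    return True, None


def export_jsonl(log: list) -> str:
    """One JSON record per line, the shape an exportable log would take."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in log)


def sample_log() -> list:
    # Constructed sample events; numbers are placeholders, not real fax lines.
    log = []
    append_event(log, {"timestamp": "2026-03-02T14:05:00Z", "action": "send",
                       "user_id": "u-0421", "sender": "+1-555-0100",
                       "recipient": "+1-555-0199", "pages": 3})
    append_event(log, {"timestamp": "2026-03-02T14:07:30Z", "action": "receive",
                       "user_id": "u-0188", "sender": "+1-555-0150",
                       "recipient": "+1-555-0100", "pages": 7})
    append_event(log, {"timestamp": "2026-03-02T15:10:12Z", "action": "send",
                       "user_id": "u-0421", "sender": "+1-555-0100",
                       "recipient": "+1-555-0177", "pages": 1})
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify_chain(log))           # (True, None)
    log[1]["event"]["pages"] = 99                   # silently edit a page count
    print("edited:", verify_chain(log))           # (False, 1)
    log = sample_log()
    del log[1]                                      # remove a record from the middle
    print("deleted:", verify_chain(log))          # (False, 1)
    print(export_jsonl(sample_log())[:120], "...")
```

A hash chain on its own only proves internal consistency; someone with write access to the whole file could rebuild the chain from scratch. To make the log genuinely tamper-evident, periodically record the latest hash somewhere the log writer cannot alter (a separate write-once store or a signed timestamp), and compare against it at review time.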
HIPAA-compliant fax is not technically complex. The hard part is choosing a vendor that signs a BAA, verifying the controls are active, and training staff so operational habits match the platform’s compliance posture. The Security Rule does not require perfection; it requires documented, reasonable safeguards. Get the BAA signed, configure access controls, enable audit logs, document your decisions.
About the author
Business Communications Research Team
The DialPhone Content Team researches and writes comparative analyses, how-to guides, and technical explainers covering AI-native business communications. Every comparative claim on DialPhone is verified quarterly against the competitor's public pricing and feature pages, with source URLs published on the article. The team works alongside DialPhone product managers, compliance officers, and customer success leaders to ground articles in real deployment experience across 500,000+ businesses and 46+ countries.