HIPAA Fax Compliance Guide for Healthcare Providers
Faxing protected health information is still permitted under HIPAA, but only when you follow specific administrative, physical, and technical safeguards. This guide explains the rules that apply to fax transmissions, and what happens when providers skip them.
Faxley, Faxend Editorial · Updated April 24, 2026
Does HIPAA allow faxing PHI?
Yes. The U.S. Department of Health and Human Services has never banned fax as a transmission method for protected health information (PHI). HIPAA is technology-neutral. It sets standards for how you protect data, not which medium you use.
That said, the rules are strict. A fax sent to the wrong number, stored on an unencrypted server, or sent through a vendor without a signed Business Associate Agreement can trigger a reportable breach. The medium is allowed. The carelessness is not.
Providers who understand this distinction are far better positioned to stay compliant without abandoning a communication channel that much of the healthcare industry still depends on daily.
Required safeguards for fax transmissions
HIPAA's Security Rule divides safeguards into three categories: administrative, physical, and technical. All three apply to fax workflows.
Administrative safeguards
Your organization must have written fax policies. Those policies should define who is authorized to send PHI by fax, how staff verify recipient numbers before sending, and what to do when a misdirected fax is discovered.
Training matters too. Every employee who touches a fax machine or online fax account must understand the rules. The Security Rule (45 CFR 164.308(a)(5)) requires covered entities to implement a security awareness and training program for their workforce.
Physical safeguards
Traditional fax machines must sit in areas where unauthorized people cannot read incoming pages. A fax machine in an open waiting room is a compliance problem. So is one in a hallway where patients walk through.
Online fax eliminates the physical machine problem, but you still need to control who can log into the account and view received documents.
Technical safeguards
When fax travels over the internet, encryption is non-negotiable. HIPAA itself names no algorithm: encryption is an "addressable" implementation specification, and HHS's guidance on rendering PHI unusable, unreadable, or indecipherable points to the NIST standards for storage encryption (SP 800-111) and for TLS. In practice that means TLS 1.2 or 1.3 with an AEAD cipher such as AES-256-GCM on the wire, and AES-256 for stored documents, which is what vendors mean when they advertise "AES-256 in transit and at rest". Unencrypted or legacy-protocol transport leaves PHI exposed during transmission and, if the data is later lost, forfeits the breach-notification safe harbor that properly encrypted PHI enjoys.
Access controls are equally important. The fax service must support unique user credentials, not a shared login that anyone in the office uses.
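"AES-256 in transit" is a property of the TLS session you can measure rather than take on faith. As an added example, not code from Faxend or this page, the following Python check connects to a vendor's HTTPS endpoint, reports the negotiated protocol and cipher, and judges them against a transit policy. The host name is an assumption you supply; the policy evaluation is separated from the network call so it can be exercised offline with constructed values. It treats TLS 1.2 or 1.3 with an AEAD cipher as the floor and flags any key shorter than the 256 bits this page asks for.

```python
"""Measure a fax vendor's TLS configuration and judge it against a transit
policy. Added example; the host passed to check_tls() is an assumption."""
import socket
import ssl

# The key size this page asks for. TLS 1.3 with AES-128-GCM is still sound,
# so treat a 128-bit finding as a policy deviation to discuss, not a breach.
MIN_KEY_BITS = 256


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a real TLS session to host:port and report what was negotiated.
    Certificate validation is left on (create_default_context), so an
    endpoint with a bad chain fails here instead of being silently accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 outright
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _proto, key_bits = tls.cipher()
            return {"version": tls.version(), "cipher": cipher_name, "bits": key_bits}


def evaluate_transit(version: str, cipher: str, bits: int,
                     min_bits: int = MIN_KEY_BITS) -> list:
    """Return policy findings for a negotiated session; an empty list means
    the session meets the policy. Pure function so it is testable offline."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"legacy protocol {version}")
    # AEAD suites (GCM, ChaCha20-Poly1305, CCM) authenticate every record;
    # CBC-with-HMAC suites have a long history of padding-oracle problems.
    if not any(tag in cipher for tag in ("GCM", "CHACHA20", "CCM")):
        findings.append(f"non-AEAD cipher {cipher}")
    if bits < min_bits:
        findings.append(f"{bits}-bit key below policy minimum of {min_bits}")
    return findings


if __name__ == "__main__":
    # Hypothetical vendor host; replace with the endpoint named in your BAA.
    session = check_tls("fax.example.com")
    print(session)
    print(evaluate_transit(**session) or "meets transit policy")
```

Run it against the exact host your fax client talks to, not just the marketing site; the API or upload endpoint is sometimes terminated by different infrastructure.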
Why you need a Business Associate Agreement
A Business Associate Agreement (BAA) is a written contract between a covered entity and any vendor that handles PHI on its behalf. If you send patient records through an online fax service, that service is a business associate.
Without a signed BAA, you are in violation. Full stop. The Office for Civil Rights has levied fines specifically because covered entities used vendors without executing a BAA first.
When evaluating any fax service, ask directly whether they will sign a BAA. Some providers offer HIPAA features but decline to sign a BAA, which makes those features legally useless for healthcare providers.
Faxend offers a Business Associate Agreement on all plans, including the Basic tier. That is uncommon in the online fax market, where BAA access is often gated behind enterprise pricing. You can review Faxend's pricing to see which plan fits your volume.
Online fax vs. traditional fax machines
Traditional analog fax machines transmit data over the public switched telephone network. The signal is not encrypted. Anyone with physical access to the phone line can intercept it. That is a real risk, even if it rarely makes headlines.
Online fax services are more secure on the legs they control. The document travels from your browser or app to the service inside a TLS connection, and is stored encrypted once it arrives. Two caveats apply. T.38 is a fax-over-IP protocol, not an encryption protocol; it only protects the document when it is carried inside an encrypted channel, so ask the vendor how the fax leg is transported rather than treating "T.38" as a security feature by itself. And if the recipient is still on an analog machine, the final hop from the service's gateway to that machine crosses the public telephone network in the clear, exactly as described in the previous paragraph. End-to-end encryption exists only when both ends use an online service.
Online fax also solves the physical safeguard problem. There is no paper sitting in a tray. Documents land in a secure inbox, accessible only to credentialed users. Audit logs track who viewed what and when, which is what the Security Rule's audit controls standard (45 CFR 164.312(b)) calls for.
For providers who want to send faxes from mobile devices, the Faxend iPhone app supports encrypted transmission with the same security standards as the web platform. That matters for physicians who work across multiple locations.
Traditional machines do have one advantage: familiarity. Staff who have used them for years need no retraining on the physical act of faxing. But compliance risk, the cost of paper and toner, and the lack of audit trails make them a harder choice to justify today.
Common HIPAA fax violations and how to avoid them
Most fax-related HIPAA violations fall into a small number of patterns. Knowing them makes them preventable.
- Misdirected faxes. Sending PHI to the wrong number is the most common fax breach. Require staff to verify recipient numbers against a confirmed directory before every send. Never rely on memory alone.
- No cover sheet. Every fax containing PHI should include a cover sheet with a confidentiality notice and a number to call if the fax was received in error. HIPAA does not mandate cover sheets by name, but they are a standard element of the "reasonable safeguards" a written fax policy is expected to document. A cover sheet does not prevent a misdirected fax from being a breach; it helps the wrong recipient recognize the error and return or destroy the pages.
- Unsecured storage. Received faxes saved as unencrypted files on a broadly accessible shared drive fail both the access control standard and the (addressable) encryption specification. Keep them in the service's encrypted inbox, or in an encrypted store with access restricted to the staff who need it.
- Shared credentials. A single login used by an entire department makes audit trails meaningless. Each user needs their own account.
- No BAA with the fax vendor. As covered above, this is a standalone violation regardless of how careful you are otherwise.
- Retaining faxes longer than necessary. Your retention policy must apply to faxed documents. If your policy says records are destroyed after seven years, that includes fax archives.
A written fax policy that addresses each of these points is a reasonable starting place. Review it annually and after any incident.
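The misdirected-fax and shared-credential items above are the two that a pre-send gate can enforce mechanically rather than by reminder. The following Python example is added here and is not Faxend's code; the directory entries, user names and 555 numbers are constructed. It normalizes the dialed number to E.164 before the directory lookup, so formatting variants such as "(555) 555-0100" and "1-555-555-0100" cannot slip past the check, refuses shared logins and missing cover sheets, and writes an audit record for every decision, including refusals, so an attempted send to an unconfirmed number is visible in the log rather than silent.

```python
"""Pre-send gate for PHI faxes: verify the destination against a confirmed
directory and write a per-user audit record. Added example, not vendor code."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample directory of confirmed recipients, keyed by E.164 number.
# Hypothetical 555 numbers; a real directory is maintained by the practice.
CONFIRMED_DIRECTORY = {
    "+15555550100": "Northside Cardiology, referrals desk",
    "+15555550123": "Riverside Lab, results line",
}

# Generic logins that defeat the audit trail: one record must map to one person.
SHARED_ACCOUNTS = {"frontdesk", "shared", "office", "admin"}


class FaxSendRejected(Exception):
    """Raised when a send would violate the written fax policy."""


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str      # UTC, ISO 8601
    user_id: str        # individual credential, never a shared login
    destination: str    # number as dialed, or E.164 once normalized
    recipient: str      # directory name, or "" if unconfirmed
    pages: int
    outcome: str        # "allowed" or "rejected"
    reason: str


def normalize_number(raw: str, default_country: str = "1") -> str:
    """Canonicalize a dialed number to E.164 (+<country><number>). Bare
    10-digit input is assumed North American; anything else needs a '+'."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        if not 8 <= len(digits) <= 15:
            raise FaxSendRejected(f"malformed international number: {raw!r}")
        return "+" + digits
    if len(digits) == 10:
        return "+" + default_country + digits
    if len(digits) == 11 and digits.startswith(default_country):
        return "+" + digits
    raise FaxSendRejected(f"cannot normalize number: {raw!r}")


def authorize_send(user_id: str, dialed: str, pages: int, has_cover_sheet: bool,
                   audit_log: list, directory=CONFIRMED_DIRECTORY) -> AuditEntry:
    """Allow a PHI fax only if the user is an individual account, a cover
    sheet is attached, and the normalized destination is in the confirmed
    directory. Every decision, refusals included, is appended to audit_log."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")

    def record(destination, recipient, outcome, reason):
        entry = AuditEntry(now, user_id, destination, recipient, pages, outcome, reason)
        audit_log.append(entry)
        return entry

    if user_id.lower() in SHARED_ACCOUNTS:
        record(dialed, "", "rejected", "shared login; individual credentials required")
        raise FaxSendRejected("shared login")
    if not has_cover_sheet:
        record(dialed, "", "rejected", "missing confidentiality cover sheet")
        raise FaxSendRejected("missing cover sheet")
    try:
        destination = normalize_number(dialed)
    except FaxSendRejected as exc:
        record(dialed, "", "rejected", str(exc))
        raise
    recipient = directory.get(destination)
    if recipient is None:
        # Logged as a refusal: a one-digit typo is exactly what this catches.
        record(destination, "", "rejected", "number not in confirmed directory")
        raise FaxSendRejected("unconfirmed destination")
    return record(destination, recipient, "allowed", "destination confirmed")


if __name__ == "__main__":
    log = []
    print(authorize_send("jlee", "(555) 555-0100", 3, True, log))
    try:
        authorize_send("jlee", "555-555-0101", 3, True, log)   # one digit off
    except FaxSendRejected as exc:
        print("blocked:", exc)
    for entry in log:
        print(entry.outcome, entry.user_id, entry.destination, entry.reason)
```

Adding a new number to the directory should itself be a logged, two-person step (call the recipient, confirm the number, record who confirmed it); the gate is only as good as the directory behind it.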
Choosing a HIPAA-compliant fax service
Not every service that claims HIPAA compliance actually delivers it. Here is what to verify before signing up.
| Feature | Why it matters | Faxend |
|---|---|---|
| AES-256 encryption (transit + rest) | Protects PHI during send and storage | Yes, all plans |
| Business Associate Agreement | Required by HIPAA for any vendor handling PHI | Yes, all plans |
| Audit logs | Supports accountability and breach investigation | Yes, Standard and Pro |
| Dedicated inbound number | Ensures PHI goes only to your account | Pro plan |
| No account required option | Useful for occasional senders who still need compliance | Basic plan ($2.99) |
| HIPAA on every pricing tier | Most competitors restrict HIPAA to expensive plans | Yes |
Many competing services restrict HIPAA features to their highest-tier plans. Faxend includes encryption and BAA availability starting at the $2.99 Basic plan. For a provider who only needs to fax occasionally, that is a meaningful cost difference. Note from the table that audit logs are listed for the Standard and Pro plans only, so a Basic-tier sender should keep their own record of who sent what, where, and when.
For higher-volume practices, the Standard plan at $9.99 per month includes fax history and 20 pages. The Pro plan at $19.99 per month adds unlimited pages and a dedicated inbound fax number, which is important for any practice that receives referrals or lab results by fax regularly.
You can send your first fax directly from faxend.com/send without creating an account, which is useful for testing before committing to a monthly plan.
Quick compliance checklist
Use this before your next fax transmission containing PHI.
- Confirm the recipient fax number against a verified directory.
- Attach a cover sheet with a confidentiality notice.
- Verify your fax service uses AES-256 encryption in transit and at rest.
- Confirm a signed BAA is in place with your fax vendor.
- Ensure each user has individual credentials, not a shared login.
- Check that received faxes are stored in an encrypted inbox, not a shared folder.
- Review your retention schedule and confirm it covers fax archives.
Running through this list takes about 60 seconds. It is far faster than responding to a breach investigation.
For practices that send faxes from mobile devices, the best iPhone fax apps guide covers which apps meet the security standards discussed here. And if your practice is evaluating whether to receive faxes online rather than on a physical machine, the guide to receiving faxes online walks through the setup process.
HIPAA compliance is not a one-time checkbox. It's an ongoing practice. But with the right fax service and a clear internal policy, the fax channel can remain both useful and fully compliant.
This post was written by Faxley, Faxend's editorial voice on document workflow and digital communication security.
Frequently asked questions
Is faxing PHI allowed under HIPAA?
Yes. HIPAA does not prohibit fax as a transmission method. It requires that any method used to send PHI meets the Security Rule's administrative, physical, and technical safeguard requirements. A fax service with strong encryption and a signed BAA covers the vendor's side of that; your organization still has to supply its own written fax policy, workforce training, individual user accounts, and risk analysis.
Do I need a Business Associate Agreement with my fax service?
Yes, if that service handles PHI on your behalf. Any online fax provider that stores or transmits patient information qualifies as a business associate under HIPAA. Operating without a signed BAA is a standalone violation, regardless of other safeguards in place.
What happens if a fax containing PHI is sent to the wrong number?
A misdirected fax is an impermissible disclosure, and under the Breach Notification Rule it is presumed to be a breach unless a documented risk assessment (nature of the PHI, who received it, whether it was actually viewed, and how far the risk was mitigated) shows a low probability that the PHI was compromised. If it is a breach, you must notify the affected patients without unreasonable delay and within 60 days of discovery, and report it to HHS: within 60 days if 500 or more individuals are affected, otherwise in the annual log. Verifying recipient numbers before every send is the simplest way to prevent this.
Are traditional fax machines HIPAA-compliant?
They can be, but they present real challenges. Analog fax signals are not encrypted, physical paper sits in open trays, and there are no digital audit logs. Online fax services address all three of those issues and are generally easier to make compliant.
Does Faxend sign a Business Associate Agreement?
Yes. Faxend offers a BAA on all plans, including the $2.99 Basic plan. Most competing services restrict BAA access to higher-tier subscriptions, so this is a meaningful difference for smaller practices or occasional senders.
How long must faxed PHI records be retained?
HIPAA does not set a retention period for medical records themselves; that comes from state law, which varies but is often six to ten years. HIPAA's own six-year rule (45 CFR 164.316(b)(2)) applies to required documentation such as policies, procedures, and records of the actions they require. Your fax archive falls under the same retention schedule as the rest of the patient record. Confirm your fax service supports compliant deletion when records reach the end of their retention period.