HIPAA-compliant fax app, secure online fax for PHI

A HIPAA-compliant fax app must encrypt Protected Health Information (PHI) in transit and at rest, restrict access via authentication, log all transmissions for audit, and offer a Business Associate Agreement (BAA) when required. Faxend uses TLS 1.3 encryption, T.38 secure fax protocol, and provides BAAs on request for covered entities and business associates.

  • TLS 1.3 + T.38 secure
  • BAA available on request
  • Audit log for every fax

Reviewed by Faxend Editorial Team

Verified against IRS.gov

What makes a fax app HIPAA-compliant

Under the HIPAA Security Rule (45 CFR Part 164, Subpart C), an electronic system handling PHI must implement administrative, physical, and technical safeguards. For an online fax app specifically:

  • Encryption in transit: Documents uploaded over TLS 1.2+ (TLS 1.3 preferred), and fax transmission via T.38 secure protocol or equivalent encrypted backbone.
  • Encryption at rest: Any temporary document storage must be encrypted with AES-256 or equivalent.
  • Access controls: Authentication required to view sent/received faxes; role-based access for team accounts.
  • Audit logging: Every transmission, login, and access event recorded with timestamp, user, and IP, retained for at least 6 years.
  • Workforce training: Staff handling PHI receive HIPAA training; access provisioned on least-privilege basis.
  • Incident response: Documented breach notification procedures meeting 60-day reporting requirements.
  • Business Associate Agreement: When the fax service handles PHI on behalf of a covered entity, a signed BAA is required by HIPAA.

Why fax is still everywhere in healthcare

Despite the push toward EHRs and Direct messaging, fax remains entrenched in healthcare because:

  • Most legacy hospital and clinic systems include built-in fax interfaces, which is easier than connecting two EHRs directly.
  • Fax has explicit safe-harbor language in HIPAA: the modality is acceptable when implemented with appropriate safeguards.
  • Cross-organization compatibility: hospital A's EHR can't always talk to hospital B's, but every healthcare org has fax.
  • Pharmacies, imaging centers, and specialists frequently default to fax for orders and results.
  • Insurance prior authorizations and claims often arrive only via fax.

Skip the in-office fax line

Faxend provides HIPAA-compliant infrastructure with optional BAA for covered entities. Send PHI securely from anywhere.

Business Associate Agreements (BAAs) explained

HIPAA requires a Business Associate Agreement (BAA) any time a covered entity (provider, health plan, clearinghouse) shares PHI with a third-party service provider. The BAA legally obligates the third party to:

  • Use and disclose PHI only as permitted by the BAA
  • Implement appropriate safeguards
  • Report any breach to the covered entity within agreed timeframes (typically 60 days under HIPAA)
  • Ensure subcontractors with PHI access also sign BAAs
  • Return or destroy PHI when the relationship ends

Without a BAA, sharing PHI with a third-party service is itself a HIPAA violation, regardless of how secure that service's technology is. Patients sending their own personal medical records do not need a BAA; a BAA is required only when a covered entity is involved.

How Faxend supports HIPAA compliance

Safeguard and Faxend implementation:

  • Encryption in transit: TLS 1.3 for upload, T.38 secure fax protocol via Sinch infrastructure
  • Encryption at rest: Documents not retained beyond transmission; temporary storage encrypted
  • Access control: Firebase Authentication, optional 2FA, session-based authorization
  • Audit logging: Every fax logged with timestamp, recipient, page count, status, transmission ID
  • BAA: Available on request for covered entities and business associates; contact support
  • Data retention: Fax content not stored after transmission; metadata retained per audit requirements

⚠️ Important: HIPAA-compliant infrastructure does not automatically make every transmission HIPAA-compliant. Compliance also depends on your workflows: who has access, how recipients are verified, what data is shared, and whether a BAA is in place. If you are a covered entity, request a BAA before sending PHI.

Common HIPAA fax use cases

HIPAA fax violations to avoid

Wrong recipient. Misdialed faxes are the most common HIPAA fax violation. Always verify the destination number, and use a confirmation page (with no PHI on it) for the first fax to a new number.

No cover sheet with required language. A HIPAA-compliant fax cover sheet should include: addressee, sender, confidentiality notice, and instructions to the unintended recipient. The HHS suggests language like "If you have received this fax in error, please notify the sender immediately and destroy this transmission."

Faxing to a shared device. The HIPAA Security Rule expects PHI faxes to go to a fax machine (or inbox) accessible only to authorized personnel. Faxing to a shared front-desk fax requires additional verification.

Storing fax confirmations with PHI. Fax confirmation pages should not include patient identifiers in the screenshot or log. Faxend's confirmations show only the fax ID and recipient number, with no PHI.

Using an online fax service without a BAA. If you are a covered entity and the service handles PHI, a BAA is mandatory. Free or consumer-grade fax apps generally do not offer BAAs.
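The two workflow controls above (a PHI-free confirmation page before the first PHI fax to a new number, and confirmation/audit records that carry transmission metadata but never patient identifiers) can be enforced in code. The following is an added example written for this page, not Faxend's own code; the E.164-style number normalisation, the field names and the allow-list of audit fields are assumptions, and the numbers used are constructed:

```python
"""Send guard and PHI-free audit record for a fax workflow.

Added illustration, not Faxend's implementation. The audit field names,
the number normalisation and the allow-list below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re
import uuid

# Only these keys may ever be written to an audit log or confirmation page.
# Document content, patient names, MRNs, dates of birth etc. are deliberately absent.
ALLOWED_AUDIT_FIELDS = frozenset({
    "transmission_id", "timestamp", "user", "source_ip",
    "recipient", "page_count", "status",
})


def normalize_number(raw: str) -> str:
    """Reduce a dialled number to '+' plus digits; reject anything implausible.

    Catching a malformed number here is the first line of defence against
    the misdial problem described on the page.
    """
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("+"):
        digits = digits[1:]
    if not digits.isdigit() or not (7 <= len(digits) <= 15):
        raise ValueError(f"not a plausible fax number: {raw!r}")
    return "+" + digits


@dataclass(frozen=True)
class SendDecision:
    action: str       # "send" or "confirm_first"
    recipient: str    # normalised destination number
    reason: str


def plan_transmission(raw_number: str, contains_phi: bool, verified: set) -> SendDecision:
    """Gate a fax: PHI to an unverified destination gets a PHI-free confirmation page first."""
    number = normalize_number(raw_number)
    if not contains_phi:
        return SendDecision("send", number, "document contains no PHI")
    if number in verified:
        return SendDecision("send", number, "destination previously verified")
    return SendDecision(
        "confirm_first", number,
        "first PHI fax to this number: send a confirmation page with no PHI and verify receipt",
    )


def check_no_phi(record: dict) -> None:
    """Refuse any record carrying a field outside the allow-list (e.g. patient_name)."""
    extra = set(record) - ALLOWED_AUDIT_FIELDS
    if extra:
        raise ValueError(f"audit record must not carry {sorted(extra)}")


def build_audit_record(user: str, source_ip: str, recipient: str,
                       page_count: int, status: str) -> dict:
    """Assemble the per-transmission audit entry: who, when, from where, to whom, outcome."""
    record = {
        "transmission_id": str(uuid.uuid4()),
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "source_ip": source_ip,
        "recipient": recipient,
        "page_count": page_count,
        "status": status,
    }
    check_no_phi(record)
    return record


def confirmation_page(record: dict) -> str:
    """Confirmation text built only from allow-listed fields, so it can be filed safely."""
    check_no_phi(record)
    return (f"Fax {record['transmission_id']} to {record['recipient']} "
            f"at {record['timestamp']}: {record['page_count']} page(s), {record['status']}")


if __name__ == "__main__":
    verified_numbers = {"+15550100123"}                     # constructed sample data
    decision = plan_transmission("(555) 010-0199", True, verified_numbers)
    print(decision)                                         # confirm_first: new destination
    rec = build_audit_record("dr.smith", "203.0.113.7", decision.recipient, 1, "confirmation-sent")
    print(confirmation_page(rec))
```

The allow-list approach is deliberate: a deny-list of "PHI-looking" keys would miss the next field someone adds, whereas rejecting anything outside a fixed schema fails closed.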

Sources

Frequently asked questions

Is online fax HIPAA-compliant?
Online fax can be HIPAA-compliant when the service implements required technical safeguards (encryption in transit and at rest, access controls, audit logs) and signs a Business Associate Agreement with the covered entity. The technology alone is not enough; proper workflows and a BAA are required.
Does Faxend offer a BAA?
Yes. Business Associate Agreements are available on request for covered entities and business associates handling PHI. Contact support to initiate a BAA. Individual users sending their own personal medical records do not need a BAA.
Is faxing PHI safer than email?
Faxing PHI is generally considered safer than standard email because fax transmission is point-to-point and HIPAA explicitly addresses fax safeguards. Encrypted email (using S/MIME or TLS-secured Direct messaging) can also be HIPAA-compliant. Both require proper workflows.
What encryption does Faxend use?
Faxend uses TLS 1.3 for document upload, T.38 secure fax protocol via Sinch infrastructure for transmission, and AES-256 for any temporary storage. All connections are encrypted end-to-end during the transmission process.
Does Faxend store my faxes?
Faxend does not retain fax content after successful transmission. Metadata (transmission ID, timestamp, recipient number, page count, success status) is logged for audit purposes, as HIPAA requires, but the document content itself is not stored.
Can patients fax their own medical records via Faxend?
Yes. Patients sending their own personal medical records do not need a BAA; HIPAA's BAA requirement applies to covered entities sharing PHI with third parties. Patient self-faxing is fully permitted under HIPAA.
What happens if I fax PHI to the wrong number?
Misdialed PHI faxes are HIPAA breaches. Notify the affected patient(s), document the incident, and, if more than 500 individuals are affected, notify the HHS Office for Civil Rights (OCR) within 60 days. For under 500, document internally and report annually. Always verify destination numbers before sending.
Is fax better than EHR-to-EHR Direct messaging?
Direct messaging (a HIPAA-compliant secure messaging standard) is generally preferred when both organizations support it. Fax remains the lowest common denominator; it works between organizations using different EHRs or no EHR. Many clinics use both depending on the recipient's capability.
Are HIPAA fax confirmations required?
HIPAA does not mandate a specific confirmation format, but transmission verification is implicitly required as part of audit logging. Faxend automatically generates a confirmation page with transmission ID, timestamp, recipient number, page count, and success status, which is sufficient for audit purposes.
What should a HIPAA fax cover sheet include?
A HIPAA-compliant cover sheet should include: addressee (recipient name and organization), sender info, date and time, total page count, a confidentiality notice (e.g., 'This fax may contain protected health information...'), and instructions for unintended recipients to destroy and notify the sender.
Can I use Faxend on a personal phone for work PHI?
Yes, if your organization's workflow allows it and a BAA is in place. The Faxend mobile app uses the same encryption and audit logging as the web version. Use a screen lock and biometric authentication on your device, and avoid storing fax content in personal cloud accounts.
What's the difference between HIPAA-compliant and HIPAA-certified?
There is no official 'HIPAA certification' issued by HHS or any government body. Vendors who claim HIPAA certification typically mean they self-attest to compliance or have completed a third-party audit (like SOC 2 or HITRUST). The legal requirement is implementing the safeguards in the Security Rule and signing BAAs, not certification.

Send PHI securely in 60 seconds

TLS 1.3 encryption, T.38 secure transmission, audit logs. Pay $2.99 per fax, no subscription. BAA available on request for covered entities.
