fax · 20 min read
HIPAA-Compliant Fax
HIPAA-compliant fax explained: Security Rule requirements, BAA obligations, T.38 vs G.711, five vendor questions to ask, and a setup checklist for healthcare.

Fax never left healthcare. It predates email in clinical workflows, it is explicitly accepted under HIPAA, and it carries billions of pages of protected health information every year. The compliance question is not whether healthcare can fax (it can) but whether the fax infrastructure in use actually meets the Security Rule.
Why healthcare still faxes in 2026
Industry estimates put US healthcare fax volume at roughly nine billion pages per year. That number sounds archaic, but the reasons it persists are structural.
First, the HIPAA Security Rule does not prohibit fax. Traditional fax, point-to-point over the PSTN, was grandfathered into healthcare long before the Security Rule was finalized in 2003. Covered entities built EHR integrations, order workflows, referral processes, and prior-authorization pipelines around fax. Changing those workflows requires not just new software but negotiated changes with hospitals, insurers, and government payers that also fax.
Second, fax carries an implicit point-to-point assumption most staff understand intuitively: the document travels over a dedicated circuit and nobody intercepts it in transit. That model holds reasonably for traditional PSTN fax, where the signal is unencrypted but interception requires physical access to the line, and it is why fax survived while unencrypted email never became the PHI standard.
Third, CMS and most state Medicaid programs still accept, and sometimes require, fax for prior authorizations, lab referrals, prescription transfers, and forms that were never digitized.
What HIPAA actually requires for electronic fax
The HIPAA Security Rule (45 CFR Part 164, Subpart C; technical safeguards at § 164.312) applies to electronic protected health information, ePHI, whether it is stored or transmitted. Paper-to-paper PSTN fax is carved out of the definition of electronic media in 45 CFR § 160.103 (a transmission of paper via facsimile is not electronic media when the information did not exist in electronic form immediately before it was sent), so it is governed by the Privacy Rule's safeguard requirements rather than the Security Rule. Cloud fax and online fax services store and process ePHI digitally and fall squarely under the Security Rule.
That means any cloud or internet fax service handling PHI must implement the following required standards from § 164.312:
Access controls (§ 164.312(a)(1)): only authorized users should be able to send or receive faxes containing PHI. Role-based access to fax inboxes, not a shared departmental login.
Audit controls (§ 164.312(b)): the system must record who sent and received what, and when. HIPAA's documentation retention standard (§ 164.316(b)(2)) is six years, and the conservative practice is to apply it to fax audit logs; the logs must also be tamper-evident, so that an edited or deleted entry is detectable.
Integrity (§ 164.312(c)(1)): ePHI must not be altered or destroyed in unauthorized ways during storage or transmission. Write-once (immutable) storage for fax images and hash-chained or signed audit records are the usual mechanisms.
Transmission security (§ 164.312(e)(1)): ePHI must be guarded against unauthorized access during transmission. Encryption is the standard mechanism. The Security Rule lists encryption as an “addressable” implementation specification (§ 164.312(a)(2)(iv) at rest, § 164.312(e)(2)(ii) in transit) rather than a “required” one, but addressable means you must implement it or document why an equivalent alternative is reasonable and appropriate. For fax over the public internet, there is no credible alternative. AES-256 at rest and TLS 1.2+ in transit are the practical baseline.
The BAA requirement
Any cloud fax vendor that stores, processes, or transmits PHI on behalf of a covered entity is a business associate under HIPAA. Before routing a single fax containing PHI through a cloud fax platform, the covered entity must have a signed HIPAA BAA in place with that vendor.
The contract itself is required by 45 CFR § 164.308(b); its mandatory terms are set out in § 164.314(a)(2) and § 164.504(e). A valid BAA must establish that the business associate will:
- Use and disclose PHI only as permitted under the agreement and as required by law
- Implement appropriate administrative, physical, and technical safeguards for ePHI
- Report security incidents and breaches to the covered entity
- Ensure any downstream subcontractors also comply with HIPAA
- Return or destroy PHI at the termination of the agreement (or document why destruction is infeasible)
If a vendor declines to sign a BAA, using that vendor for PHI fax is not a gray area, it is a violation, regardless of marketing claims about “security” or “compliance.” Business associates have been directly liable under HIPAA since the HITECH Act, but the BAA is the legal instrument that defines the vendor's permitted uses of PHI and its obligations to you; without it, every fax you route through the platform is an impermissible disclosure. Some vendors only sign BAAs on enterprise tiers; confirm BAA availability before evaluating features.
T.38 vs G.711 fax over IP: why it matters for healthcare
When fax travels over an IP network, which it does for every online fax service, one of two transports carries it: T.38 or G.711 passband (also called pass-through).
T.38 is the ITU-T recommendation designed specifically for real-time fax over IP. The gateway demodulates the T.30 fax signal and sends the fax data as IFP packets over UDPTL, which carries redundant copies of recent packets (or forward error correction) so that a lost datagram is recovered from its neighbours without the sending fax machine retransmitting. The T.30 session still runs end to end between the two fax endpoints, so native fax error handling such as ECM is preserved, and the IP leg tolerates the packet loss and jitter that corrupt an audio stream.
G.711 passband transmits fax tones through a voice codec, carrying the modulated fax signal as if it were a phone call. G.711 has no fax-specific error correction, and it only works on a carefully configured voice path: echo cancellation, silence suppression (VAD), comfort noise and any transcoding to a compressed codec must all be disabled, and the jitter buffer must be large enough to absorb network variation. Packet loss or jitter on a G.711 fax session produces corrupted pages, dropped characters, or failed transmissions.
HIPAA does not name either protocol, but the compliance implication is practical: failed transmissions mean retransmissions, and each one is another window where PHI is in transit, another entry in the audit trail (or a gap in it), and often a manual resend by clinical staff. T.38 produces materially lower error rates than G.711 over the public internet. When evaluating vendors, confirm T.38 is the default transport, not an add-on that requires separate configuration.
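The practical way to confirm which transport is actually in use is to read the SDP in a SIP trace of a test fax (the fax gateway normally sends a re-INVITE that rejects the audio stream and offers an image stream). As an added example, not code from this article or from any fax vendor, the following Python classifies an SDP body as T.38 over UDPTL or G.711 pass-through and flags the two configuration problems discussed above (no UDP error-correction mode negotiated, silence suppression left on). The SDP samples are constructed for the example; the line formats (`m=image ... udptl t38`, `a=T38FaxUdpEC:t38UDPRedundancy` or `t38UDPFEC`, `a=silenceSupp:off - - - -`) are the standard ones. It handles the common UDPTL case only, not T.38 over TCP or RTP, and the warning wording is the example's own.

```python
"""Classify the fax transport negotiated in an SDP body (T.38 over UDPTL or G.711 pass-through).
Example code written for this article; the SDP samples at the bottom are constructed."""
from dataclasses import dataclass, field
from typing import Optional

G711_PAYLOAD_TYPES = {"0", "8"}                     # RFC 3551 static types: 0 = PCMU, 8 = PCMA
T38_EC_MODES = {"t38UDPRedundancy", "t38UDPFEC"}    # valid a=T38FaxUdpEC values (T.38 Annex D)


@dataclass
class Media:
    kind: str                         # "audio", "image", ...
    port: int                         # 0 means the stream was rejected/disabled
    proto: str                        # "RTP/AVP", "udptl", ...
    fmts: list[str]                   # payload types, or format names such as "t38"
    attrs: list[tuple[str, Optional[str]]] = field(default_factory=list)

    def attr(self, name: str) -> Optional[str]:
        for key, value in self.attrs:
            if key.lower() == name.lower():
                return value
        return None


def parse_sdp(text: str) -> list[Media]:
    """Return the media sections; session-level lines before the first m= are skipped."""
    media: list[Media] = []
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue                                   # blank or malformed line
        key, value = line[0], line[2:]
        if key == "m":
            parts = value.split()
            if len(parts) < 3:
                raise ValueError(f"malformed m= line: {line!r}")
            port = int(parts[1].split("/")[0])         # "49170/2" means port plus a port count
            media.append(Media(parts[0], port, parts[2], parts[3:]))
        elif key == "a" and media:                     # media-level attribute
            name, sep, val = value.partition(":")
            media[-1].attrs.append((name, val if sep else None))
    return media


@dataclass
class FaxTransport:
    transport: str                    # "T.38", "G.711 pass-through" or "none"
    error_correction: Optional[str]   # a=T38FaxUdpEC value when T.38 is active
    warnings: list[str]


def classify_fax_transport(sdp: str) -> FaxTransport:
    """Prefer an active T.38 image stream; otherwise fall back to a G.711 audio stream."""
    active = [m for m in parse_sdp(sdp) if m.port != 0]
    warnings: list[str] = []

    for m in active:
        if m.kind == "image" and m.proto.lower() == "udptl" and "t38" in (f.lower() for f in m.fmts):
            ec = m.attr("T38FaxUdpEC")
            if ec is None:
                warnings.append("T.38 without T38FaxUdpEC: no packet-loss recovery negotiated")
            elif ec not in T38_EC_MODES:
                warnings.append(f"unexpected T38FaxUdpEC value {ec!r}")
            return FaxTransport("T.38", ec, warnings)

    for m in active:
        if m.kind == "audio" and G711_PAYLOAD_TYPES & set(m.fmts):
            silence = (m.attr("silenceSupp") or "").split(" ")[0].lower()
            if silence != "off":
                warnings.append("G.711 pass-through without silenceSupp:off: VAD/comfort noise can corrupt fax tones")
            return FaxTransport("G.711 pass-through", None, warnings)

    return FaxTransport("none", None, warnings + ["no fax-capable media stream is active"])


# Constructed answer to a fax gateway's re-INVITE: audio rejected (port 0), T.38 accepted.
T38_ANSWER = """v=0
o=faxgw 2890844526 2890844527 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 0 RTP/AVP 0
m=image 49170 udptl t38
a=T38FaxVersion:0
a=T38MaxBitRate:14400
a=T38FaxRateManagement:transferredTCF
a=T38FaxMaxDatagram:512
a=T38FaxUdpEC:t38UDPRedundancy
"""

# Constructed G.711 pass-through session with silence suppression correctly disabled.
G711_CLEAN = """v=0
o=pbx 1 1 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 49172 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=silenceSupp:off - - - -
"""

# The same session minus silenceSupp: a voice-tuned trunk that will clip fax tones.
G711_VAD_ON = G711_CLEAN.replace("a=silenceSupp:off - - - -\n", "")

if __name__ == "__main__":
    for name, body in (("T.38 answer", T38_ANSWER), ("G.711 clean", G711_CLEAN), ("G.711 VAD on", G711_VAD_ON)):
        print(name, classify_fax_transport(body))
```

A vendor that lists T.38 as supported but is actually running your account on G.711 will show only an audio `m=` line with PCMU/PCMA and never switch to an image line; if you cannot capture the trace at your own session border controller, ask the vendor for the SIP trace of a test fax and run it through the same check.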
Five questions to ask any fax vendor before signing
Compliance marketing language is ubiquitous. “Secure fax,” “enterprise-grade,” and “healthcare-ready” are not HIPAA compliance claims. These five questions cut through it:
1. Do you sign a BAA at this pricing tier? Get the answer in writing before the sales process advances. Request a sample BAA for legal review. Vendors committed to healthcare customers do not hesitate on this question.
2. Is PHI stored encrypted at rest using AES-256 (or equivalent)? Encryption at rest protects fax pages stored on the vendor’s servers, inbox images, sent confirmations, transmission logs. Ask where fax images are stored and whether encryption keys are customer-controlled or vendor-managed.
3. Do you support T.38 for fax transmission? As discussed above, T.38 reduces transmission errors and retransmits. Confirm T.38 is the default transport, not an enterprise add-on.
4. Do AI transcription or OCR features operate within BAA scope? Many modern fax platforms offer AI-powered features: OCR to make fax pages searchable, AI transcription to extract clinical data, smart routing that reads fax content to direct pages to the right inbox. These features process PHI. Confirm they operate within the BAA boundary, meaning the vendor’s AI pipeline is covered by the BAA, not routed through a third-party AI provider outside the agreement.
5. What is your breach notification SLA? HIPAA requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach (§ 164.404). A business associate's own regulatory deadline for telling you is also 60 days from its discovery (§ 164.410), which leaves you no margin if the vendor uses all of it, so ask for a tighter contractual SLA written into the BAA; 24 to 72 hours is the industry norm for initial notification.
HIPAA-compliant fax setup checklist
Once a vendor is selected, implementation needs to cover these items before routing PHI through the platform:
- BAA signed and filed: executed copy saved in your compliance documentation system, with an annual review date scheduled
- Encryption at rest confirmed: AES-256 or equivalent; verified in the vendor's security documentation or a third-party audit report (a SOC 2 Type II report is a useful proxy, though it does not by itself establish HIPAA compliance)
- TLS in transit confirmed: TLS 1.2 minimum for all fax transmissions and platform access
- T.38 enabled as default transport: not just listed as supported; confirmed as the active protocol on your account
- Access controls configured: individual user accounts (no shared logins), role-based inbox permissions so staff only access fax queues relevant to their role
- Audit logs enabled and exportable: verify logs capture sender, recipient, timestamp, and page count; confirm the retention period meets the six-year minimum and that logs can be exported out of the platform, so they survive a vendor change
- Retention and deletion policy set: define how long fax pages are stored, when they are purged, and how secure deletion is confirmed; document this policy
- Staff training completed: at minimum, train staff on: what counts as PHI in a fax, why shared logins are prohibited, and how to report a misdirected fax
- Misdirected fax response procedure documented: fax sent to the wrong number is a potential breach; have a written procedure for assessing and reporting it
- Annual BAA review scheduled: review annually, especially after vendor product changes, acquisitions, or pricing tier changes that may affect coverage
Traditional Fax vs Cloud Fax: HIPAA Compliance Comparison
Healthcare organizations choosing between traditional PSTN fax and cloud fax face different compliance profiles for each.
| Dimension | Traditional PSTN Fax | Cloud / Internet Fax |
|---|---|---|
| Transmission path | Analog, point-to-point over PSTN | IP network (internet or private WAN) |
| Encryption in transit | None (analog signal) | TLS 1.2+ required |
| Encryption at rest | Not applicable (no storage layer) | AES-256 required for stored fax pages |
| BAA requirement | Not required (not a cloud service) | Required — vendor is a business associate |
| Audit logs | None natively | Sender, recipient, timestamp, page count — 6-year retention |
| Access controls | Physical machine access only | Role-based user accounts with inbox permissions |
| Transmission error rate | High on poor PSTN lines | Lower with T.38; higher with G.711 passband |
| Annual cost (typical clinic) | $800–$2,400 (hardware + line fees) | $300–$1,200 (cloud subscription) |
| Remote access | Physical machine only | Web portal, mobile app, API |
| Integration with EHR | Manual only | API or HL7 routing possible |
The bottom line: cloud fax is cheaper and more auditable, but it creates new HIPAA obligations (BAA, encryption, audit logs) that traditional PSTN fax did not. Most covered entities already use cloud fax and need to verify the compliance controls are active — not just marketed.
7 HIPAA Violations to Avoid When Faxing PHI
These are the most common fax-related HIPAA enforcement patterns based on HHS breach notification reports:
- No BAA with the cloud fax vendor. The single most common error. Using any cloud fax platform for PHI without a signed BAA in place is a violation on day one, regardless of what the vendor's website says about security.
- Shared departmental logins. HIPAA access controls require individual user accounts so that audit logs identify the person, not the department. A shared “radiology@” login defeats the audit trail.
- Sending to the wrong number without a response procedure. A misdirected fax that exposes PHI to an unauthorized person is presumed to be a breach unless a documented risk assessment (§ 164.402) shows a low probability that the PHI was compromised. Not having a written response procedure compounds the violation.
- G.711 fax without T.38 enabled. Not a named HIPAA requirement, but transmission errors on G.711 force retransmissions, each one another PHI-in-transit event and another entry (or gap) in the audit trail. Confirm T.38 is active, not just listed as supported.
- Audit logs not retained for six years. HIPAA's documentation retention standard (§ 164.316(b)(2)) is six years, and auditors expect fax audit logs to meet it. Many cloud fax plans default to 30 or 90 days; check the retention setting explicitly.
- AI/OCR features processing PHI outside the BAA. Modern platforms offer OCR and AI routing that reads fax content. If that AI pipeline routes through a third-party provider not covered by the BAA, it is an unauthorized disclosure.
- No annual BAA review. A BAA signed three years ago may not cover the vendor's current product (acquisitions, pricing tier changes, new subprocessors). HIPAA requires ongoing vendor management. Schedule an annual review date when you first execute the BAA.
How to Send a HIPAA-Compliant Fax: 6-Step Checklist
Follow this sequence for any fax containing PHI:
1. Verify the recipient fax number against the patient record or provider directory before dialing. Call the recipient's office to confirm if the fax will contain highly sensitive PHI (HIV status, mental health, substance use).
2. Use a HIPAA-compliant cover sheet. The cover sheet must include: sender name, organization, phone, fax; recipient name, organization, fax; date and number of pages; and a confidentiality notice stating that the transmission contains PHI intended only for the named recipient and requiring the recipient to notify the sender and destroy the document if received in error.
3. Log the fax before sending. Record intended recipient, fax number, page count, and the clinical purpose in your transmission log.
4. Confirm transmission receipt. Obtain a machine-generated transmission confirmation (the delivery report a fax machine or cloud platform produces from the receiving side's T.30 acknowledgement) and attach it to the log entry.
5. Monitor for misdirected fax notification. If the recipient calls to report receiving a fax not intended for them, activate your misdirected fax response procedure immediately (assess breach status, notify impacted party, log the incident).
6. Archive the transmission log. Retain sender, recipient, timestamp, page count, and delivery confirmation for six years minimum.
HIPAA Fax Use Cases by Healthcare Specialty
Different specialties rely on fax for different workflows, each with its own compliance considerations.
Radiology. Large-volume referral faxes with imaging orders and prior authorizations. Cloud fax with EHR integration reduces manual re-entry errors. Volume typically justifies T.38 verification because failed radiology order faxes cause appointment delays.
Pharmacy. Prescription transfers and controlled-substance documentation carry DEA requirements on top of HIPAA: DEA rules (21 CFR Part 1306) limit when a faxed controlled-substance prescription is valid, and electronic prescribing of controlled substances (EPCS, 21 CFR Part 1311) is a separate certified-application channel, not a fax workflow. Do not treat a cloud fax platform as an EPCS substitute; confirm with the pharmacy's compliance officer which controlled-substance documents may lawfully travel by fax.
Specialist referrals. Clinical summaries and insurance pre-authorization forms. The “minimum necessary” standard under 45 CFR § 164.502(b) applies: fax only the PHI required for the referral, not the patient’s complete record. Many practices fax entire chart packets when only the past two visits are clinically relevant.
Insurance claims and prior authorizations. High-volume, often automated. Batch fax workflows must apply the same BAA and encryption controls as individual faxes. Automated fax systems that extract patient data from the EHR to populate claim forms are processing ePHI and require explicit BAA coverage.
Patient record requests. Patients have a right under HIPAA to request records. Faxing records to a patient requires verifying the patient’s identity and their authorized fax number — a confirmed-number-only policy reduces misdirected-fax risk.
Frequently asked questions
Does HIPAA require a Business Associate Agreement for cloud fax?
Yes. Any cloud fax vendor that stores, processes, or transmits protected health information on behalf of a covered entity is a business associate under HIPAA. A signed BAA must be in place before routing any PHI through the platform. Using a cloud fax vendor without a BAA is a HIPAA violation regardless of the vendor's security marketing claims. Some vendors only sign BAAs on enterprise pricing tiers — confirm BAA availability before evaluating features.
What encryption does HIPAA-compliant fax require?
HIPAA's Security Rule requires transmission security under 45 CFR §164.312(e)(1). For cloud fax, the baseline is AES-256 encryption at rest for stored fax pages and TLS 1.2 or higher in transit for all transmissions and platform access. Although HIPAA labels encryption as 'addressable' rather than 'required,' there is no credible alternative for fax over the public internet, so encryption is effectively mandatory in practice.
What is T.38 and why does it matter for HIPAA-compliant fax?
T.38 is the ITU standard designed specifically for fax over IP networks. It uses a redundancy mechanism that detects and corrects packet loss in real time, resulting in materially lower error rates than G.711 passband fax. Failed transmissions require retransmissions, each creating additional compliance risk and audit trail gaps. Confirm that T.38 is the default transport on your account, not an enterprise-only add-on requiring separate configuration.
How long must healthcare organizations retain fax records under HIPAA?
HIPAA's Security Rule (45 CFR § 164.316(b)(2)) requires covered entities to retain the documentation the rule calls for, including policies, procedures and records of required actions and assessments, for at least six years from its creation or the date it was last in effect. Fax audit logs capturing sender, recipient, timestamp and page count are the record of the rule's audit-control activity, so configure them to the same six-year minimum, set your fax platform's retention policy explicitly, and document the policy in your compliance records.
What should a HIPAA-compliant fax setup checklist include?
A complete setup checklist covers: BAA signed and filed with an annual review date scheduled; AES-256 encryption at rest confirmed in the vendor's SOC 2 Type II report; TLS 1.2 minimum for all transmissions; T.38 enabled as the default transport; individual user accounts with role-based inbox permissions; audit logs enabled and exportable with six-year retention; a documented retention and deletion policy; staff training on PHI handling and misdirected fax procedures; and a written misdirected fax response procedure.
Related
- DialPhone HIPAA compliance details
- DialPhone for healthcare
- Best online fax services compared
- HHS.gov, HIPAA Security Rule guidance
HIPAA-compliant fax is not technically complex. The hard part is choosing a vendor that signs a BAA, verifying the controls are active, and training staff so operational habits match the platform’s compliance posture. The Security Rule does not require perfection; it requires documented, reasonable safeguards. Get the BAA signed, configure access controls, enable audit logs, document your decisions.
How We Tested
DialPhone re-verifies every comparison in this guide every 90 days. We pull pricing directly from each vendor’s public pricing page on the dates listed in the frontmatter (lastVerifiedAt or updatedAt). Where vendor pricing is gated behind a sales call, we mark “Contact sales” and use the lowest published equivalent from the past 12 months. Feature availability is checked against vendor documentation, not marketing pages. We do not accept paid placements or affiliate fees from any vendor — see our editorial standards.
What We Don’t Like
No platform is perfect, including DialPhone. Honest drawbacks based on user feedback and our own testing:
- Smaller integration catalog than RingCentral (~40 vs 200+). Niche vertical CRM integrations may require API work.
- Newer brand awareness. RingCentral and 8x8 have 15+ years of analyst coverage. Enterprise procurement reviews may take longer.
- Predictive dialer is an add-on ($15/user) for high-volume outbound teams running 200+ daily dials per rep.
- HIPAA BAA starts on Advanced tier ($34/user), not the $24 Core plan. Still cheaper than competitors that gate HIPAA behind enterprise-only contracts.
About the author
Growth Operations Lead at DialPhone
Darshan leads Growth Operations at DialPhone, where he owns three interconnected programs: the comparison content operation, the open VoIP Pricing Dataset, and the test-call methodology used to verify every pricing claim published on the site.
His research process starts with hands-on product trials and live vendor quotes — not marketing pages. Pricing figures are cross-checked against actual invoices and re-verified on a rolling quarterly cycle, with the underlying dataset kept public for independent re-verification. That dataset now covers 40+ VoIP and virtual-number providers across the US and Canada market.
Darshan also leads DialPhone's AI receptionist evaluation program, running structured test-call scenarios across English, Spanish, and French to assess transcription accuracy, intent routing, and escalation behavior. Methodology notes and raw scoring are archived in the research section.
For factual corrections or dataset discrepancies, Darshan can be reached at the DialPhone editorial address. Verified corrections are published as errata with a changelog date — no silent edits.