
Is Faxing HIPAA Compliant? Rules & Risks (2026)

Traditional faxing is HIPAA compliant when handled correctly. But online fax services, email-to-fax, and cloud fax add new compliance requirements most practices miss.

Patient Protect Editorial Team·April 15, 2026·9 min read

Is Faxing HIPAA Compliant? What Practices Need to Know (2026)

Traditional analog faxing — landline to landline, over the public switched telephone network — is generally considered HIPAA compliant. HIPAA was signed into law in 1996, when fax machines were a primary method of transmitting medical records between providers, insurers, and pharmacies. The Privacy Rule permits faxing PHI as long as reasonable safeguards are in place. HHS has explicitly acknowledged fax as an acceptable transmission method for protected health information.

But that answer only covers traditional fax. Online fax services, cloud fax platforms, and email-to-fax gateways are not the same thing. They route data over the internet, store documents on third-party servers, and introduce compliance requirements that most practices either do not know about or assume are already handled. They are not.

Why Traditional Fax Gets a Pass That Email Does Not

The distinction comes down to how the data travels.

Fax uses the PSTN (Public Switched Telephone Network). A traditional fax machine converts a document into audio tones and transmits them over a dedicated telephone circuit. The connection is point-to-point — from one phone line to another. Intercepting a fax transmission requires physically tapping the telephone line, which is far more difficult and far less scalable than intercepting email traffic.

Email travels over the open internet. An email passes through multiple servers, ISPs, and routing nodes between sender and recipient. At each hop, the message can be intercepted, logged, or stored. Without end-to-end encryption, email content is readable by any system that handles it in transit. TLS protects the connection between servers, but not the message itself once it reaches the destination.

This is why HHS treats fax and email differently. The transmission medium matters. Fax over PSTN carries inherently lower interception risk than email over the public internet.

That said, faxing is not risk-free. The compliance obligation does not disappear just because the transmission method is acceptable. The risks shift from interception to handling — misdials, unattended machines, missing logs, and lack of confirmation protocols. Those operational failures are where fax-related HIPAA violations actually occur.

Safeguards Required for HIPAA-Compliant Faxing

The HIPAA Security Rule requires reasonable safeguards for any method of transmitting PHI. For traditional fax, that means:

Verify the recipient fax number before sending. Misdials are the single most common cause of fax-related breaches. Sending a patient record to the wrong number is an unauthorized disclosure of PHI. Double-check the number. Every time.

Use a cover sheet with a confidentiality notice. Every fax containing PHI should include a cover page stating that the document contains confidential health information, is intended only for the named recipient, and should be destroyed if received in error. This does not prevent a breach, but it establishes that you took reasonable steps to protect the information.

Place fax machines in secure, non-public areas. A fax machine in a waiting room, shared hallway, or open reception desk is an access control failure. Incoming faxes containing PHI are visible to anyone who walks by. The machine should be in a staff-only area with restricted access.

Retrieve faxes promptly. PHI sitting in a fax tray is unattended PHI. Establish a workflow for checking the fax machine at regular intervals and retrieving documents immediately upon receipt.

Log all fax transmissions. Maintain a log that records the date, time, sender, recipient fax number, number of pages, and a description of the content. This log supports your audit trail and demonstrates compliance during an OCR investigation.

Pre-program frequently used numbers. Speed-dial entries for referring providers, labs, pharmacies, and insurers reduce the risk of misdials. Program them once, verify them, and use them consistently.

Confirm receipt of sensitive faxes. For high-sensitivity transmissions — mental health records, substance abuse records, HIV status — call the recipient to confirm the fax was received by the intended person. This is a reasonable safeguard that OCR expects.
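The safeguards above (verified, pre-programmed numbers; a transmission log with a fixed set of fields; call-back confirmation for high-sensitivity records) can be enforced in the software that fronts a fax workflow rather than left to memory. The following is an added example written for this article, not code from Patient Protect or any fax vendor. It assumes a small verified directory and North American 10-digit numbers; every name and number in it is a constructed sample value.

```python
"""Pre-send recipient check and transmission log for PHI faxes.

Added example (not from the article). It checks an entered number against a
verified directory, flags near-misses that look like single-digit misdials,
and records a log entry with the fields the article lists. All names and
numbers below are constructed sample values.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import re

# Constructed sample directory: verified, pre-programmed destinations only.
VERIFIED_DIRECTORY = {
    "Lakeside Pharmacy":     "+1 555 010 0101",
    "Dr. Rivera (referral)": "(555) 010-0202",
    "Regional Lab":          "555-010-0303",
}

# Content categories the article says warrant a call-back confirmation.
HIGH_SENSITIVITY = {"mental health", "substance abuse", "hiv"}


def normalize(number: str) -> str:
    """Reduce any formatting to a 10-digit number (assumption: NANP numbers only)."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit fax number: {number!r}")
    return digits


def check_recipient(entered: str, directory=VERIFIED_DIRECTORY) -> dict:
    """Return a dict whose "status" is "verified", "near_miss" or "unknown".

    "near_miss" means the entered number differs from a verified entry in
    exactly one digit, the classic single-wrong-digit misdial."""
    target = normalize(entered)
    normalized_dir = {name: normalize(num) for name, num in directory.items()}
    for name, num in normalized_dir.items():
        if num == target:
            return {"status": "verified", "recipient": name, "number": target}
    for name, num in normalized_dir.items():
        if sum(a != b for a, b in zip(num, target)) == 1:
            return {"status": "near_miss", "closest": name, "number": target}
    return {"status": "unknown", "number": target}


@dataclass
class FaxLogEntry:
    timestamp: str            # date and time of transmission (UTC)
    sender: str
    recipient_name: str
    recipient_number: str
    pages: int
    description: str
    receipt_confirmed: bool   # must be True for high-sensitivity content


FAX_LOG: list = []


def log_transmission(sender, entered_number, pages, description,
                     receipt_confirmed=False, directory=VERIFIED_DIRECTORY) -> FaxLogEntry:
    """Refuse to log (and, by policy, to send) unless the recipient is in the
    verified directory and high-sensitivity content has a confirmed receipt."""
    check = check_recipient(entered_number, directory)
    if check["status"] != "verified":
        raise PermissionError(f"recipient not verified: {check}")
    sensitive = any(tag in description.lower() for tag in HIGH_SENSITIVITY)
    if sensitive and not receipt_confirmed:
        raise PermissionError("high-sensitivity content requires receipt confirmation")
    entry = FaxLogEntry(datetime.now(timezone.utc).isoformat(timespec="seconds"),
                        sender, check["recipient"], check["number"], pages,
                        description, receipt_confirmed)
    FAX_LOG.append(entry)
    return entry


if __name__ == "__main__":
    # One digit off the pharmacy's number: flagged as a probable misdial.
    print(check_recipient("555-010-0103"))
    entry = log_transmission("front desk", "1-555-010-0202", 3, "Referral notes")
    print(asdict(entry))
```

The near-miss check is the part worth keeping even if the rest is replaced: a one-digit difference from a known-good number is exactly the error a speed-dial list is meant to prevent, and surfacing it before the send is cheaper than the breach notification afterwards.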

Online Fax Services — Where Compliance Gets Complicated

Services like eFax, RingCentral Fax, HelloFax, and Fax.Plus market themselves as modern replacements for physical fax machines. They are convenient, and many practices have adopted them without considering the compliance implications.

The critical difference: online fax services do not use the PSTN for transmission. They convert documents into digital files, route them over the internet, and deliver them through web portals, email inboxes, or mobile apps. The data passes through the service provider's servers, is stored on their infrastructure, and is accessible through their platform.

This means the fax service provider is a business associate under HIPAA. They are receiving, storing, and transmitting PHI on your behalf. The compliance requirements are substantial:

A signed BAA is mandatory. Before you send or receive a single fax containing PHI through an online fax service, you need a Business Associate Agreement with that provider. Not all online fax services will sign a BAA. If a service will not sign one, you cannot use it for PHI. Period.

Encryption in transit and at rest is required. The data is traveling over the internet, not the PSTN. It must be encrypted during transmission (TLS 1.2 or higher) and encrypted at rest on the provider's servers (AES-256 or equivalent).

Access controls and audit logging are required. The platform must support unique user credentials, role-based access, session timeouts, and audit logs that track who accessed which faxes and when.

Review the provider's data retention policy. Some online fax services store faxes on their servers indefinitely. Others retain them for 30, 60, or 90 days. You need to know where your PHI is stored, for how long, and what happens to it when the retention period ends. If the provider stores faxes indefinitely and you cancel your account, what happens to the PHI on their servers? If you cannot answer that question, you have a compliance gap.

Email-to-Fax Gateways — The Compliance Gap Practices Miss

Many practices send faxes by emailing a document to an address formatted as [faxnumber]@provider.com. The service receives the email, converts the attachment to fax format, and delivers it to the recipient's fax machine.

This workflow feels like faxing, but the first leg of the transmission is email. The document travels from your email server to the fax gateway's server over the internet, subject to all of the same interception risks as any other email. If your email is not encrypted, the "fax" you just sent was actually an unencrypted email with a fax delivery endpoint.

This creates a compliance exposure that most practices do not realize exists. They think they are faxing. They are emailing — with a fax step at the end. The email portion requires the same encryption, access control, and BAA requirements as any other email containing PHI.

If you use email-to-fax, verify that your email system encrypts messages in transit (TLS at minimum), that the fax gateway provider has a signed BAA with your practice, and that the gateway encrypts the email-to-fax conversion process end to end. If any of those elements are missing, the transmission is not compliant.
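The three conditions just listed (TLS on the email leg, a BAA with the gateway provider, encryption through the gateway) can be checked after the fact against outbound mail records, which is how a practice finds out whether staff have been "faxing" in the clear. The following is an added example written for this article, not code from any mail server or fax vendor. It assumes a constructed JSON-lines export of outbound mail events with the fields shown; a real mail server's log format differs and needs its own parser. The gateway domains and BAA list are also constructed.

```python
"""Detect unencrypted or un-BAA'd email-to-fax sends in an outbound mail log.

Added example (not from the article). Assumes a constructed JSON-lines export
of outbound mail events; domains, addresses and events are sample values.
"""
import json
import re

# Constructed: fax gateway domains with which the practice holds an executed BAA.
BAA_GATEWAYS = {"fax.example-gateway.test"}

# Constructed: every domain that turns an e-mail into a fax (address = number@domain).
FAX_GATEWAY_DOMAINS = BAA_GATEWAYS | {"freefax.example.test"}

MIN_TLS = (1, 2)   # the article's floor for the email leg

# Constructed sample log: one outbound mail event per line.
SAMPLE_LOG = """
{"ts": "2026-04-15T14:02:11Z", "from": "frontdesk@clinic.test", "to": "15550100101@fax.example-gateway.test", "tls": "TLSv1.3", "subject": "Referral"}
{"ts": "2026-04-15T14:05:40Z", "from": "billing@clinic.test", "to": "15550100202@fax.example-gateway.test", "tls": null, "subject": "Claim attachment"}
{"ts": "2026-04-15T14:07:03Z", "from": "nurse@clinic.test", "to": "15550100303@freefax.example.test", "tls": "TLSv1.2", "subject": "Lab order"}
{"ts": "2026-04-15T14:09:55Z", "from": "frontdesk@clinic.test", "to": "15550100404@fax.example-gateway.test", "tls": "TLSv1.0", "subject": "Records"}
{"ts": "2026-04-15T14:11:20Z", "from": "frontdesk@clinic.test", "to": "colleague@otherclinic.test", "tls": null, "subject": "Lunch"}
"""

# An email-to-fax address is a run of digits at the gateway domain.
FAX_ADDR = re.compile(r"^\+?\d{7,15}@([^@]+)$")


def tls_version(label):
    """Parse 'TLSv1.2' style labels into a comparable (major, minor) tuple."""
    if not label:
        return None
    m = re.match(r"TLSv(\d+)\.(\d+)", label)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(log_text: str) -> list:
    """Return one finding per email-to-fax event that fails a check.

    Checks follow the article: the email leg must carry TLS 1.2 or higher,
    and the gateway provider must be covered by a signed BAA."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        m = FAX_ADDR.match(ev["to"])
        if not m or m.group(1).lower() not in FAX_GATEWAY_DOMAINS:
            continue                       # ordinary mail, not an email-to-fax send
        domain = m.group(1).lower()
        reasons = []
        ver = tls_version(ev.get("tls"))
        if ver is None:
            reasons.append("no_tls")       # the email leg left the practice in the clear
        elif ver < MIN_TLS:
            reasons.append("weak_tls")
        if domain not in BAA_GATEWAYS:
            reasons.append("no_baa")       # PHI handed to a provider without a BAA
        if reasons:
            findings.append({"ts": ev["ts"], "from": ev["from"],
                             "to": ev["to"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["ts"], f["from"], "->", f["to"], ", ".join(f["reasons"]))
```

Run against the sample, the audit flags the claim attachment (no TLS at all), the lab order (TLS was fine, but the free gateway has no BAA) and the records fax (TLS 1.0 is below the floor), and ignores the ordinary message to a colleague. The last check the article names, encryption inside the gateway's own conversion step, is not visible from the sender's mail log and has to be confirmed with the provider directly.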

Common Faxing Mistakes That Create Compliance Risk

Faxing to the wrong number. Misdials are the number one cause of fax-related HIPAA breaches. A single wrong digit sends a patient's medical record to an unknown third party. This is a reportable breach.

Using online fax without a BAA. The service provider is handling PHI. Without a BAA, you have no contractual assurance that they will protect it, and no legal recourse if they do not.

Leaving faxes unattended in public areas. A fax machine in a shared space with incoming PHI visible to patients, vendors, or unauthorized staff is a physical safeguard failure.

Not logging fax transmissions. Without a log, you cannot demonstrate to OCR that you have reasonable safeguards in place. You also cannot identify the scope of a breach if one occurs.

Assuming cloud fax has the same HIPAA status as analog fax. It does not. Cloud fax is internet-based communication. It requires BAAs, encryption, access controls, and audit logging — none of which apply to a traditional fax machine connected to a phone line.

Using email-to-fax without addressing the email encryption gap. If the email leg of the transmission is unencrypted, the fact that it ends up as a fax does not retroactively protect the data that was exposed in transit.

Where Faxing Fits in Your Compliance Program

Faxing is one communication channel in your practice. It is not your compliance program, and it is not a substitute for one.

Your compliance program should include policies governing when faxing is appropriate, who is authorized to send and receive faxes containing PHI, and what safeguards are required for each transmission method your practice uses — fax, email, secure messaging, patient portals, and file transfer.

Consider whether faxing is actually necessary for each use case. Secure messaging platforms with encryption, access controls, and audit logging built in may be a better option for many of the workflows that practices still handle by fax. The persistence of fax in healthcare is partly cultural and partly because some payers and systems still require it. Where it is required, comply. Where it is optional, evaluate whether a more secure alternative exists.

Patient Protect tracks your full compliance posture — communication channels, vendor BAAs, data flows, and safeguards — so that faxing compliance is not a standalone concern but part of a managed program.

Frequently Asked Questions

Is faxing PHI a HIPAA violation?

No. Faxing PHI is permitted under HIPAA as long as reasonable safeguards are in place. The violation is not in faxing itself — it is in faxing without safeguards, faxing to the wrong recipient, or using an online fax service without a BAA and encryption.

Do I need a BAA with my fax service?

If you use an online or cloud-based fax service, yes. The service provider receives, stores, and transmits PHI on your behalf, making them a business associate under HIPAA. A signed BAA is required before transmitting any PHI through their platform. If you use a traditional fax machine connected to a phone line, no BAA is needed for the telephone carrier — the PSTN is not considered a business associate.

Is eFax HIPAA compliant?

eFax offers a HIPAA-compliant plan (eFax Corporate) that includes a signed BAA, encryption, and administrative controls. The standard consumer eFax plans do not include a BAA and are not suitable for transmitting PHI. If you are using eFax, verify that you are on the corporate plan and that a BAA has been executed.

Can I fax patient records to another provider?

Yes. Faxing patient records to another healthcare provider for treatment purposes is permitted under the HIPAA Privacy Rule's Treatment, Payment, and Health Care Operations (TPO) exception. You do not need patient authorization to send records to a treating provider. You do need to verify the recipient's fax number, use a cover sheet, and follow all applicable safeguards.

Is cloud fax more secure than traditional fax?

Not necessarily. Cloud fax offers convenience — access from any device, digital storage, searchable archives — but it also introduces internet-based transmission, third-party server storage, and access control requirements that traditional fax does not have. A properly configured cloud fax service with a BAA, encryption, and access controls can be secure. A misconfigured one, or one without a BAA, is less secure than a traditional fax machine in a locked office.
