Faxing can be HIPAA compliant — but only when done through a secure cloud fax service that signs a Business Associate Agreement (BAA) and encrypts transmissions. Traditional analog fax machines, consumer internet fax services, and free online fax tools are not HIPAA compliant. Using a non-compliant fax method to transmit protected health information (PHI) is a direct HIPAA violation under 45 CFR Part 164, with civil penalties that vary based on culpability and are adjusted periodically by HHS for inflation (under the most recent HHS final rule published January 2026, the annual cap for a single tier of identical violations reaches $2,190,294, with a minimum penalty of $145 per violation).

Is Faxing HIPAA Compliant?

Faxing occupies a unique place in healthcare — it remains one of the most widely used methods for transmitting clinical documents, referrals, lab results, and prescriptions. Despite the rise of electronic health records, fax is still standard practice in most healthcare settings.

But not all faxing is created equal under HIPAA.

🔄 Rotate your phone for a better view of the comparison table.
Fax Method HIPAA Compliant? BAA Available? Verdict
HIPAA Vault Fax Service Yes Yes Use for all PHI transmissions
Traditional analog fax machine Conditional Rarely Risky — requires strict physical safeguards
Internet fax (eFax, MyFax, etc. — paid) Conditional Some offer BAA Verify BAA availability before use
Free online fax services No No Do not use for PHI
Email-to-fax without encryption No No Do not use for PHI
Consumer fax apps No No Do not use for PHI

Secure Cloud Faxing: Integrated with Office 365 & EHR

Eliminate manual fax machines. Send encrypted documents, get proof of delivery, and maintain HIPAA audit logs automatically.

Learn More

Why Fax Is Still Widely Used in Healthcare

Despite being decades-old technology, fax persists in healthcare for practical reasons: it creates a paper trail, is universally compatible across facilities regardless of EHR system, and has legal acceptance for document transmission. Many payers, pharmacies, and referral networks still require fax as a primary communication channel.

The challenge is that the way most practices fax — using traditional machines or unmanaged internet fax services — creates significant HIPAA exposure.


Need a HIPAA compliant fax solution for your practice? HIPAA Vault offers cloud faxing built for healthcare — BAA included, encryption built in, starting at $9.95/month. Port your existing number.

See plans →


Don't wait until it's too late. Download our free HIPAA Compliance Checklist and make sure your organization is protected.

What Makes a Fax Service HIPAA Compliant?

A HIPAA compliant fax service must meet the following requirements:

  1. Signed Business Associate Agreement (BAA) — the legal foundation; without it, no fax service qualifies regardless of security features
  2. Encryption in transit — electronic fax providers should encrypt PHI in transit to satisfy HIPAA Security Rule requirements and industry best practices; encryption is an addressable implementation specification under the Security Rule
  3. Encryption at rest — stored fax documents should be encrypted on the server; under the HITECH Act Safe Harbor, properly encrypted data using NIST-approved standards (such as AES-256) may not require breach notification if intercepted, provided the encryption key is not compromised
  4. Access controls — only authorized users should be able to send, receive, or view faxes
  5. Audit logging — records of who sent and received what, and when
  6. Secure delivery confirmation — proof of transmission for compliance documentation
  7. Data retention policies — fax records must be retained in accordance with applicable requirements
  8. Redundant infrastructure — uptime guarantees to ensure continuity of care communications

Traditional Fax Machines and HIPAA

Traditional fax machines can be HIPAA compliant — but doing so depends on implementing appropriate administrative, physical, and technical safeguards that most practices find difficult to maintain consistently.

For a traditional fax machine to be used compliantly:

  • The machine must be located in a secure, access-controlled area
  • Incoming faxes must not sit unattended in an output tray where unauthorized staff could view them
  • Transmission logs must be maintained
  • The phone line must be dedicated and secured
  • Misdirected faxes must be documented and reported as potential breaches
  • While traditional landline carriers fall under HIPAA’s Conduit Exception Rule — meaning they are treated as mere conduits (like the postal service) and do not require a BAA — they provide no encryption, audit logging, or access controls. Internet-based cloud fax providers, by contrast, store and process fax data, making them Business Associates under HIPAA and requiring a signed BAA

In practice, traditional fax machines in busy clinical environments are difficult to control. A misdirected fax containing PHI is a reportable breach under the HIPAA Breach Notification Rule. Cloud fax significantly reduces many of these common compliance risks by design.


Is eFax HIPAA Compliant?

eFax — and similar internet fax services like MyFax, RingCentral Fax, and Sfax — can be HIPAA compliant on their business plans, but only if:

  • The provider signs a BAA
  • Transmissions are encrypted
  • The account is properly configured for healthcare use

Not all plans from these providers include a BAA. Always verify BAA availability before using any internet fax service for PHI. Free tiers and consumer plans do not qualify.

Additionally, some internet fax services route transmissions through standard email infrastructure without adequate encryption — which creates a compliance gap even if a BAA is in place. Always ask specifically how transmissions are encrypted end-to-end.


HIPAA Vault Fax: Cloud Faxing Built for Healthcare Practitioners

HIPAA Vault’s HIPAA Fax service is built specifically for healthcare providers — with a signed BAA, encrypted transmissions, delivery confirmation, and an audit trail included on every plan. Port your existing fax number and send directly from Microsoft Office, your EHR, or any device.

Key capabilities include:

  • HIPAA-compliant faxing with signed BAA
  • Encrypted transmissions with proof of delivery to your email
  • Detailed audit logging that supports HIPAA Security Rule audit control requirements
  • Customized cover pages generated on demand
  • Direct faxing from Microsoft Office or Office 365
  • Receive faxes directly within your EHR — no printing or scanning
  • High-volume and time-sensitive fax support
  • U.S.-based premium support and 30-day money-back guarantee

Why Cloud Fax Beats Traditional Fax for HIPAA

HIPAA Vault’s cloud fax solution eliminates the inefficiencies and compliance risks of traditional fax machines. Your sensitive documents are encrypted to create a secure transmission, a customizable cover page is generated on demand, and you receive a confirmation email as soon as your fax is successfully delivered. Faxes can also be received directly from within your EHR — all without retrieving, printing, or scanning.


Ready to replace your fax machine with a compliant cloud solution? HIPAA Vault’s HIPAA Fax plans start at $9.95/month with no contracts — BAA included, 30-day money-back guarantee.

View plans →  |  Contact Us


How to Send a Confidential Fax Under HIPAA

Whether you are using a cloud fax service or a traditional machine, the following practices apply:

  1. Verify the recipient’s fax number before every transmission — misdirected faxes are one of the most common sources of PHI breaches
  2. Use a HIPAA-compliant cover page — include a confidentiality notice stating the fax contains PHI and instructions for the recipient if received in error
  3. Confirm receipt — obtain delivery confirmation for sensitive transmissions
  4. Document the transmission — maintain a log of faxes sent and received including date, time, recipient, and content description
  5. Report misdirected faxes — a fax sent to the wrong recipient containing PHI is a reportable breach under the HIPAA Breach Notification Rule
  6. Never use a shared or unsecured fax machine — in shared office buildings or public spaces, fax machines visible to others create PHI exposure risk

HIPAA Fax Cover Page Requirements

HIPAA does not mandate a specific cover page format, but best practice requires that every fax containing PHI include:

  • Confidentiality notice — stating the communication contains protected health information
  • Misdirection instructions — what to do if received in error (destroy, notify sender, do not copy or distribute)
  • Sender contact information — name, organization, phone number
  • Recipient information — name, organization, fax number
  • Number of pages — including the cover page
  • Date and time of transmission

A well-constructed cover page also serves as documentation in the event of a breach investigation.


There Is No Special HIPAA Exemption for Fax

A common misconception in healthcare is that fax has a special “safe harbor” under HIPAA — that it is inherently more compliant or exempt from certain requirements. This is not accurate.

There is no special HIPAA exemption for fax communications. Fax transmissions containing PHI must comply with the Privacy Rule, the Security Rule (when electronic PHI is involved), and the Breach Notification Rule — just like any other communication method.

What does exist under the HITECH Act is an encryption safe harbor that applies to all PHI — not just fax. If PHI is properly encrypted at rest and in transit using NIST-approved standards (such as AES-256), and the encryption key is not compromised, a breach notification is generally not required if the data is intercepted. This safe harbor applies to cloud fax services that implement proper encryption — not to traditional unencrypted analog fax.

The practical takeaway: the method of transmission (fax, email, messaging) matters less than whether PHI is encrypted, access-controlled, audited, and covered by a signed BAA.


Frequently Asked Questions


This article is educational and does not constitute legal advice. Consult a qualified HIPAA compliance attorney for guidance specific to your organization. HIPAA Vault provides HIPAA-compliant cloud fax, hosting, and security services for healthcare organizations on U.S.-based private servers.