Faxing is HIPAA compliant. The HIPAA Privacy Rule explicitly permits healthcare providers to send protected health information (PHI) by fax for treatment, payment, and healthcare operations. But the fax itself is only the transmission method. Compliance depends on the safeguards your organization puts around it.
What HIPAA Actually Says About Faxing
HIPAA does not ban any specific communication technology. The Privacy Rule allows covered entities to disclose PHI to another healthcare provider for treatment purposes by fax or other means. A valid, signed authorization can even be received by fax and used to justify a disclosure. The law is technology-neutral: it cares about whether you protect the information, not which wire it travels over.
That said, HIPAA requires “reasonable and appropriate” administrative, technical, and physical safeguards for any PHI disclosure, including fax. The Office for Civil Rights, which enforces HIPAA, has cited examples of what reasonable safeguards look like for faxing: confirming the recipient’s fax number before sending, periodically auditing pre-programmed numbers for accuracy, and placing the fax machine in a secure location where unauthorized people can’t see incoming documents.
Traditional Fax vs. Cloud Fax
Traditional analog fax machines send data over the public switched telephone network (PSTN), the same copper phone lines that have carried voice calls for decades. This signal is not encrypted. Someone with physical access to the phone line could intercept and read the transmission. In practice, that kind of attack is rare because it requires tapping a specific line at the right moment, but the vulnerability exists. Analog fax systems are generally less exposed to the remote hacking and malware risks that plague internet-connected systems, but they offer no encryption protection.
Cloud-based or online fax services route documents over the internet instead. Because the data travels digitally, HIPAA’s Security Rule applies more directly, and encryption becomes essential. A compliant cloud fax service should encrypt data in transit using TLS 1.2 or higher and encrypt stored faxes on its servers using AES-256 or an equivalent standard. If a cloud fax provider stores your faxes unencrypted on a server, that’s a compliance gap regardless of how convenient the service is.
For most healthcare organizations today, cloud fax offers stronger security than a traditional machine sitting in a hallway, provided the service meets encryption standards and you have the right legal agreement in place.
Business Associate Agreements for Fax Services
If you use a third-party cloud fax service to send or receive PHI, that vendor is a business associate under HIPAA. You need a signed Business Associate Agreement (BAA) before any PHI flows through their system. This is not optional and not a formality.
A BAA must spell out several key protections. The vendor can only use PHI in ways the contract permits. They must implement appropriate safeguards, including the Security Rule’s requirements for electronic PHI. They are required to report any unauthorized disclosure or breach of unsecured PHI back to your organization. At the end of the contract, they must return or destroy all PHI they received or created on your behalf. And if they use subcontractors who will touch PHI, those subcontractors must agree to the same restrictions.
The contract must also give your organization the right to terminate the agreement if the vendor violates its terms. If a fax service won’t sign a BAA, that’s a clear sign you cannot use it for PHI.
Physical Safeguards for Fax Machines
Traditional fax machines print incoming documents automatically, which means PHI can sit in an output tray visible to anyone walking by. HIPAA’s physical safeguard requirements address this directly.
Fax machines that routinely receive PHI should be placed in secure, non-public areas. Locations like primary hallways, waiting rooms, conference rooms, and elevator lobbies are inappropriate. Semi-public areas, such as clinic hallways or administrative buildings with minimal patient traffic, can work if patients and visitors in those spaces are always accompanied by staff.
Machines that receive faxes outside of regular business hours need extra consideration. If a fax arrives overnight, the printed document could sit exposed for hours. These machines should be located inside a room that is routinely locked when staff aren’t present. Cloud fax services sidestep this problem entirely because incoming faxes go to a secure digital inbox rather than a paper tray.
Cover Sheets and Confidentiality Notices
Every fax containing PHI should include a cover sheet with a confidentiality notice. This isn’t just good practice. Many institutional HIPAA policies require it as a standard safeguard. The notice typically states that the fax contains privileged, confidential information intended only for the named recipient, and that anyone who receives it in error should not disseminate, distribute, or copy it.
The cover sheet should also clearly identify the intended recipient so that if the fax lands on the wrong machine, whoever picks it up knows immediately that it wasn’t meant for them. While a confidentiality notice doesn’t legally prevent misuse, it establishes that your organization took reasonable steps to protect the information, which matters if a misdirected fax ever triggers a breach investigation.
Common Compliance Mistakes
Most fax-related HIPAA violations come down to carelessness rather than technology failures. The biggest risk is sending PHI to the wrong number. A single transposed digit routes a patient’s medical records to a stranger. Confirming the fax number before every transmission, or verifying pre-programmed numbers on a regular schedule, prevents this.
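One way to implement the two safeguards just described, confirming the destination before each transmission and re-verifying pre-programmed numbers on a schedule (also recommended in the section on what HIPAA says), is a small pre-send gate that checks the dialed number against a verified directory and flags the transposed-digit misdial the paragraph warns about. This is an added example in Python, not code from the article; the directory, the 180-day re-verification interval and the numbers are constructed assumptions.

```python
"""Pre-transmission fax destination check (added example, constructed data)."""
import re
from datetime import date, timedelta

# Constructed sample directory of verified fax destinations (hypothetical values).
VERIFIED_DIRECTORY = {
    "+15555550123": {"name": "Example Referral Lab", "last_verified": date(2024, 1, 10)},
    "+15555550199": {"name": "Example Cardiology", "last_verified": date(2023, 6, 1)},
}
# Assumed policy: a pre-programmed number must be re-confirmed every 180 days.
REVERIFY_AFTER = timedelta(days=180)


def normalize(number: str) -> str:
    """Strip formatting and return an E.164-style string; assumes US if 10 digits."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def is_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by one swap of adjacent digits."""
    if len(a) != len(b):
        return False
    diffs = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def check_destination(dialed: str, today: date = None) -> dict:
    """Return allow/deny plus the reason, so the sender can act before dialing."""
    today = today or date.today()
    num = normalize(dialed)
    entry = VERIFIED_DIRECTORY.get(num)
    if entry:
        stale = today - entry["last_verified"] > REVERIFY_AFTER
        return {"allow": not stale, "number": num, "recipient": entry["name"],
                "reason": "stale" if stale else "verified"}
    # Not in the directory: look for a one-swap near miss against a known number.
    near = [k for k in VERIFIED_DIRECTORY if is_transposition(num, k)]
    reason = f"possible transposition of {near[0]}" if near else "not in verified directory"
    return {"allow": False, "number": num, "recipient": None, "reason": reason}
```

A denied result with a "stale" reason is the cue to re-confirm the pre-programmed number with the recipient rather than to override the check.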
Other common mistakes include leaving received faxes sitting in open trays where unauthorized staff or patients can see them, failing to get a BAA from a cloud fax provider, and faxing more information than necessary. HIPAA’s minimum necessary standard applies here: if a referring physician needs a patient’s lab results, you should send the lab results, not the entire medical record.
Organizations that still rely on analog fax should also consider whether the volume and sensitivity of what they’re sending justifies upgrading to an encrypted cloud service. An occasional fax to a known recipient’s verified number carries different risk than transmitting hundreds of patient records daily over unencrypted phone lines.