Is Faxing HIPAA Compliant? What Safeguards Clinics Need
TLDR
Traditional analog fax is generally HIPAA compliant when the right physical safeguards are in place: secure machine location, cover sheets, correct number verification, and immediate retrieval of incoming faxes. Internet/digital fax requires a signed BAA with your fax service provider. Fax has persisted in healthcare specifically because its point-to-point transmission model is simpler to audit than email.
The short answer
Traditional analog fax is generally HIPAA compliant. HHS has consistently treated fax as an acceptable method for transmitting PHI when physical safeguards are in place. Fax does not require a BAA with your telephone provider.
Internet fax is a different situation. Services that convert fax to digital files and route them over the internet need a signed BAA from the provider before you use them for PHI.
Why fax is still in healthcare
Fax has been the subject of jokes about healthcare’s technology lag for two decades. The reason it persists is not inertia. It is the transmission model.
When your clinic sends a fax over a standard phone line, the document travels point-to-point between your machine and the recipient’s machine. Nothing sits on an intermediate server. There is no cloud storage. The carrier does not retain the content. The audit trail is straightforward: your fax log records the number dialed, transmission time, and confirmation code.
Email is harder to audit. A message from your clinic to a referring physician passes through your email server, your email provider’s infrastructure, the internet, the recipient’s email provider, and then their server. Each hop is a potential breach point and a potential BAA requirement.
CMS and major payers also still require fax for specific workflows: prior authorization requests, referral documentation, and certain claims processes. As long as payer requirements include fax, clinics will keep fax machines.
Required safeguards for HIPAA-compliant faxing
HHS has published guidance on fax safeguards. These are not suggestions. They are the practices that determine whether a fax-related breach is treated as a HIPAA violation.
Fax machines must be in secure areas. A machine sitting in open reception, visible and accessible to patients and visitors, is a physical safeguard failure. Put it behind the front desk or in a staff-only area.
Verify the recipient’s fax number before sending any PHI. Sending to a wrong number is the most common fax-related HIPAA violation. For frequently used numbers, keep a verified directory. For new recipients, call to confirm the number before transmitting.
Every fax containing PHI needs a cover sheet with a HIPAA confidentiality notice, the intended recipient’s name, and instructions for the recipient if they receive it in error.
Incoming faxes should not sit in an output tray where any passing staff member or visitor can read them. Designate someone to retrieve and distribute incoming faxes promptly.
Maintain a transmission log recording the date, time, recipient number, page count, and confirmation status for each outgoing fax. These logs satisfy HIPAA’s audit control requirements.
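As an added example (not code from the article or from PHIGuard), the number-verification and transmission-log safeguards above expressed as a small Python control: a send is refused unless the dialed number matches the verified directory entry for that recipient, each send records the audit fields listed above, and an audit pass flags entries a reviewer would question. The directory entries and fax numbers are constructed placeholders.

```python
"""Outgoing-fax safeguard helpers: verified-directory check, transmission log, audit.
Added example; the directory, recipients and numbers below are constructed placeholders."""
from datetime import datetime, timezone
from typing import Optional
import re

# Constructed verified directory: each number was confirmed by phone before being
# added, per the safeguard above. Keys are recipients, values are E.164 numbers.
VERIFIED_DIRECTORY = {
    "Example Referral Clinic": "+15555550101",
    "Example Payer Prior Auth": "+15555550199",
}

def normalize(number: str) -> str:
    """Canonicalize '(555) 555-0101', '555.555.0101' or '+1 555 555 0101' to E.164."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:          # assumption: bare 10-digit input is a US number
        digits = "1" + digits
    return "+" + digits

def number_is_verified(recipient: str, number: str) -> bool:
    """True only if the dialed number matches the directory entry for this recipient."""
    return VERIFIED_DIRECTORY.get(recipient) == normalize(number)

def log_transmission(log: list, recipient: str, number: str, pages: int,
                     confirmed: bool, when: Optional[datetime] = None) -> dict:
    """Refuse unverified numbers; otherwise append an entry with the required audit fields."""
    if not number_is_verified(recipient, number):
        raise ValueError(f"refusing to fax PHI: {number!r} is not the verified number for {recipient!r}")
    entry = {
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),  # date and time
        "recipient": recipient,
        "number": normalize(number),   # recipient number as dialed, canonical form
        "pages": pages,                # page count
        "confirmed": confirmed,        # confirmation status from the fax log
    }
    log.append(entry)
    return entry

def audit_log(log: list) -> list:
    """Flag entries a reviewer would question: unconfirmed sends, numbers not in the directory."""
    findings = []
    for i, e in enumerate(log):
        if not e["confirmed"]:
            findings.append((i, "no transmission confirmation recorded"))
        if not number_is_verified(e["recipient"], e["number"]):
            findings.append((i, "number not in verified directory"))
    return findings
```

In practice the log would be persisted (append-only file or database) rather than kept in a list, and the directory maintained by the person who confirms numbers by phone.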
Internet fax: a different compliance question
Digital fax services work differently. When you send a fax through eFax or a similar service, your document is uploaded to their servers, converted to digital format, and transmitted over the internet. The content touches their infrastructure.
That makes them a business associate under HIPAA. You need a signed BAA before using any internet fax service for PHI.
Not all internet fax providers offer BAAs. Before selecting a service, confirm BAA availability directly. Providers that advertise HIPAA compliance and offer BAAs include Sfax, eFax Corporate, and RingCentral Fax (on business plans). Consumer-grade fax services typically do not offer BAAs.
If your current internet fax service does not offer a BAA, stop using it for PHI immediately and request a BAA or switch providers.
Where fax fits in the broader compliance picture
Fax handles document transmission. It does not handle what happens after the fax arrives.
A prior authorization request comes in by fax. Someone needs to process it, track the follow-up, communicate with the payer, and document the outcome. That workflow, the task coordination that follows the fax, is where many small clinics run into compliance gaps.
PHIGuard covers that coordination layer. When a fax triggers a follow-up task, PHIGuard provides a structured way to assign it, track completion, and maintain a record of who did what. It does not replace fax. It handles the work that starts after the fax arrives. BAA included at every pricing tier starting at $20/month for up to 10 staff.
Definitions
Point-to-Point Transmission: A communication method where data travels directly from sender to recipient without being stored on intermediate servers. Traditional analog fax uses point-to-point transmission over the public switched telephone network.
Internet Fax: A fax service that converts documents to digital files and transmits them over the internet rather than over telephone lines. Services like eFax, RingCentral Fax, and Sfax fall into this category. Internet fax requires a BAA with the provider for HIPAA compliance.
HIPAA Cover Sheet: A cover page sent with fax transmissions containing PHI that includes a confidentiality notice, the intended recipient's name and number, and return instructions if the fax is received in error. HHS recommends cover sheets on all PHI faxes.
Q&A
Q: Is faxing HIPAA compliant?
A: Traditional analog fax is generally HIPAA compliant when physical safeguards are followed: secure machine placement, cover sheets, number verification before transmission, immediate retrieval of incoming faxes, and transmission logs. Internet fax requires a BAA with the service provider.
Q: What safeguards does a clinic need for HIPAA-compliant faxing?
A: Fax machines should be in secure areas away from open reception. Staff should verify fax numbers before sending. All outgoing PHI faxes need a HIPAA cover sheet. Incoming faxes must be retrieved promptly. The practice should maintain a fax log for audit purposes.
Q: Why has fax survived in healthcare when email is more convenient?
A: Traditional fax transmits directly between two machines without intermediate server storage. This makes the transmission path easier to control and audit. CMS and many insurance carriers also require fax for specific authorization and referral workflows, keeping fax machines in service regardless of preference.