What Is HIPAA Fax? — Definition, Requirements, and Compliant Faxing

HIPAA fax means fax transmission that satisfies the security and privacy requirements of the Health Insurance Portability and Accountability Act when the content includes Protected Health Information (PHI). PHI is any individually identifiable health data: patient names with diagnoses, medical record numbers, billing information, lab results, prescriptions. If your fax contains any of it, HIPAA rules apply.

The problem with standard fax – whether old analog machines or most internet fax services – is that they weren’t designed with HIPAA compliance in mind. The transmission may not be encrypted, access controls are usually nonexistent, and there’s no audit trail showing who sent what to whom and when. All three are HIPAA requirements.

How HIPAA-Compliant Faxing Works

A HIPAA-compliant fax solution addresses the gaps that standard faxing leaves open. Here’s what the technical stack actually looks like:

Transmission encryption is the starting point. Faxes sent as T.38 over SIP are carried as digital data packets rather than analog signals, and when the SIP session and the T.38 media run over TLS or an equivalent encrypted transport (plain T.38 over UDP is not encrypted by itself), the content isn’t readable if intercepted in transit. At rest, PHI stored on fax servers must be encrypted as well.

Access controls mean only authorized users can send, view, or retrieve faxes containing PHI. This requires authenticated login, role-based permissions, and ideally multi-factor authentication for any user who handles health records.

Audit logging means the system records every send, receive, forward, and deletion with timestamps and user identifiers. If you get audited by HHS, you need to be able to show exactly who accessed what and when.

The final piece is a Business Associate Agreement (BAA). Any third-party fax provider handling your PHI is legally a Business Associate under HIPAA. They must sign a BAA agreeing to safeguard the data. Without a signed BAA, using the service for PHI transmission is a HIPAA violation regardless of how secure the technology is.

HIPAA Fax Requirements at a Glance

  • Encryption in transit – T.38 over TLS or equivalent; no unencrypted transmission of PHI.
  • Encryption at rest – stored faxes (image files, PDFs, TIFF) encrypted on the server.
  • Access controls – role-based permissions; only authorized staff can view or send PHI faxes.
  • Audit trails – immutable logs of all fax activity with timestamps and user IDs.
  • Business Associate Agreement – signed BAA with any fax vendor or cloud provider touching your PHI.
  • Transmission verification – confirmation that the fax reached the intended recipient.
  • Misdirect procedures – documented process for handling faxes sent to wrong numbers.
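As an added illustration of the audit-trail requirement (send, receive, forward and delete events with timestamps and user IDs, kept immutable), and not code from ICTFax or from this page: a hash-chained, append-only audit log in Python in which every record is bound to its predecessor, so that editing or deleting an earlier record is detected on verification. Record field names and the action vocabulary are assumptions; the log stores only fax identifiers and metadata, never the fax content.

```python
import hashlib
import json
from datetime import datetime, timezone

# Value used as the "previous hash" of the very first record in the chain.
GENESIS_HASH = "0" * 64
# Assumed set of auditable fax actions (not ICTFax's own vocabulary).
ACTIONS = {"send", "receive", "view", "forward", "delete"}


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON form of every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class FaxAuditLog:
    """Append-only, hash-chained log of fax events: who did what, to which fax, when."""

    def __init__(self):
        self.records = []

    def append(self, user_id, action, fax_id, remote_number=None, at=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown fax action: {action}")
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        record = {
            "seq": len(self.records),
            "ts": (at or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,
            "action": action,
            "fax_id": fax_id,            # identifier only; PHI never goes into the log
            "remote_number": remote_number,  # counterpart number for send/receive/forward
            "prev_hash": prev_hash,      # links this record to the one before it
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, seq of first bad record)."""
        prev_hash = GENESIS_HASH
        for rec in self.records:
            if rec["prev_hash"] != prev_hash or _digest(rec) != rec["hash"]:
                return False, rec["seq"]
            prev_hash = rec["hash"]
        return True, None

    def history(self, fax_id):
        """Answer the auditor's question 'who accessed this fax and when'."""
        return [(r["ts"], r["user_id"], r["action"])
                for r in self.records if r["fax_id"] == fax_id]
```

In production the chain head (latest hash) should also be written somewhere the application account cannot alter, such as a write-once store or a periodic signed checkpoint, so that wholesale replacement of the log is detected too.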

HIPAA Fax vs Standard Fax

Standard fax services (both traditional and most internet fax apps) fall short on multiple fronts. Consumer fax apps typically store your documents on shared servers with no PHI-specific handling. There’s no BAA offered. Audit logging is minimal or nonexistent. And the PSTN transmission path for analog faxing has no encryption whatsoever.

The gap between compliant and non-compliant faxing is real. OCR (Office for Civil Rights) HIPAA enforcement actions have included fax-related violations: wrong-number transmissions of PHI, staff using personal fax services for patient records, and complete absence of access controls on shared fax machines.

HIPAA fax solutions like ICTFax build the compliance requirements into the platform design rather than bolting them on afterward. The difference shows in the audit trails, the encryption defaults, and the access control granularity.

Who Needs HIPAA-Compliant Fax

Any Covered Entity under HIPAA that transmits PHI by fax needs a compliant solution. That includes hospitals, medical practices, dental offices, pharmacies, labs, and health insurance companies. Their Business Associates – billing companies, transcription services, referring physicians, and any other third party handling PHI on their behalf – are also bound by the same rules.

Healthcare organizations that haven’t reviewed their fax infrastructure are often surprised to find that a shared fax machine in the office or a consumer-grade internet fax account doesn’t meet the standard. The HIPAA-compliant fax landscape ranges from expensive hosted services to self-hosted open source options that give you full control over your data.

Frequently Asked Questions

Is regular fax HIPAA compliant?

Standard analog fax transmission is not HIPAA compliant on its own. The PSTN fax signal is unencrypted, there are no access controls, and there’s no audit trail. However, fax is still permitted under HIPAA if you implement the required safeguards around it: physical security of receiving machines, access controls for retrieval, secure disposal of printed PHI, and staff training on misdirect procedures.

What is a BAA and why does faxing PHI require one?

A Business Associate Agreement is a legal contract between a HIPAA Covered Entity and a third party (Business Associate) that handles PHI. Any fax service, cloud storage provider, or technology vendor that processes your patients’ health information must sign a BAA agreeing to protect that data. Using a fax service without a BAA to send PHI is a direct HIPAA violation, even if the technology is secure.

Can I use email instead of fax for PHI?

Yes, but email for PHI has its own HIPAA requirements: end-to-end encryption, access controls, and audit logging. Standard email (Gmail, Outlook without additional encryption) doesn’t meet HIPAA standards for PHI transmission. Some organizations prefer secure messaging platforms over either fax or email for PHI exchange. The right choice depends on what your trading partners can receive.

How is T.38 fax different from analog fax?

T.38 is the ITU standard for fax-over-IP (FoIP). It converts the fax signal to digital data packets transmitted over IP networks, then reconstructs the fax at the receiving end. When T.38 runs over TLS/SRTP, the transmission is encrypted – which analog PSTN faxing cannot offer. T.38 also has better reliability on international calls and scales more easily than analog lines.

Does ICTFax include a BAA for healthcare customers?

ICTFax is self-hosted software, meaning you run it on your own server infrastructure. Since the data never leaves your control, the typical cloud BAA requirement doesn’t apply in the same way. You would need BAAs with your SIP trunk provider and any cloud infrastructure provider (AWS, Azure, etc.) where you host the server. ICTFax includes encryption, access controls, and audit logging to satisfy the technical HIPAA safeguards.

ICTFax is a HIPAA-capable open source fax server that includes T.38 encryption, role-based access controls, and complete audit logging. You deploy it on your own servers, keeping PHI under your control. Learn more about ICTFax or view pricing.
