HIPAA Compliant Online Fax Services: Evaluation Guide

What makes an online fax service HIPAA compliant, which features matter, and how to evaluate vendors before transmitting PHI.

Short answer

Online fax services that handle clinical documents containing PHI are business associates under HIPAA and must sign a BAA. Evaluation criteria include encryption in transit and at rest, audit logging, access controls, and how incoming faxes are stored and delivered. This guide covers what to look for and common gaps in fax-to-email products.

Fax remains a standard transmission channel for clinical documents: referrals, prior authorizations, lab results, and records requests. Online fax services — which convert fax to digital delivery or let staff send faxes from a browser or application — have largely replaced physical fax machines in many practices.

Because these services handle PHI, they require the same compliance evaluation as any other ePHI-adjacent system.

Why fax carries PHI risk

Every fax transmitted in a clinical context is likely a PHI transmission. Referral documents include patient names, DOBs, diagnoses, and insurance IDs. Lab results carry patient identifiers and clinical findings. Prior authorization faxes combine billing and clinical data.

When that transmission goes through an online fax service, the provider is receiving, processing, and often storing that PHI. That makes the provider a business associate. A signed BAA must be in place before the first fax is sent.

For the underlying PHI analysis of fax workflows, see PHI in Fax.

What HIPAA requires for online fax

The Security Rule’s technical safeguard requirements at 45 CFR § 164.312 apply to ePHI transmitted and stored by the fax service:

Transmission security — faxes in transit must be protected against interception. Online fax services move documents over the internet as data, not as analog signals, so the web portal, the API, and any fax-to-email leg should use TLS. Encryption is an addressable specification under § 164.312(e), but for traffic crossing the public internet there is no reasonable alternative to implementing it. Note what TLS does and does not cover: it protects the path between the clinic and the service; when the far end is a conventional fax machine, the final hop runs over the telephone network, outside that TLS session.

Access control — the fax inbox must be accessible only to authorized users. Shared fax inboxes with no individual login credentials are a Security Rule gap.

Audit controls — the system should log who accessed the fax inbox, which documents were viewed or downloaded, and when. A log that only records that a fax was received — without tracking who accessed it — does not fully satisfy audit control requirements.
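The audit-control point above is easiest to test against a vendor's log export rather than a sales sheet. The following is an added example, not code from the page or from any fax vendor; it assumes a JSON-lines export with the fields ts, event, doc_id and actor (null when the vendor records no user identity), and a list of shared logins, both of which are assumptions, and the sample export is constructed. It flags the two failures the paragraph names: access events with no individual user attached, and a log that records receipt but nothing about who opened the document.

```python
"""Check a fax vendor's exported audit log for audit-control gaps.

Added example, not from the page or any vendor. The log format is an
assumption: one JSON object per line with the fields ts, event, doc_id
and actor (null when the vendor records no user identity).
"""
import json

# Constructed sample export. F-1001 is viewed and downloaded by a named
# user; F-1002 is received with no access recorded; F-1003 is viewed
# through a shared login and downloaded with no actor recorded at all.
SAMPLE_EXPORT = """\
{"ts": "2024-03-04T14:02:11Z", "event": "received", "doc_id": "F-1001", "actor": null}
{"ts": "2024-03-04T14:05:40Z", "event": "viewed", "doc_id": "F-1001", "actor": "rn.patel@clinic.example"}
{"ts": "2024-03-04T14:06:02Z", "event": "downloaded", "doc_id": "F-1001", "actor": "rn.patel@clinic.example"}
{"ts": "2024-03-04T15:11:09Z", "event": "received", "doc_id": "F-1002", "actor": null}
{"ts": "2024-03-04T15:30:55Z", "event": "received", "doc_id": "F-1003", "actor": null}
{"ts": "2024-03-04T15:31:20Z", "event": "viewed", "doc_id": "F-1003", "actor": "frontdesk"}
{"ts": "2024-03-04T16:00:00Z", "event": "downloaded", "doc_id": "F-1003", "actor": null}
"""

# Assumed: logins that are not tied to one individual.
SHARED_LOGINS = {"frontdesk", "fax", "admin"}

# Event types that count as someone touching the PHI.
ACCESS_EVENTS = {"viewed", "downloaded", "forwarded", "printed"}


def parse_export(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON ({exc})") from None
        for field in ("ts", "event", "doc_id"):
            if field not in ev:
                raise ValueError(f"line {lineno}: missing field {field!r}")
        ev.setdefault("actor", None)  # a missing actor is treated as unattributed
        events.append(ev)
    return events


def evaluate_audit_log(events, shared_logins=SHARED_LOGINS):
    """Return the audit-control findings for an export."""
    received, accessed = set(), set()
    unattributed, shared = [], []
    for ev in events:
        if ev["event"] == "received":
            received.add(ev["doc_id"])
        elif ev["event"] in ACCESS_EVENTS:
            accessed.add(ev["doc_id"])
            if not ev["actor"]:
                unattributed.append(ev)
            elif ev["actor"] in shared_logins:
                shared.append(ev)
    return {
        # Does the vendor record access at all, or only receipt?
        "records_access": bool(accessed),
        # Received documents with no recorded access (unread, or unlogged).
        "received_without_access_record": sorted(received - accessed),
        # Access events that cannot be tied to a person.
        "access_without_actor": unattributed,
        # Access events attributed only to a shared login.
        "access_via_shared_login": shared,
    }


def audit_log_is_sufficient(findings):
    """True only when access is logged and every access names an individual."""
    return (
        findings["records_access"]
        and not findings["access_without_actor"]
        and not findings["access_via_shared_login"]
    )


if __name__ == "__main__":
    findings = evaluate_audit_log(parse_export(SAMPLE_EXPORT))
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("sufficient:", audit_log_is_sufficient(findings))
```

Run it against a real export from the vendor's trial account: an export that contains only "received" events, or one where downloads carry no actor, tells you the product will not let you answer "who looked at this patient's fax" during an investigation.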

At-rest encryption — stored fax images (typically PDFs) on the provider’s servers should be encrypted at rest.

Evaluation criteria for online fax services

BAA inclusion

Is the BAA standard at the plan your clinic would use? Some large general-purpose fax services offer BAAs only as a custom enterprise add-on, which is not practical for a small practice.

Fax-to-email delivery model

Many services deliver incoming faxes as email attachments. If the service uses fax-to-email, the PHI then lives in the email system. Confirm the email system also meets Security Rule requirements and has its own BAA in place.

Alternatively, services that deliver faxes to a secure web portal — rather than to email — keep the PHI in a controlled environment rather than routing it through a separate system.

Retention and deletion

How long does the provider retain fax images? Is retention configurable, and can the clinic delete or export images on demand? Faxes with clinical content are likely to form part of the clinic's designated record set and fall under its records-retention policy, and the clinic remains responsible for records management regardless of where the files are hosted.

User management

Can individual staff members have unique credentials to the fax system? Can access be removed when a staff member departs? Shared fax credentials that persist after turnover are a recurring compliance gap.

Subprocessor coverage

Does the provider have its own BAAs with the subprocessors it relies on (the cloud infrastructure and storage vendors behind the service)? A business associate must obtain satisfactory assurances, in the form of a subcontractor BAA, from any subcontractor that creates, receives, maintains or transmits PHI on its behalf. Ask the vendor for its subprocessor list and confirm that this downstream coverage is in place before signing.

Common gaps in general-purpose fax services

Consumer and small-business fax services — including many app-based services marketed on cost — frequently have these gaps:

  • No BAA offered at standard pricing
  • Fax-to-email delivery into a personal or unprotected email account
  • No individual user accounts — single shared login for the fax number
  • No audit log of who accessed or downloaded received faxes
  • Indefinite retention of all fax images with no deletion mechanism

Choosing a service based on cost alone, without reviewing these criteria, is a straightforward path to a Security Rule gap.

Practical setup checklist

Before using an online fax service for clinical documents:

  1. Confirm BAA is signed
  2. Confirm faxes are encrypted in transit and at rest
  3. Set up individual staff accounts — no shared logins
  4. If fax-to-email is used, confirm the email system also has a BAA
  5. Configure a retention schedule consistent with your records policy
  6. Document the vendor in your business associate list

For the broader vendor management framework, see When a Vendor Needs a BAA. For email compliance requirements when fax-to-email is in use, see HIPAA Compliant Email Providers Explained.

PHIGuard tracks BAA status for all vendors in the compliance dashboard. For pricing details, visit /hipaa.

FAQ

Questions related to this topic

Do I need a BAA with an online fax provider?

Yes. If the fax service stores or transmits PHI on your behalf — which it does for every clinical document faxed in or out — the provider is a business associate and must sign a BAA.

Is traditional fax more compliant than online fax?

Not in the sense the question implies; the two are governed differently. A paper-to-paper fax over the PSTN is not an electronic transmission of ePHI under the Security Rule, and the telephone carrier is a conduit rather than a business associate, so no BAA is required. It still needs Privacy Rule safeguards: the machine sits in a controlled area, output is retrieved promptly, destination numbers are confirmed, and a misdirected fax is assessed as a potential breach. Online fax services transmit and store documents as data, so they are subject to the same Security Rule requirements as any other ePHI system and, because a third party processes the PHI, require a signed BAA. One caveat: a networked multifunction device that stores fax images on disk or emails them is itself an ePHI system and needs the same evaluation as an online service.

What happens when a fax is delivered to email?

Fax-to-email products convert the incoming fax to a PDF and send it to the designated email inbox. That delivery creates ePHI in the email system, which must itself be HIPAA compliant with a separate BAA if the email provider is different from the fax provider.

Are healthcare-specific fax services necessary?

Not strictly — any fax service that signs a BAA and meets Security Rule requirements is eligible. Healthcare-specific vendors typically offer BAAs as a standard feature and are more likely to have compliant default configurations.
