What Is a HIPAA-Compliant Fax Service? (And What to Look For)
HIPAA doesn't certify fax services — but it does require specific controls. Here's what to look for, what questions to ask, and how SecurelyFax's HIPAA tier works.
HIPAA does not certify fax services. There's no government seal that says "HIPAA-compliant." Instead, HIPAA's Privacy Rule and Security Rule require specific administrative, physical, and technical safeguards — and your fax vendor must support those safeguards before you can use it for PHI.
The minimum HIPAA fax checklist
- Signed Business Associate Agreement (BAA). If a vendor handles, transmits, or stores PHI on your behalf, you need a BAA on file. No BAA, no PHI — full stop.
- Encryption in transit and at rest. TLS 1.2+ for every API call and webhook. Encryption at rest with a customer- or vendor-managed key (KMS-style).
- Access controls. Each user has unique credentials. Two-factor authentication available. Role-based permissions if more than one staff member touches PHI.
- Audit logging. Every send, view, and download must be timestamped with the actor and IP address. Retention long enough to support breach investigation (typically 6+ years).
- Breach notification. The vendor must notify you promptly of any incident affecting PHI it handles, with enough detail to support your own breach reporting.
- Sub-processor disclosure. If the vendor sends faxes via a downstream provider (e.g., Telnyx), that provider must also have a BAA in place with your vendor.
What to ask before signing
- "Do you sign a BAA before we send any PHI?"
- "Where are faxes stored, and with what encryption?"
- "What audit logs can I access, and for how long?"
- "Who are your sub-processors, and do they have BAAs?"
- "How do you handle a fax that's misrouted or sent to the wrong number?"
- "What's your incident-response timeline?"
How SecurelyFax's HIPAA tier works
- BAA on file. Sign during onboarding. PHI sending is gated until the BAA is countersigned by our admin.
- KMS-encrypted S3 storage. Every fax PDF is encrypted at rest with a dedicated KMS key under our AWS account.
- 2FA + audit log. Every login, send, view, download, and admin action is recorded with actor + IP + user-agent + timestamp.
- Per-room retention. Set retention per fax room — e.g., 6 years for clinical, shorter for general intake. Auto-purge after.
- Telnyx as fax sub-processor. Covered under our BAA and theirs.
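As an added illustration (not SecurelyFax's code), here is a hypothetical Python model of three of the controls above, together with the per-room least-privilege point made further down: a role-to-room access check, audit entries that carry actor, IP, user-agent and timestamp, and a retention job that purges faxes past their room's window. Room names, roles, retention periods and the sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample policy: retention per fax room and which roles may open each room.
RETENTION_DAYS = {"clinical": 6 * 365, "intake": 90}
ROOM_ACCESS = {"clinician": {"clinical"}, "billing": {"intake"}}

@dataclass
class FaxRecord:
    fax_id: str
    room: str
    received: datetime

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, actor, ip, user_agent, action, fax_id, now):
        # Every event, including denials and system purges, carries actor/IP/UA/timestamp.
        self.entries.append({"ts": now.isoformat(), "actor": actor, "ip": ip,
                             "user_agent": user_agent, "action": action, "fax_id": fax_id})

def view_fax(role, actor, ip, user_agent, fax, log, now):
    # Least privilege: a role sees only rooms it is explicitly granted; denials are logged too.
    allowed = fax.room in ROOM_ACCESS.get(role, set())
    log.record(actor, ip, user_agent, "view" if allowed else "view_denied", fax.fax_id, now)
    return allowed

def purge_expired(faxes, log, now):
    # Retention job: drop records older than their room's window and log each purge.
    kept, purged = [], []
    for fax in faxes:
        if now - fax.received > timedelta(days=RETENTION_DAYS[fax.room]):
            log.record("system", "-", "retention-job", "purge", fax.fax_id, now)
            purged.append(fax.fax_id)
        else:
            kept.append(fax)
    return kept, purged

def demo():
    # Constructed records: a 7-year-old clinical fax, a fresh intake fax, a stale intake fax.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    faxes = [FaxRecord("fax-001", "clinical", now - timedelta(days=7 * 365)),
             FaxRecord("fax-002", "intake", now - timedelta(days=30)),
             FaxRecord("fax-003", "intake", now - timedelta(days=120))]
    log = AuditLog()
    billing_sees_clinical = view_fax("billing", "bob", "10.0.0.5", "ua/1.0", faxes[0], log, now)
    kept, purged = purge_expired(faxes, log, now)
    return billing_sees_clinical, [f.fax_id for f in kept], purged, log.entries
```

Running `demo()` shows the Billing role denied on the Clinical room, the two over-retention faxes purged, and an audit trail of the denial plus both purges.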
What "HIPAA-compliant" doesn't mean
It doesn't mean that using a HIPAA-ready vendor makes your practice compliant. You still need to:
- Train your staff on PHI handling.
- Configure least-privilege access (which is why per-room isolation matters — Billing shouldn't see Clinical).
- Maintain your own breach-notification policies.
- Run regular risk assessments.
The vendor handles its portion of the HIPAA requirements. You handle yours. The BAA is the contract that says who is responsible for what.
See SecurelyFax for healthcare — signed BAA, KMS encryption, audit logs, per-room separation.