SecurelyFax offers a HIPAA-eligible service tier designed for U.S. covered entities and business associates that need to transmit Protected Health Information (PHI) by fax.
What "HIPAA-eligible" means
The HIPAA tier is configured to support a customer's HIPAA compliance program. SecurelyFax acts as a Business Associate when you transmit or store PHI through the service — because SecurelyFax persistently stores fax PDFs in encrypted S3 (typically days to years depending on retention configuration), the role goes beyond a mere conduit and a Business Associate Agreement (BAA) is required before any PHI may be transmitted.
Our role vs. the Telnyx conduit exception
SecurelyFax's underlying telecommunications carrier, Telnyx, performs the actual T.38 / PSTN transmission of fax data and does not sign BAAs. Telnyx operates under the HIPAA conduit exception, which the U.S. Department of Health and Human Services has confirmed applies to telecommunication and electronic-equivalent carriers that act "merely as a conduit for protected health information." See HHS guidance at 78 FR 5571-72. The conduit exception permits transient, transmission-incidental storage but does not extend to a service that retains PHI persistently on its own systems.
SecurelyFax does not qualify for the conduit exception because we persist fax PDFs in encrypted storage on the customer's behalf (retention windows of 30 days on free tier up to multiple years on the HIPAA tier). For that reason SecurelyFax is a Business Associate and signs a BAA with every HIPAA-tier customer.
Safeguards on the HIPAA tier
- Administrative: workforce confidentiality obligations, access reviews, breach response procedures, two-factor authentication available to all accounts (strongly recommended for HIPAA workforce members), signed BAAs with every sub-processor that has persistent access to PHI.
- Physical: data hosted in AWS data centers (SOC 2 / ISO 27001 / HIPAA-eligible) in the United States.
- Sending (outbound): documents are uploaded over TLS, normalized to a single PDF (images converted, multi-file uploads merged), transmitted to Telnyx over TLS, and faxed via T.38 to the recipient device. Cover sheets are generated server-side. HIPAA-tier sends are blocked at the application layer until a countersigned BAA is on file.
- Receiving (inbound): HIPAA-tier subscribers must receive on a dedicated US fax number. The shared inbound line (which uses OCR-routed inbox codes on cover sheets) is best-effort and is not HIPAA-compliant — it is not permitted for PHI.
- Storage: every fax PDF and BAA file is written to a private S3 bucket under a per-tenant object key, server-side encrypted with aws:kms using a customer-managed KMS key. Download URLs are short-lived presigned links generated only after the per-tenant authorization check passes.
- In transit: TLS 1.2+ everywhere, HSTS on, HTTP redirects to HTTPS, webhook payloads HMAC-signed.
- Access & audit: per-tenant authorization on every read; structured audit logs covering login, password change, two-factor authentication state, fax view, fax download, send, receive, retention / admin actions, BAA upload and approval, and number purchase / release. Each entry records the actor, the timestamp, the resource id, and the originating IP address. Audit log entries are retained for at least the longer of (a) the customer's contractual retention period and (b) six years, consistent with 45 CFR §164.530(j)(2).
- Retention: configurable up to seven years on the HIPAA tier (PAYG defaults to 30 days). Customers can request shorter retention via hipaa@securelyfax.com. Storage of PHI is contingent on an active, paid HIPAA-tier subscription — see "Storage and subscription" below.
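The storage, in-transit and audit controls listed above, worked through as an added example in standard-library Python. This is not SecurelyFax's code: the webhook signature header layout, the locally HMAC-signed download link standing in for a real S3 presigned URL, the hostname, and the sample tenant, fax and actor values are all assumptions constructed for illustration. The first half is what a customer's webhook receiver would run to check an HMAC-signed payload (including a freshness window against replay); the second half shows the per-tenant authorization gate that must pass before a short-lived link is minted, with each allowed or denied attempt written to a structured audit entry carrying actor, timestamp, resource id and originating IP.

```python
"""Added example, not SecurelyFax's code. All header formats, hostnames and
sample identifiers below are constructed assumptions for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# ---------------------------------------------------------------------------
# 1. Receiver-side verification of an HMAC-signed webhook payload.
#    Assumed header layout: "t=<unix-ts>,v1=<hex hmac-sha256 over '<ts>.<body>'>".
# ---------------------------------------------------------------------------

def sign_webhook(secret: bytes, body: bytes, ts: int) -> str:
    """What a sender would place in the signature header (used here for testing)."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: int,
                   tolerance_s: int = 300) -> bool:
    """True only if the MAC matches and the timestamp is within the freshness window."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts = int(fields["t"])
        given = fields["v1"]
    except (KeyError, ValueError):
        return False                      # malformed header: reject, do not guess
    if abs(now - ts) > tolerance_s:
        return False                      # stale or replayed delivery
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing leaks nothing about the MAC.
    return hmac.compare_digest(expected, given)


# ---------------------------------------------------------------------------
# 2. Per-tenant authorization gate, audit entry, then a short-lived signed link.
# ---------------------------------------------------------------------------

@dataclass(frozen=True)
class StoredFax:
    fax_id: str
    tenant_id: str
    object_key: str   # per-tenant object key, e.g. "tenant-42/faxes/fax-001.pdf"


AUDIT_LOG: list = []   # stands in for the structured audit log store


def audit(action: str, actor: str, resource: str, ip: str, ts: int, outcome: str) -> dict:
    """One structured audit entry: actor, timestamp, resource id, originating IP, outcome."""
    entry = {"action": action, "actor": actor, "resource": resource,
             "ip": ip, "ts": ts, "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry


def issue_download_link(fax: StoredFax, actor: str, actor_tenant: str, ip: str,
                        now: int, link_secret: bytes, ttl_s: int = 60) -> str:
    """Authorize against the fax's tenant first; only then mint an expiring link."""
    if fax.tenant_id != actor_tenant:
        audit("fax.download", actor, fax.fax_id, ip, now, "denied")
        raise PermissionError("fax belongs to another tenant")
    expires = now + ttl_s
    sig = hmac.new(link_secret, f"{fax.object_key}|{expires}".encode(),
                   hashlib.sha256).hexdigest()
    audit("fax.download", actor, fax.fax_id, ip, now, "allowed")
    # Placeholder host; a real deployment would return an S3 presigned URL here.
    return f"https://files.example.invalid/{fax.object_key}?expires={expires}&sig={sig}"


def link_is_valid(url: str, link_secret: bytes, now: int) -> bool:
    """What the file front-end checks: unexpired, and MAC bound to key + expiry."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    object_key = parsed.path.lstrip("/")
    expected = hmac.new(link_secret, f"{object_key}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample run: a valid delivery, then a cross-tenant read attempt.
    secret, body, ts = b"constructed-webhook-secret", b'{"event":"fax.received"}', 1_700_000_000
    print("webhook ok:", verify_webhook(secret, body, sign_webhook(secret, body, ts), now=ts + 5))
    fax = StoredFax("fax-001", "tenant-42", "tenant-42/faxes/fax-001.pdf")
    try:
        issue_download_link(fax, "mallory", "tenant-99", "198.51.100.7", ts, b"constructed-link-secret")
    except PermissionError as exc:
        print("denied:", exc, AUDIT_LOG[-1])
```

The two halves share one idea: nothing is trusted on arrival. A webhook body is only acted on once its MAC verifies in constant time within the freshness window, and a download link only exists after the tenant check has passed and been recorded, so a denied attempt leaves the same kind of audit trail as an allowed one.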
Storage and subscription
SecurelyFax has no legal obligation to retain PHI on a customer's behalf once that customer's HIPAA-tier subscription lapses, expires, is terminated by either party, or is suspended for non-payment. Storage is a service customers pay for under an active subscription — HIPAA does not require SecurelyFax to maintain PHI outside the commercial relationship. The Business Associate Agreement reflects this expressly.
When a HIPAA-tier subscription lapses or terminates:
- SecurelyFax sends the customer's administrative contacts at least thirty (30) calendar days' written notice by email before any deletion of PHI, including instructions on how to export.
- During the notice / wind-down period, the account is read-only — the customer can sign in and use the export tooling to retrieve PHI but cannot send or receive new faxes.
- At the end of the wind-down period, all PHI is securely deleted from SecurelyFax's production systems and AWS is instructed to do the same with its retained copies in S3 and KMS.
- SecurelyFax provides written certification of destruction upon written request.
Customers are solely responsible for completing their export before the wind-down period ends. SecurelyFax has no liability for a customer's failure to timely export PHI.
Storage limits and overages
- Fair-use cap. The HIPAA tier includes a fifty-gigabyte (50 GB) fair-use storage allowance per customer organization. SecurelyFax publishes the current allowance on the pricing page and in the Service.
- Notifications. SecurelyFax notifies the customer's administrative contacts when storage usage reaches eighty percent (80%) and ninety percent (90%) of the cap.
- Exceeding the cap. When storage usage exceeds the cap, SecurelyFax may, after notice, (a) suspend acceptance of new inbound or outbound faxes until storage drops below the cap (existing PHI remains accessible) or (b) negotiate a paid overage with the customer. SecurelyFax will not delete existing PHI as a result of cap overage without customer direction.
- Customer purge. Customers can purge PHI at any time through the Service's purge tooling or by written request to hipaa@securelyfax.com — SecurelyFax executes within fifteen (15) business days and logs the deletion in audit logs.
Sub-processors and BAAs
SecurelyFax categorizes its third-party vendors by whether they have persistent, non-incidental access to PHI:
- Amazon Web Services (AWS) — storage (S3), encryption (KMS), email delivery (SES), AI inference (Amazon Bedrock). AWS retains PHI on SecurelyFax's behalf for the configured retention window and is therefore a Business Associate. Covered by AWS's standard BAA executed by SecurelyFax under the AWS Business Associate Addendum.
- Telnyx — PSTN / T.38 fax transmission carrier. Telnyx invokes the HIPAA conduit exception (HHS 78 FR 5571-72) and does not sign BAAs; SecurelyFax accepts and relies on that position. Telnyx does not retain fax content beyond what is incidental to the transmission.
- Stripe — payment processor for web billing. Stripe processes billing data only — it does not receive PHI from the fax transmission or storage path. No BAA required because no PHI flows to Stripe.
- Apple / Google / RevenueCat / Expo — in-app purchase and push delivery for the mobile apps. None of these services receive PHI: push payloads from SecurelyFax never include fax content or patient identifiers, and IAP transactions carry only entitlement and product metadata. No BAA required.
What is not HIPAA-compliant
- The Personal, Business, and pay-as-you-go tiers — they do not include a BAA with SecurelyFax.
- The shared inbound number with a cover-sheet inbox code — convenient but best-effort. Do not use it for PHI.
- Email-to-fax (send@securelyfax.com / fax@securelyfax.com) sent from a non-HIPAA-tier account.
- The anonymous / "quick fax" public path (no signup) — explicitly off-limits for PHI.
Customer responsibilities
- Execute a BAA with SecurelyFax before transmitting PHI.
- Use a unique account per workforce member; do not share credentials.
- Enable two-factor authentication.
- Confirm the recipient fax number before sending.
- Restrict PHI to the HIPAA tier — do not transmit PHI on Personal, Business, or pay-as-you-go tiers.
Requesting a BAA
HIPAA-tier customers can execute a BAA in-app from /app/baa after subscribing. Review the starter template at /baa-template before execution; that document is the BAA SecurelyFax offers HIPAA-tier customers, subject to negotiation in writing. For prior review with counsel, contact hipaa@securelyfax.com.
Breach notification
SecurelyFax will notify the customer without unreasonable delay (and in any case within the timeframes required by 45 CFR §164.410) of any discovered breach of unsecured PHI.
Nothing on this page constitutes legal advice. Customers are responsible for their own HIPAA compliance program; SecurelyFax provides a compliant service tier and the contractual terms required to use it.