A comprehensive guide to HIPAA fax compliance for medical offices, dental practices, and healthcare organizations.
Despite the rise of electronic health records and secure messaging, faxing remains deeply embedded in the US healthcare system. An estimated 75% of medical communications still happen by fax. There are three main reasons for this.
Regulations and payer requirements. Many insurance companies, Medicare, Medicaid, and state agencies require fax for claims, prior authorizations, and appeals. Until these systems are modernized, healthcare providers must maintain fax capabilities to get paid.
Referring providers and partners. When you send referrals, lab results, or patient records to other providers, many of them only accept fax. Even if your office has gone digital, you need to communicate with practices that have not.
Legal and compliance considerations. Fax is an accepted HIPAA compliant method of transmitting PHI when proper safeguards are in place. Many compliance officers prefer fax because it creates a clear record of transmission that email often does not.
The question is not whether your practice needs fax — it almost certainly does. The question is whether you are faxing in a way that meets HIPAA requirements. For most practices, switching from a traditional fax machine to a HIPAA compliant online fax service is the simplest path to compliance.
HIPAA does not ban faxing — it requires specific safeguards when faxing protected health information. Here are the four core requirements.
Any service that handles PHI on your behalf must sign a BAA. This is a legal requirement, not optional. Your online fax provider must execute a BAA before you transmit any patient data through their service.
HIPAA requires encryption for ePHI in transit and at rest. For faxing, this means TLS 1.2+ for transmission and AES-256 for stored documents. Traditional fax machines transmit over unencrypted phone lines.
Only authorized individuals should be able to access faxes containing PHI. This means unique user logins, role-based permissions, and automatic session timeouts to prevent unauthorized access.
HIPAA requires that you maintain logs of who accessed PHI, when, and what actions they took. Your fax service should automatically log every fax sent, received, viewed, and downloaded.
These are the five most common ways healthcare practices violate HIPAA when faxing. Many offices do not realize they are at risk.
Fax machines in reception areas, break rooms, or shared spaces allow unauthorized individuals to see incoming faxes containing PHI. This is one of the most common HIPAA violations in healthcare offices.
Using a fax service without a signed BAA is a direct HIPAA violation. Many practices unknowingly use consumer fax services that do not offer BAAs and are not HIPAA compliant.
Traditional fax machines produce no audit trail of who sent what to whom. If you cannot prove who accessed PHI and when, you are out of compliance with HIPAA record-keeping requirements.
Misdirected faxes are a leading cause of PHI breaches. Without confirmation prompts and recipient verification, it is easy to transpose digits and send patient records to the wrong number.
HIPAA best practices require a cover sheet with a confidentiality notice on every fax containing PHI. Many offices skip this step, especially when faxing in a hurry.
Online fax services are inherently better suited for HIPAA compliance than traditional fax machines. Here is a side-by-side comparison.
| HIPAA Requirement | Traditional Fax | Online Fax |
|---|---|---|
| Encryption in transit | | |
| Encryption at rest | | |
| Business Associate Agreement | | |
| Audit trail | | |
| Access controls | | |
| Documents visible to passersby | | |
| Automatic delivery confirmation | | |
| Secure cloud storage | | |
Follow these four steps to set up HIPAA compliant faxing for your practice. Most offices can complete the entire process in under 30 minutes.
Select an online fax provider that explicitly offers HIPAA compliance — including BAA, encryption, audit trails, and access controls. usfax.com offers HIPAA compliance on the Business plan at $49/month.
Before transmitting any PHI, sign the BAA with your fax provider. With usfax.com, you can sign the BAA online in minutes from your account settings — no sales calls or paperwork.
Set up individual user accounts for each staff member who needs fax access. Assign role-based permissions and enable automatic session timeouts. Never share login credentials between users.
Create written procedures for handling faxes containing PHI. Train staff on using cover sheets, verifying recipient numbers, and reporting misdirected faxes. Document your training for compliance records.
Use this checklist to verify that your practice meets all HIPAA requirements for faxing protected health information. Every item should be checked before you transmit PHI.
HIPAA violations carry significant financial penalties. The Department of Health and Human Services (HHS) Office for Civil Rights enforces these penalties using a tiered system based on the level of negligence.
| Tier | Level | Per Violation | Annual Max |
|---|---|---|---|
| Tier 1 | Unknowing violation | $141 – $71,162 | $71,162 |
| Tier 2 | Reasonable cause | $1,424 – $71,162 | $284,792 |
| Tier 3 | Willful neglect (corrected) | $14,232 – $71,162 | $569,468 |
| Tier 4 | Willful neglect (not corrected) | $71,162 – $2,134,831 | $2,134,831 |
A HIPAA compliant fax service costs as little as $49 per month (Business plan). A single HIPAA violation can cost up to $2.1 million. Setting up compliant faxing is one of the easiest and most cost-effective steps a practice can take.