HIPAA & Compliance
Is Fax HIPAA Compliant?
Short answer: yes, faxing protected health information is allowed under HIPAA — but a fax is only compliant when the right safeguards are in place. Here's exactly what separates a HIPAA-ready fax from a violation, and which online fax services actually qualify.
The short version: HIPAA never bans fax. It asks whether you've taken reasonable steps to protect the data. With a traditional fax machine, that's mostly physical — dial carefully, secure the printout. With online or cloud fax, "HIPAA compliant" hinges on one thing above all: a signed Business Associate Agreement (BAA), backed by encryption and audit controls.
No BAA, no compliance — even if the marketing page says "bank-grade security."
What makes a fax HIPAA compliant
For online and cloud fax, your provider has to meet all four of these — not just the first one they advertise.
A signed BAA
The fax provider becomes a Business Associate the moment it handles PHI on your behalf. Without a signed Business Associate Agreement, using that service for patient data is a violation — full stop, no matter how good the encryption is.
Encryption in transit & at rest
PHI must be encrypted while it moves (TLS 1.2 or higher) and while it sits on the provider's servers (AES-256). A fax that's emailed in plain text to a gateway fails this test.
Access controls & audit logs
Unique logins per user, role-based permissions, automatic log-off, and an audit trail of who sent, opened, or downloaded each fax. Shared inboxes and generic passwords don't meet the bar.
Breach notification
A documented process to detect, contain, and report a breach. Your BAA should spell out the provider's obligations if PHI is ever exposed.
Traditional fax vs. online fax — different risks
People assume the old fax machine is automatically safer because it "doesn't touch the internet." That's only half true. With analog fax, HIPAA's concern is physical exposure: a misdialed number sending records to a stranger, or a printout sitting in an unattended tray. Apply the usual safeguards — confirm the number, use a cover sheet, keep the machine in a controlled area — and a traditional fax can carry PHI under HIPAA.
Online and cloud fax move the risk to the provider. Because a third party now transmits and stores your faxes, that company is a Business Associate under HIPAA, and you inherit responsibility for vetting them. The upside is real: a good cloud fax service gives you encryption, access logs, and a paper trail an analog machine never could — once the BAA is signed and the safeguards are switched on.
The BAA is non-negotiable
A Business Associate Agreement is a contract that makes your fax provider legally accountable for protecting PHI: how they'll safeguard it, what they'll do in a breach, and the fact that they can't use your data for anything else. Under HIPAA, you must have one signed before any patient information flows through the service.
Two practical traps to avoid. First, HIPAA is often a higher tier, not the default — eFax gates it behind its Protect plan, and Fax.Plus behind Enterprise, so the entry plan you signed up for may not be covered. Second, "self-attested" is not the same as audited. A provider can claim HIPAA on its homepage while offering the BAA only "on request" and publishing no SOC 2 or HITRUST report. For protected health information, insist on the signed BAA and look for an independent audit.
Where compliance quietly breaks: email-to-fax and free services
Email-to-fax is convenient and a common compliance hole. If you send PHI from an ordinary email account to a fax gateway, the email leg usually travels unencrypted before it ever becomes a fax — which fails HIPAA's transmission-security rule. When the document contains PHI, send it through the provider's secure web portal or app (the part your BAA actually covers), not plain email.
Free fax services never qualify. They don't sign BAAs and aren't built for HIPAA's encryption, access-control, and audit requirements. Free fax is great for a one-off, non-sensitive document — and a clear violation for anything with patient data in it.
Which online fax services are HIPAA-ready?
From the services in our 2026 ranking — and remember the BAA, not the badge, is what counts.
| Service | HIPAA | BAA | Notes |
|---|---|---|---|
| SRFax | Yes — incl. PHIPA | Every plan | Purpose-built for North American healthcare; signed BAA and free PGP encryption on every plan. |
| iFax | Plus plan & up | Plus plan & up | BAA from the Plus plan; SOC 2 + ISO 27001 on Pro. The Basic plan is send-only and not HIPAA. |
| Documo | All plans | Every plan, no extra charge | BAA bundled on all plans; SOC 2, with an API and portal built for EHR/EMR workflows. |
| eFax | Protect plan only | Protect plan (~$50/mo) | HITRUST certified, but HIPAA lives only on the Protect tier — the Plus and Pro plans are excluded. |
| Fax.Plus | Enterprise only | On request (Enterprise) | Our overall #1, with ISO 27001 + SOC 2 — but HIPAA and the BAA activate only on the Enterprise plan. |
| CocoFax | Self-attested | On request | Claims HIPAA but has no public SOC 2 / HITRUST audit and the BAA is on request — we don't recommend it for PHI. |
| FaxZero | No | None | Free service with no BAA — fine for non-sensitive faxes, never for protected health information. |
Plans and BAA terms change — always confirm the current BAA in writing before sending PHI. For the full breakdown, see our best HIPAA-compliant fax services guide.
A quick compliance checklist
- Get the BAA in writing before the first PHI fax — and keep a copy.
- Confirm you're on a HIPAA-eligible plan, not just the base tier.
- Use the secure portal or app for PHI, not plain email-to-fax.
- Give every user a unique login; turn on audit logging and auto log-off.
- Verify the destination number and use a cover sheet on every send.
- Never route PHI through a free or self-attested service.
This guide is general information, not legal advice. Your compliance obligations depend on your organization and how the service is configured — consult your privacy officer or counsel for your specific situation.
Frequently Asked Questions
Is fax HIPAA compliant?
Faxing PHI is allowed under HIPAA, but a fax is only compliant with the right safeguards. For online and cloud fax that means a signed BAA, encryption in transit and at rest, access controls and audit logs, and a breach-notification process. A free service, or cloud fax without a BAA, is not compliant.
Do I need a BAA to fax patient information?
Yes. Any online fax provider that transmits or stores PHI for you is a Business Associate, and HIPAA requires a signed Business Associate Agreement before you send a single patient document. No BAA means you can't use it for PHI.
Is traditional (analog) fax HIPAA compliant?
A fax machine over a phone line can carry PHI under HIPAA with reasonable safeguards — confirm the number, use a cover sheet, and keep the receiving machine secure. The risk with analog fax is physical exposure, not the transmission itself.
Is email-to-fax HIPAA compliant?
Only if the whole path is secured. Sending PHI from a regular email account to a fax gateway usually sends it over unencrypted email first, which fails HIPAA. Use the provider's secure portal or app — covered by your BAA — for anything with PHI.
Which online fax services are HIPAA compliant?
Services that sign a BAA and meet the safeguards include SRFax (BAA on every plan), iFax (Plus and up), Documo (all plans), eFax (Protect plan), and Fax.Plus on Enterprise. Free services like FaxZero never qualify, and self-attested claims without an audit — such as CocoFax — aren't a safe choice for PHI.
Can free fax services be HIPAA compliant?
No. Free online fax services don't sign BAAs and aren't built for HIPAA's encryption, access-control, and audit requirements. They're fine for non-sensitive documents, but never for protected health information.
Need a fax service you can actually use for PHI?
See which providers sign a BAA and pass our security checks in the 2026 HIPAA guide.