
HIPAA Faxing: How To Send and Receive FAXes in a Secure and Compliant Way

We have previously discussed how it may be OK according to HIPAA to send and receive FAXes with ePHI over standard analog phone lines.  See: Is a FAX document HIPAA-Secure?

However, we have observed that customers increasingly wish to integrate FAXing with their computers, taking advantage of the “paper-free” office that is arriving in most places.  Why should they have to print and manually fax things, or receive FAXes on an old-fashioned FAX printer, when their computers have FAX capability?  Can that capability be used in a HIPAA-compliant way?

The answer is “Yes, you can”.  This article explains how and points out things to watch out for.

Getting Started: Use a HIPAA-Compliant FAXing Solution

You need to use an electronic FAXing service, such as eFax Corporate®, which provides HIPAA-compliant FAXing services.  Be sure that the service you choose offers you a “Business Associate Agreement”, as this is required by HIPAA HITECH (eFax Corporate® does offer this, but you have to explicitly ask them for it and they don’t mention it on their site).

Receipt of HIPAA Inbound FAXes Electronically

Inbound FAXes:

  1. Are sent by the FAX sender (not at your organization)
  2. Arrive at your “FAX” over regular analog phone lines.  This step does not have to be encrypted.
  3. Your “FAX” is a special computer at your Electronic FAX Service Provider where it is kept secure by their HIPAA compliance standards.
  4. Your FAX service provider delivers the FAX securely to you electronically:
    1. You pick it up by connecting to their secure web site and downloading it (over SSL), or
    2. They email it to you using TLS for transport encryption.

Picking up the Secure FAX at their web site will always be an easy and secure way to do things, presuming their website is secure (https://).

Having them forward the FAX to your email will only be HIPAA compliant IF:

  • Your email service supports TLS for inbound email delivery, and
  • Your email service itself is fully HIPAA compliant, providing secure, compliant service together with a signed Business Associate Agreement (most email service providers do not meet these criteria).

As far as “step #1” being HIPAA compliant, remember:

  • If the FAX is sent from a normal analog FAX line, it doesn’t have to be encrypted.
  • If the FAX is sent by someone who is not a Covered Entity or Business Associate of one (i.e. sent by an individual), then HIPAA does not apply to what they do.
  • If the FAX IS sent by someone who is a Covered Entity or Business Associate of one and they are not using an analog FAX line, then it is their responsibility to ensure that they are sending the fax in a compliant way.

Sending Outbound HIPAA FAXes Electronically

If you would like to send a compliant FAX electronically (i.e. not by using your analog FAX machine), then you can either:

  1. Log in to your Electronic FAX Service Provider’s website and send the FAX from there over an encrypted connection (SSL).
  2. Send the FAX from your email.

As before, sending through their secure site will always work.  To send through your email, you would:

  • Compose the FAX in your email
  • Send the email to a special email address that contains the destination FAX number.  I.e. if you wanted to send a FAX to “1-800-888-9999” through eFax Corporate®, you might send an email to “”.
  • Your email program would connect securely to your email servers to deliver the message there.
  • Your email servers would connect using TLS to eFax Corporate®’s email servers and deliver the message securely to them.
  • They would connect to the destination FAX system over analog phone lines.

In addition to needing secure connections between your computer and email provider, and your email provider needing to guarantee that TLS is used when delivering your FAX to your Electronic FAX Service Provider, HIPAA also requires that you have a Business Associate Agreement with your email provider and that your service with them meet HIPAA Security and Privacy standards.
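
One way to audit the email legs described above (the provider emailing an inbound FAX to you, and your mail servers relaying an outbound FAX to the provider) is to read the Received headers of a delivered message and flag any hop not recorded as TLS. This is an added example, not part of the original article; the host names and sample message are constructed, and it assumes each server records the RFC 3848 "with" keywords (ESMTPS, ESMTPSA) accurately.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords whose S means the hop ran over TLS (STARTTLS).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: the FAX provider hands off over TLS, then the mail
# provider relays internally without TLS. Newest hop is listed first.
SAMPLE = """\
Received: from mx.mailhost.example (mx.mailhost.example [198.51.100.20])
    by store.mailhost.example with ESMTP id 3C4D; Tue, 02 Jan 2024 10:00:03 +0000
Received: from out.faxprovider.example (out.faxprovider.example [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx.mailhost.example with ESMTPS id 1A2B
    for <records@clinic.example>; Tue, 02 Jan 2024 10:00:01 +0000
From: fax@faxprovider.example
To: records@clinic.example
Subject: Inbound fax (constructed sample)

body
"""

def strip_comments(value):
    """Drop parenthesised comments, including nested ones, so that text such
    as '(using TLSv1.2 with cipher ...)' is not mistaken for the protocol."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return " ".join(value.split())

def audit_hops(raw_message):
    """Return (receiving_host, protocol, used_tls) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        clean = strip_comments(header).split(";", 1)[0]  # drop the timestamp
        by = re.search(r"\bby\s+(\S+)", clean)
        proto = re.search(r"\bwith\s+(\S+)", clean)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "unknown", name, name in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw_message):
    """Hops whose receiving server did not record a TLS-protected protocol."""
    return [hop for hop in audit_hops(raw_message) if not hop[2]]

if __name__ == "__main__":
    for host, proto, tls in audit_hops(SAMPLE):
        print(f"{host:28} {proto:8} {'TLS' if tls else 'NO TLS'}")
```

Received headers are written by each receiving server, so they are evidence about a past delivery rather than a guarantee for the next one; requiring TLS remains a mail-server setting.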

Archival of FAXes

Folks interested in HIPAA compliance are often also in need of archival for things like email and FAXes.  By having your faxes come and go through your email system, you can take advantage of email archival services to also archive all of your FAXes.

In Summary:

  • Using an Electronic FAX company like eFax Corporate®, which provides HIPAA compliance, is a good way to go.
  • Using their secure web portal is a quick and easy way to have HIPAA compliant FAXing, even if your email is not compliant.
  • You can send and receive secure FAXes with your email if your email is also HIPAA compliant.

Watch out though!

  • “Almost Compliant?” Many electronic FAXing companies (unlike eFax Corporate®) have not caught up all the way with the current HIPAA HITECH requirements.  I.e. while they may mention “HIPAA” they do not provide signed Business Associate Agreements and thus they probably do not follow all of the practices required for HIPAA, yet.  By using such a service, you will not actually be compliant yourself.
  • “Recipient Security:” When sending ePHI over FAX, that data typically ends up being transmitted over insecure analog phone lines and sitting in plain sight on some FAX machines.   While this itself is not exactly non-compliant, it is certainly in a gray area.  You should consider carefully if the lessening of security this affords is appropriate to your business and its compliance needs.  This is something you need to answer for yourself.

One Response to “HIPAA Faxing: How To Send and Receive FAXes in a Secure and Compliant Way”

  1. Is a FAX document HIPAA-Secure? | LuxSci FYI Says:

    […] Update – for electronic FAXing options, see: HIPAA Faxing: How to Send and Receive FAXes in a Secure and Compliant Way. […]
