Are Faxes Encrypted? What You Need to Know

Traditional fax machines transmit unencrypted signals—anyone with line access can intercept them. Online fax services protect your documents with TLS and AES-256, but only if you pick the right provider. Here's exactly how fax encryption works.

Are Faxes Encrypted? What You Need to Know

By Sarah Martinez · Published April 24, 2026 · Updated June 8, 2026 · 7 min read

The short answer: traditional faxes are not encrypted. When a standard fax machine sends a document, it converts it into unencrypted analog audio tones and pushes them across phone lines. Anyone who taps that line can intercept and decode your document—no specialized tools required.

Online fax services are different. Reputable providers encrypt documents in transit with TLS and at rest with AES-256. But "online fax" is a broad category—some services still route traffic without meaningful encryption, so the label alone doesn't guarantee protection.

This guide explains exactly how fax encryption works, where the vulnerabilities are, and how to verify that your fax service is actually protecting your documents before you send something sensitive.

Why Traditional Fax Has No Encryption

Traditional fax machines connect to the Public Switched Telephone Network (PSTN) and convert your document into a series of audio tones—essentially a sequence of beeps representing light and dark pixels. Those tones travel as electrical signals through phone lines from your machine to the recipient's.

There is no encryption anywhere in this process. The signal carries your document in an open, decodable form. Three vulnerabilities follow directly from this:

Phone line interception. Anyone with physical access to your phone infrastructure—inside a building, at a junction box, or along a shared telephone line—can tap the line, capture the signal, and reconstruct your document. This requires physical presence, which makes it less likely than an email breach, but not impossible in high-value targets.

The unattended print tray. Fax machines print received documents immediately. If the machine sits in a shared office, reception area, or hallway, anyone walking by can read your fax before the intended recipient collects it. This remains one of the most common ways sensitive faxed documents are exposed.

Hardware-level exploits. In 2018, Check Point Security researchers demonstrated the "Faxploit" attack—by sending a single malicious fax to a standard HP printer with fax capability, they were able to compromise the printer's firmware and gain access to the connected corporate network. The vulnerability stemmed from the complete absence of security validation in the fax protocol stack.

VoIP fax systems aren't automatically safer. Many businesses now route fax over IP using the T.38 protocol. T.38's default transport (UDPTL) provides no encryption—fax packets travel in the clear across IP networks unless TLS or SRTP is explicitly layered on top.

No Encryption Means No Defense

Traditional fax has no firewall, no encryption, and no access control. When Check Point researchers demonstrated the Faxploit attack in 2018, their entry point was a standard publicly listed fax number. The attack required no physical access and no credentials—just a phone call to the fax line.

How Online Fax Encryption Works

Modern online fax services use two encryption layers—one for the document in motion, one for the document at rest.

TLS (Transport Layer Security) — in transit

TLS encrypts your document as it travels from your device to the fax provider's servers, and from those servers to the recipient. TLS 1.3—the current standard—creates an encrypted tunnel that cannot be read even if the network traffic is captured. It's the same technology that protects online banking and healthcare portals. In 2026, any fax service that only offers SSL or TLS 1.0 should be treated as a security liability.

AES-256 — at rest

Once a fax lands on the provider's servers, AES-256 protects it during storage. AES-256 uses a 256-bit key; the number of possible combinations exceeds the estimated atoms in the observable universe. Brute-force attacks against AES-256 are not feasible with any current technology.

Together, these two layers address the two main failure points of traditional fax. As our complete guide to online fax security explains, a properly configured online fax service is meaningfully more secure than both traditional fax and standard email—which often travels unencrypted across multiple servers.

Security LayerTraditional FaxOnline Fax (reputable provider)
Data in transitNone — open analog signalTLS 1.3 encrypted tunnel
Data at restNone — printed paperAES-256 encrypted storage
Access controlsNoneUser authentication + 2FA
Audit trailNoneFull transmission log
Physical interceptionHigh riskLow risk
Hardware exploit surfaceFax machine firmwareHardened cloud infrastructure

TLS 1.3 vs. TLS 1.2

TLS 1.3 removes several cryptographic options that were weaknesses in TLS 1.2 and reduces connection setup time. In 2026, TLS 1.3 is the benchmark. TLS 1.2 is still acceptable—anything older (TLS 1.0, TLS 1.1, SSL) is deprecated and considered a security risk by NIST.

What HIPAA Requires for Fax Encryption

For healthcare organizations, fax encryption is a regulatory matter. HIPAA's Security Rule requires "reasonable and appropriate" technical safeguards for Protected Health Information (PHI) in transit and at rest.

Historically, encryption was listed as an "addressable" implementation specification—meaning covered entities had to either implement it or document a rationale for an equivalent alternative. In practice, regulators have always expected encryption for PHI sent electronically.

2026 update: The HHS proposed HIPAA Security Rule modernization would reclassify encryption as a required specification—no longer addressable. Under this proposal, transmitting unencrypted PHI by any electronic method, including fax, would constitute a direct violation.

For a deeper look at all five requirements, see whether faxing is HIPAA compliant and the HIPAA fax requirements checklist.

The five technical requirements for HIPAA-compliant faxing are:

  1. Encryption in transit — TLS 1.2 or higher for any PHI sent electronically
  2. Encryption at rest — AES-256 or equivalent for stored faxes on provider servers
  3. Access controls — unique user IDs, role-based permissions, automatic session timeout
  4. Audit logs — a timestamped record of every fax sent, received, and accessed
  5. Business Associate Agreement (BAA) — a signed contract making the fax service provider legally responsible for HIPAA compliance

The BAA is non-negotiable. Without a signed BAA with your fax service, you are in violation of HIPAA even if the encryption is perfect. Penalties run from $145 per violation at the lowest tier to over $2.1 million per violation for willful neglect.

Traditional Fax Cannot Meet 2026 HIPAA Requirements

Analog fax machines offer no encryption, no access controls, no audit logs, and no BAA. Under the proposed 2026 Security Rule, using a traditional fax machine to send PHI would be a direct, documentable HIPAA violation with no acceptable alternative justification.

How to Verify Your Fax Service Is Encrypted

Not every online fax service is transparent about its encryption standards. Before trusting any service with sensitive documents, check these signals:

Look for explicit encryption documentation. A trustworthy provider names the exact protocols in use—"TLS 1.3 in transit, AES-256 at rest"—not just "secure" or "encrypted." If the security page uses vague language without specifics, the encryption may be equally vague.

Confirm BAA availability. If you handle PHI, the provider must offer a signed BAA. Ask before you sign up. Some providers make the BAA available on all plans; others limit it to enterprise tiers.

Check for third-party security certifications. SOC 2 Type II, ISO 27001, and HITRUST audits mean an independent auditor has verified the provider's security controls. These certifications require annual renewal, so check that the certification is current.

Test two-factor authentication. Encryption protects data in transit and at rest. 2FA protects your account from unauthorized access. Both are necessary; neither substitutes for the other.

Review the privacy policy for data retention. Some fax services store your documents indefinitely on their servers. Know how long your faxes are retained and whether you can delete them.

Best Practices for Sending Encrypted Faxes

Choosing an encrypted fax service is the foundation. These practices complete the security chain:

1

Verify the recipient's fax number

A misdirected fax is just as damaging as an intercepted one. Call ahead to confirm the number before sending PHI or financial documents. Our guide to faxing PHI securely recommends this step for every sensitive transmission.

2

Use a confidentiality notice on the cover sheet

For healthcare documents, include a HIPAA confidentiality notice on the cover page. This doesn't add encryption—but it creates a legal record that the document contains PHI and shouldn't be read by unintended recipients.

3

Enable two-factor authentication

Activate 2FA on your fax account. If your credentials are ever compromised, 2FA prevents unauthorized access to your received faxes and transmission history.

4

Review the audit log after sending

Check the delivery confirmation after each sensitive fax. If you're subject to a HIPAA audit, the transmission log is your documentation of compliance. Save confirmations for any fax containing PHI.

5

Encrypt local storage for downloaded faxes

If you download received faxes to your device, ensure local storage is encrypted. On macOS, enable FileVault. On Windows, enable BitLocker. A fax encrypted in transit and at rest loses all protection the moment it's saved to an unencrypted local drive.

Send Encrypted Faxes with mFax Business

mFax Business is built for teams that handle sensitive documents daily. Every transmission uses TLS 1.3 in transit and AES-256 at rest—the encryption standards required by HIPAA, GLBA, and similar compliance frameworks.

For healthcare, legal, and insurance teams, mFax Business includes:

  • HIPAA-ready infrastructure — encryption, access controls, and transmission logs meet the 2026 Security Rule requirements
  • BAA on request — legally establishes mFax as your Business Associate
  • Team accounts with role-based access — only authorized staff can send, receive, or view faxes
  • Delivery receipts — every fax generates a timestamped confirmation for your audit trail
  • Virtual fax numbers — dedicated fax lines with no physical hardware required

Plans start at about $9/mo (billed annually). Pricing is usage-based, not fixed tiers — you build your own plan with a live calculator, choosing the exact seats and pages your team needs and paying only for what you use. For personal faxing without compliance requirements, the mFax app also encrypts every transmission with TLS.

Start with mFax Business — encrypted, HIPAA-ready faxing from about $9/mo.

Frequently Asked Questions

Are traditional fax machines encrypted?
No. Traditional fax machines transmit documents as unencrypted analog audio signals over phone lines. There is no encryption at any point in the process—anyone with physical access to the phone line can intercept and decode your fax.
Can a fax be intercepted or hacked?
Yes. Traditional faxes can be intercepted via a phone line tap, read from an unattended print tray, or exploited through hardware vulnerabilities (like the 2018 Faxploit attack). Online fax services using TLS 1.3 and AES-256 are substantially harder to intercept.
What encryption does a HIPAA-compliant fax service use?
HIPAA-compliant fax services use TLS 1.2 or higher for data in transit and AES-256 for data at rest. They also provide access controls, audit logs, and a signed Business Associate Agreement (BAA). All of these are required—not optional—under the 2026 proposed HIPAA Security Rule.
Is online fax more secure than email?
Yes, when using a reputable encrypted fax service. Standard email often travels unencrypted across multiple servers. Online fax services like mFax Business create a direct, TLS-encrypted connection with AES-256 storage—making them a safer channel for sensitive documents.
Does mFax encrypt my faxes?
Yes. mFax uses TLS 1.3 for data in transit and AES-256 for data at rest on every transmission. mFax Business also provides a signed Business Associate Agreement (BAA) for healthcare and compliance use cases, making it suitable for sending PHI.
Home Business Pricing Fax API Blog Document Converter Company
Terms of Service Privacy Policy