BAA for Fax: Why Every Healthcare Fax User Needs One

If your organization faxes Protected Health Information without a signed Business Associate Agreement, you are violating HIPAA — even if the fax is encrypted. Learn what a BAA is, what it must include, and how to get one from your fax provider before you send another patient record.

Frequently Asked Questions

What is a Business Associate Agreement (BAA) for fax?
A BAA is the contract HIPAA requires (45 CFR 164.502(e) and 164.504(e)) between a covered entity (such as a healthcare provider or health plan) and any vendor that creates, receives, maintains, or transmits Protected Health Information (PHI) on its behalf, and equally between a business associate and any subcontractor it hands PHI to. If your fax provider handles PHI, it is a Business Associate and a signed BAA must be in place before you send a single patient record. The one exception is the narrow "conduit" carve-out: a carrier that merely transmits a fax over the telephone network and retains nothing beyond what the transmission itself requires (a phone company or ISP, for example) is not a Business Associate. An online or cloud fax service that receives, stores, converts, or routes your faxes does not qualify for that exception.
Do I need a BAA with my online fax service?
Yes. An online fax service that transmits or stores PHI on your behalf is a Business Associate under HIPAA, not a mere conduit, because it holds your faxes on its own systems (inbox storage, PDF conversion, email delivery) rather than simply passing a signal through. You must execute a signed BAA with the provider before using the service for patient data. Encryption in transit and at rest is a required safeguard, but it is not a substitute for the contract: encryption determines whether a breach of that data is reportable, not whether a BAA is needed. Before sending PHI, confirm that the BAA is signed by both parties and that it covers the specific plan or account you are using, since many providers offer a BAA only on certain tiers.
What happens if I fax PHI without a BAA?
Faxing PHI through a vendor with no BAA in place is a HIPAA violation. OCR's civil monetary penalties are tiered by culpability and adjusted for inflation each year; under the 2024 schedule they run from $141 per violation at the lowest tier (the entity did not know and could not reasonably have known) to $71,162 per violation at the highest (willful neglect, not corrected), with an annual cap of $2,134,831 for all violations of the same provision. The often-quoted "$2.1 million" figure is that annual cap, not a per-violation amount. OCR has also reached six- and seven-figure settlements with healthcare organizations where the absence of a BAA was a central finding, usually cited alongside a missing or inadequate risk analysis.
What must a BAA include to satisfy HIPAA?
Under 45 CFR 164.504(e), the BAA must: establish the permitted and required uses and disclosures of PHI by the business associate and forbid any others; require the business associate to implement appropriate safeguards, including compliance with the Security Rule for electronic PHI; require it to report any use or disclosure not permitted by the contract, including breaches of unsecured PHI, which 45 CFR 164.410 obliges the business associate to report without unreasonable delay and no later than 60 calendar days after discovery (many covered entities contract for a much shorter window); require it to ensure that any subcontractor handling PHI agrees in writing to the same restrictions, so the BAA chain is unbroken; require it to make PHI available for individual access, amendment, and accounting of disclosures, and its books and records available to HHS; authorize the covered entity to terminate the contract if the business associate violates a material term; and require return or destruction of all PHI at termination or, where that is infeasible, extension of the contract's protections for as long as the PHI is retained.
Does mFax Business offer a BAA?
Yes. mFax Business includes a signed Business Associate Agreement as part of its healthcare and enterprise plans. You can request it at [mFax.to/business](https://mfax.to/business/) before transmitting any PHI.