Encrypted Fax: How It Works, Pricing & Secure Alternatives

Encrypted fax uses TLS and AES-256 to protect your documents in transit and at rest — traditional fax machines offer none of this. Learn how fax encryption works, which services provide it, and how to send a secure fax today.

Encrypted Fax: How It Works, Pricing & Secure Alternatives

By Alexey Spasskiy · Published April 7, 2026 · Updated June 8, 2026 · 11 min read

Quick Answer: Traditional fax is not encrypted. Modern encrypted fax services protect your documents with TLS during transmission and AES-256 at rest — the same standards used by banks. mFax Business delivers HIPAA-ready encrypted faxing starting at about $9/mo (billed annually).


Encrypted fax is not a marketing buzzword — it's a specific technical capability that separates modern online fax services from the analog fax machines most people picture. When a healthcare clinic faxes patient records, or a law firm sends a signed contract, the question of whether that data is encrypted in transit matters enormously.

This guide explains exactly how fax encryption works, what the compliance standards require, and which services actually deliver it. By the end, you'll know whether your current fax setup is genuinely secure — and what to do if it isn't.

Most Fax Machines Are Not Encrypted

If your office uses a physical fax machine connected to a standard phone line, your transmissions travel as unencrypted audio tones across the Public Switched Telephone Network. Anyone with access to the line — or to the physical output tray — can read your documents.

Is Fax Encrypted by Default?

No — traditional fax is not encrypted by default. A standard fax machine converts your document into analog audio tones and transmits those tones over a phone line. There is no encryption layer on the Public Switched Telephone Network (PSTN). The signal travels in the clear.

That said, analog fax does have some inherent security properties worth understanding:

  • Point-to-point transmission — unlike email, a PSTN fax goes directly from sender to receiver without passing through intermediate servers. This limits the interception surface.
  • Specialized equipment required — intercepting a fax signal requires physical access to the phone line and equipment capable of decoding the fax tones. It's not trivially easy.
  • No persistent cloud copy — an analog fax that prints immediately leaves no digital trail by default.

These properties led to the historical assumption that "fax is secure." That assumption has aged poorly. VoIP infrastructure, where modern phone traffic increasingly routes, does not share these properties. A fax sent over a VoIP line may cross the public internet unencrypted unless the provider specifically implements T.38 over TLS or SIP/TLS.

Online fax services, by contrast, can implement genuine encryption. The question is whether a given service actually does — and to what standard.

For a deeper look at this topic, see our companion article Are Faxes Encrypted?


How Encrypted Fax Works

Encrypted fax services layer multiple security standards together. Understanding each layer helps you evaluate whether a provider's claims are meaningful.

TLS for Data in Transit

Transport Layer Security (TLS) is the same protocol that protects HTTPS web traffic. When you submit a document to an encrypted fax service, your connection to the service's servers is protected by TLS — typically TLS 1.2 or TLS 1.3.

TLS prevents eavesdropping and tampering during the transfer from your device to the fax provider's infrastructure. The minimum acceptable standard for HIPAA contexts is TLS 1.2. TLS 1.0 and 1.1 are deprecated and should not be accepted.

AES-256 for Data at Rest

Once your document reaches the provider's servers, it needs to be stored securely until it can be routed to the recipient. AES-256 (Advanced Encryption Standard, 256-bit key) is the industry benchmark for this — the same standard used by financial institutions and government agencies.

AES-256 is computationally infeasible to brute-force with current technology. A 256-bit key has more possible combinations than there are atoms in the observable universe.

T.38 Over SIP/TLS

When an online fax service actually transmits the fax to the recipient's phone line or fax machine, it often uses T.38 — the ITU standard for transmitting fax over IP networks in real time. T.38 can be carried over an unencrypted SIP connection (common in basic VoIP setups) or over SIP/TLS + SRTP, which encrypts the transmission end-to-end.

The distinction matters: a service can protect your upload with TLS and store your file with AES-256, but if the final-mile delivery uses unencrypted T.38, the document crosses the last segment in the clear.

Encryption LayerWhat It ProtectsStandard
TLS 1.2/1.3Upload from your device to fax serversTransport security
AES-256Documents stored on provider serversData at rest
SIP/TLS + SRTPFax delivery over VoIP infrastructureEnd-to-end VoIP
BAALegal accountability for PHI handlingHIPAA compliance

Why the Final Mile Matters

Many providers encrypt your upload and their storage but send the fax itself over unencrypted T.38. Ask any provider explicitly: "Is your T.38 transmission over SIP/TLS?" If they can't answer clearly, assume it is not.


Why Encrypted Fax Matters

Encryption isn't just a feature box to tick. These are the real-world scenarios where it protects your organization.

Healthcare — HIPAA Protected Health Information

Hospitals, clinics, insurers, and any entity handling Protected Health Information (PHI) under HIPAA must implement appropriate safeguards for every transmission method — including fax. An unencrypted fax of a patient record is a potential HIPAA violation with fines ranging from $100 to $50,000 per incident.

Legal — Attorney-Client Privilege

Law firms send contracts, court filings, and confidential client communications by fax regularly. Unencrypted transmission over VoIP infrastructure potentially waives privilege by exposing documents to third-party interception.

Finance — PCI-DSS

Organizations transmitting cardholder data must comply with PCI-DSS requirements, which mandate encryption for data in transit. Sending credit card authorizations or financial account information by unencrypted fax creates regulatory exposure.

Government — Sensitive Records

Federal agencies, state contractors, and defense suppliers handling controlled unclassified information (CUI) are required to use FIPS 140-2 validated encryption. Standard online fax services may not meet this bar — verify before use.


HIPAA and Encrypted Fax Requirements

HIPAA does not require end-to-end encryption for fax specifically — but it requires "appropriate safeguards" for all PHI transmissions. In practice, HHS guidance and industry consensus have established clear minimum standards.

The Technical Safeguards HIPAA Expects

  • TLS 1.2 minimum for data in transit — TLS 1.0 and 1.1 are considered insufficient
  • AES-256 for PHI stored at rest — on both your device and the provider's servers
  • Audit logs — who sent what, to whom, and when — retained for at least six years
  • Access controls — unique user logins, not shared credentials; multi-factor authentication preferred

The Business Associate Agreement (BAA)

This is the requirement most organizations miss. A BAA is a legally binding contract between you (the covered entity) and your fax provider (the business associate) that obligates them to protect PHI and report breaches.

No BAA = not HIPAA compliant, regardless of encryption quality.

A provider can use TLS 1.3 and AES-256 everywhere and still not be a compliant option if they won't sign a BAA. Get the BAA in writing before transmitting any PHI.

Common HIPAA Fax Mistake

Using a consumer fax app (even one with encryption) to send patient records. Consumer products typically do not offer BAAs. You need a business-tier plan from a provider willing to enter a formal BAA relationship.

For a complete guide to HIPAA fax requirements, see our HIPAA Compliant Fax guide.


Best Encrypted Fax Services Compared

Not all "secure fax" providers deliver the same level of protection. Here's how the leading services compare on encryption, compliance, and pricing.

ServiceEncryptionHIPAA / BAAStarting PriceBest For
mFax BusinessTLS 1.2+, AES-256✓ BAA availableFrom $9/moHealthcare, SMB, mobile-first
eFax CorporateTLS, AES-256✓ BAA availableFrom $18.95/moEnterprise, high-volume
RingCentral FaxTLS, AES-256✓ BAA availableFrom $22.99/moTeams with RingCentral UCaaS
Fax.Plus BusinessTLS 1.2+, AES-256✓ BAA availableFrom $19.99/moAPI integration, developers
DocumoTLS, AES-256✓ BAA availableFrom $25/moHealthcare-focused workflows

mFax Business

mFax Business is built for organizations that need encrypted faxing without the enterprise price tag. Documents are encrypted with AES-256 at rest and transmitted over TLS 1.2+ connections. BAAs are available on all business plans.

What sets mFax apart is its mobile-first architecture — your team can send and receive encrypted faxes from iOS or Android without a physical fax machine or desktop client. Virtual fax numbers, shared inboxes, and delivery confirmation come standard.

mFax uses usage-based pricing from about $9/mo — you build your own plan with a live calculator, dialing in the exact seats (1–35) and pages (200–5,000) you need and paying only for what you use ($3/seat + $4 per 100 pages), with no rigid fixed tiers.

eFax Corporate

eFax is one of the longest-running online fax services and handles enterprise-scale volume well. Their HIPAA-compliant tier includes BAA coverage, TLS encryption, and AES-256 storage. The interface is desktop-centric and less optimized for mobile than mFax.

Pricing starts around $18.95/month for basic plans, with corporate HIPAA plans priced higher.

RingCentral Fax

RingCentral Fax integrates tightly with the broader RingCentral UCaaS platform — ideal if your organization already uses RingCentral for phone and video. Encryption is TLS + AES-256, BAAs are available, and you get up to 1,500 fax pages per month on higher tiers.

The downside: standalone fax pricing at $22.99+/mo feels steep unless you're already in the RingCentral ecosystem.

Fax.Plus

Fax.Plus targets developers and businesses that need fax via API. Their encryption meets TLS 1.2+ and AES-256 standards, and they offer BAAs on business tiers. If you're building automated document workflows, their API is one of the cleaner implementations in the market.


How to Send an Encrypted Fax

Sending an encrypted fax is no more complex than sending an unencrypted one — the encryption happens automatically at the service layer. Here's the full process using mFax Business:

1

Choose a Service with Real Encryption

Confirm the provider uses TLS 1.2+ for transmission and AES-256 for storage. If you handle PHI, verify they will sign a BAA before you create an account. mFax Business checks all three boxes.

2

Create Your Account and Get a Fax Number

Sign up at mFax.to/business and select your plan. You'll receive a dedicated virtual fax number — this becomes your encrypted inbound and outbound fax address.

3

Prepare Your Document

Convert your document to PDF if it isn't already. For Word documents, use our free document converter. Multi-page documents can be combined using the merge PDF tool.

4

Upload and Address the Fax

In the mFax app or web dashboard, tap Send Fax. Upload your PDF, then enter the recipient's fax number in E.164 format (e.g., +1-212-555-0100). Add a cover sheet if required by your workflow.

5

Send and Save Your Receipt

Tap Send. The service transmits your document over a TLS-encrypted connection. You'll receive a delivery confirmation with timestamp — save this for your audit trail. The document is stored encrypted on mFax servers.

What Happens Behind the Scenes

When you hit Send, mFax encrypts the document with AES-256, transmits it to their secure infrastructure over TLS 1.3, and routes it to the recipient. The recipient's fax machine or online service receives it via the standard fax protocol — they don't need to be using an encrypted service themselves.


Encrypted Fax vs. Encrypted Email

Both encrypted fax and encrypted email protect documents in transit — but they work differently and suit different use cases.

FactorEncrypted FaxEncrypted Email (S/MIME / TLS)
Encryption in transitTLS between sender and providerTLS between each mail server hop
End-to-end encryptionVaries by providerOnly with S/MIME or PGP (rare)
Delivery confirmationYes — fax receipt with timestampNot guaranteed; delivery receipt is optional
HIPAA acceptanceWidely accepted in healthcareRequires specific configuration + BAA
Recipient requirementsRecipient just needs a fax numberRecipient needs compatible email client
Setup complexityNone — works with any fax numberS/MIME requires certificate exchange
Audit trailBuilt-in with timestamp + delivery logDepends on email platform

The practical difference: Email, even with TLS, passes through multiple mail transfer agents (MTAs) — each a potential interception point. A fax sent via an encrypted online service goes from your provider directly to the recipient's phone number. The routing is simpler and the delivery receipt is definitive.

For healthcare specifically, fax has decades of HIPAA precedent and workflow integration. Most EHR systems, insurance payers, and clinical workflows are built around fax numbers, not email addresses.

Our article on Is Fax Secure? covers the full comparison with email in more depth.


Encrypted Fax Security Checklist

Before trusting any provider with sensitive documents, verify these requirements are met:

  • ✓TLS 1.2 or higher: Confirmed for all data in transit between your device and the provider's servers.
  • ✓AES-256 at rest: Documents stored on provider infrastructure are encrypted with 256-bit AES, not 128-bit or weaker.
  • ✓BAA available: The provider will sign a Business Associate Agreement if you handle PHI under HIPAA.
  • ✓Audit logs: The service logs every send and receive event with timestamps, user ID, and fax number — retained for at least six years.
  • ✓Access controls: Unique logins per user; multi-factor authentication (MFA) available; no shared credentials.
  • ✓No free consumer plan for PHI: Use a business-tier plan with a signed BAA, not a personal free account.
  • ✓Deletion policy: Understand how long the provider retains your faxes and whether you can delete them on demand.

Fax Encryption Best Practices

Encryption at the service level is necessary but not sufficient. Your workflow and internal policies determine whether documents stay protected end-to-end.

Verify fax numbers before sending. The most common source of PHI exposure isn't interception — it's misdirected faxes sent to the wrong number. Double-check every recipient number, especially for healthcare documents. Our guide on HIPAA fax cover sheet requirements explains how to reduce misdirection risk with compliant cover sheets.

Train staff on encrypted fax workflows. A team member who prints and leaves a fax in the output tray has negated all your digital encryption. Physical security at the receiving end is as important as transport encryption.

Review retention policies. Encrypted fax services typically retain your documents on their servers for 30–365 days depending on the plan. For HIPAA compliance, you need retention for at least six years. Confirm your plan's retention period matches your compliance obligations.

Enable MFA. Multi-factor authentication prevents unauthorized account access — the most common way attackers gain access to stored fax records. Every user on your mFax Business account should have MFA enabled.

Audit regularly. Use the access logs your encrypted fax service provides to review who sent and received what. Look for unexpected activity — unusual sending volumes, off-hours access, or unknown fax numbers in your inbox.

For a comprehensive look at fax security beyond encryption, see Is Fax Still Secure? and our Is Fax Secure? Tips & Best Practices guide.


The Bottom Line on Encrypted Fax

Traditional fax machines are not encrypted. If your organization still relies on a physical fax machine connected to a PSTN or VoIP line without TLS, your documents are traveling in the clear.

Modern encrypted fax services — using TLS 1.2+, AES-256, and BAA agreements — close this gap entirely. For healthcare, legal, and financial organizations, the switch from physical fax to an encrypted online service isn't optional — it's a compliance requirement.

mFax Business gives your team encrypted faxing, HIPAA-ready infrastructure, and a dedicated virtual fax number starting at about $9/mo. No fax machine. No unencrypted phone line. No compliance risk.

For personal faxing, download the mFax app — send from your phone in under two minutes with the same secure infrastructure.

Frequently Asked Questions

Are faxes encrypted by default?
Traditional analog faxes sent over PSTN phone lines are NOT encrypted — they transmit as audible tones vulnerable to interception. Modern online fax services encrypt transmissions using TLS 1.2+ and store documents with AES-256 encryption. See our full breakdown in [Are Faxes Encrypted?](/blog/are-faxes-encrypted/)
What encryption standard does online fax use?
Reputable online fax services use TLS 1.2 or TLS 1.3 for data in transit and AES-256 for data at rest. Some support T.38 over SIP/TLS for real-time VoIP fax transmission, adding an extra layer of protection end-to-end.
Is encrypted fax HIPAA compliant?
Encrypted fax can meet HIPAA requirements when the service uses TLS 1.2+, AES-256 storage encryption, provides audit logs, and signs a Business Associate Agreement (BAA). The BAA is the critical legal requirement — without it, no fax service is HIPAA compliant regardless of encryption. See our [HIPAA compliant fax guide](/blog/hipaa-compliant-fax/).
How do I send an encrypted fax?
Use an online fax service that encrypts transmissions automatically. Sign up, upload your document (PDF, Word, image), enter the recipient fax number, and send. The service handles TLS encryption and AES-256 storage without any extra steps on your end.
Is encrypted fax safer than encrypted email?
Both offer strong protection when properly implemented. Encrypted fax creates a dedicated point-to-point delivery with a confirmed receipt, while even encrypted email routes through multiple servers. For healthcare, legal, and compliance contexts, encrypted fax is generally preferred.
Home Business Pricing Fax API Blog Document Converter Company
Terms of Service Privacy Policy