By Alexey Spasskiy · Published April 7, 2026 · Updated June 8, 2026 · 11 min read
Quick Answer: Traditional fax is not encrypted. Modern encrypted fax services protect your documents with TLS during transmission and AES-256 at rest — the same standards used by banks. mFax Business delivers HIPAA-ready encrypted faxing starting at about $9/mo (billed annually).
Encrypted fax is not a marketing buzzword — it's a specific technical capability that separates modern online fax services from the analog fax machines most people picture. When a healthcare clinic faxes patient records, or a law firm sends a signed contract, the question of whether that data is encrypted in transit matters enormously.
This guide explains exactly how fax encryption works, what the compliance standards require, and which services actually deliver it. By the end, you'll know whether your current fax setup is genuinely secure — and what to do if it isn't.
Most Fax Machines Are Not Encrypted
If your office uses a physical fax machine connected to a standard phone line, your transmissions travel as unencrypted audio tones across the Public Switched Telephone Network. Anyone with access to the line — or to the physical output tray — can read your documents.
Is Fax Encrypted by Default?
No — traditional fax is not encrypted by default. A standard fax machine converts your document into analog audio tones and transmits those tones over a phone line. There is no encryption layer on the Public Switched Telephone Network (PSTN). The signal travels in the clear.
That said, analog fax does have some inherent security properties worth understanding:
- Point-to-point transmission — unlike email, a PSTN fax goes directly from sender to receiver without passing through intermediate servers. This limits the interception surface.
- Specialized equipment required — intercepting a fax signal requires physical access to the phone line and equipment capable of decoding the fax tones. It's not trivially easy.
- No persistent cloud copy — an analog fax that prints immediately leaves no digital trail by default.
These properties led to the historical assumption that "fax is secure." That assumption has aged poorly. VoIP infrastructure, where modern phone traffic increasingly routes, does not share these properties. A fax sent over a VoIP line may cross the public internet unencrypted unless the provider specifically implements T.38 over TLS or SIP/TLS.
Online fax services, by contrast, can implement genuine encryption. The question is whether a given service actually does — and to what standard.
For a deeper look at this topic, see our companion article Are Faxes Encrypted?
How Encrypted Fax Works
Encrypted fax services layer multiple security standards together. Understanding each layer helps you evaluate whether a provider's claims are meaningful.
TLS for Data in Transit
Transport Layer Security (TLS) is the same protocol that protects HTTPS web traffic. When you submit a document to an encrypted fax service, your connection to the service's servers is protected by TLS — typically TLS 1.2 or TLS 1.3.
TLS prevents eavesdropping and tampering during the transfer from your device to the fax provider's infrastructure. The minimum acceptable standard for HIPAA contexts is TLS 1.2. TLS 1.0 and 1.1 are deprecated and should not be accepted.
AES-256 for Data at Rest
Once your document reaches the provider's servers, it needs to be stored securely until it can be routed to the recipient. AES-256 (Advanced Encryption Standard, 256-bit key) is the industry benchmark for this — the same standard used by financial institutions and government agencies.
AES-256 is computationally infeasible to brute-force with current technology. A 256-bit key has more possible combinations than there are atoms in the observable universe.
T.38 Over SIP/TLS
When an online fax service actually transmits the fax to the recipient's phone line or fax machine, it often uses T.38 — the ITU standard for transmitting fax over IP networks in real time. T.38 can be carried over an unencrypted SIP connection (common in basic VoIP setups) or over SIP/TLS + SRTP, which encrypts the transmission end-to-end.
The distinction matters: a service can protect your upload with TLS and store your file with AES-256, but if the final-mile delivery uses unencrypted T.38, the document crosses the last segment in the clear.
| Encryption Layer | What It Protects | Standard |
|---|---|---|
| TLS 1.2/1.3 | Upload from your device to fax servers | Transport security |
| AES-256 | Documents stored on provider servers | Data at rest |
| SIP/TLS + SRTP | Fax delivery over VoIP infrastructure | End-to-end VoIP |
| BAA | Legal accountability for PHI handling | HIPAA compliance |
Why the Final Mile Matters
Many providers encrypt your upload and their storage but send the fax itself over unencrypted T.38. Ask any provider explicitly: "Is your T.38 transmission over SIP/TLS?" If they can't answer clearly, assume it is not.
Why Encrypted Fax Matters
Encryption isn't just a feature box to tick. These are the real-world scenarios where it protects your organization.
Healthcare — HIPAA Protected Health Information
Hospitals, clinics, insurers, and any entity handling Protected Health Information (PHI) under HIPAA must implement appropriate safeguards for every transmission method — including fax. An unencrypted fax of a patient record is a potential HIPAA violation with fines ranging from $100 to $50,000 per incident.
Legal — Attorney-Client Privilege
Law firms send contracts, court filings, and confidential client communications by fax regularly. Unencrypted transmission over VoIP infrastructure potentially waives privilege by exposing documents to third-party interception.
Finance — PCI-DSS
Organizations transmitting cardholder data must comply with PCI-DSS requirements, which mandate encryption for data in transit. Sending credit card authorizations or financial account information by unencrypted fax creates regulatory exposure.
Government — Sensitive Records
Federal agencies, state contractors, and defense suppliers handling controlled unclassified information (CUI) are required to use FIPS 140-2 validated encryption. Standard online fax services may not meet this bar — verify before use.
HIPAA and Encrypted Fax Requirements
HIPAA does not require end-to-end encryption for fax specifically — but it requires "appropriate safeguards" for all PHI transmissions. In practice, HHS guidance and industry consensus have established clear minimum standards.
The Technical Safeguards HIPAA Expects
- TLS 1.2 minimum for data in transit — TLS 1.0 and 1.1 are considered insufficient
- AES-256 for PHI stored at rest — on both your device and the provider's servers
- Audit logs — who sent what, to whom, and when — retained for at least six years
- Access controls — unique user logins, not shared credentials; multi-factor authentication preferred
The Business Associate Agreement (BAA)
This is the requirement most organizations miss. A BAA is a legally binding contract between you (the covered entity) and your fax provider (the business associate) that obligates them to protect PHI and report breaches.
No BAA = not HIPAA compliant, regardless of encryption quality.
A provider can use TLS 1.3 and AES-256 everywhere and still not be a compliant option if they won't sign a BAA. Get the BAA in writing before transmitting any PHI.
Common HIPAA Fax Mistake
Using a consumer fax app (even one with encryption) to send patient records. Consumer products typically do not offer BAAs. You need a business-tier plan from a provider willing to enter a formal BAA relationship.
For a complete guide to HIPAA fax requirements, see our HIPAA Compliant Fax guide.
Best Encrypted Fax Services Compared
Not all "secure fax" providers deliver the same level of protection. Here's how the leading services compare on encryption, compliance, and pricing.
| Service | Encryption | HIPAA / BAA | Starting Price | Best For |
|---|---|---|---|---|
| mFax Business | TLS 1.2+, AES-256 | ✓ BAA available | From $9/mo | Healthcare, SMB, mobile-first |
| eFax Corporate | TLS, AES-256 | ✓ BAA available | From $18.95/mo | Enterprise, high-volume |
| RingCentral Fax | TLS, AES-256 | ✓ BAA available | From $22.99/mo | Teams with RingCentral UCaaS |
| Fax.Plus Business | TLS 1.2+, AES-256 | ✓ BAA available | From $19.99/mo | API integration, developers |
| Documo | TLS, AES-256 | ✓ BAA available | From $25/mo | Healthcare-focused workflows |
mFax Business
mFax Business is built for organizations that need encrypted faxing without the enterprise price tag. Documents are encrypted with AES-256 at rest and transmitted over TLS 1.2+ connections. BAAs are available on all business plans.
What sets mFax apart is its mobile-first architecture — your team can send and receive encrypted faxes from iOS or Android without a physical fax machine or desktop client. Virtual fax numbers, shared inboxes, and delivery confirmation come standard.
mFax uses usage-based pricing from about $9/mo — you build your own plan with a live calculator, dialing in the exact seats (1–35) and pages (200–5,000) you need and paying only for what you use ($3/seat + $4 per 100 pages), with no rigid fixed tiers.
eFax Corporate
eFax is one of the longest-running online fax services and handles enterprise-scale volume well. Their HIPAA-compliant tier includes BAA coverage, TLS encryption, and AES-256 storage. The interface is desktop-centric and less optimized for mobile than mFax.
Pricing starts around $18.95/month for basic plans, with corporate HIPAA plans priced higher.
RingCentral Fax
RingCentral Fax integrates tightly with the broader RingCentral UCaaS platform — ideal if your organization already uses RingCentral for phone and video. Encryption is TLS + AES-256, BAAs are available, and you get up to 1,500 fax pages per month on higher tiers.
The downside: standalone fax pricing at $22.99+/mo feels steep unless you're already in the RingCentral ecosystem.
Fax.Plus
Fax.Plus targets developers and businesses that need fax via API. Their encryption meets TLS 1.2+ and AES-256 standards, and they offer BAAs on business tiers. If you're building automated document workflows, their API is one of the cleaner implementations in the market.
How to Send an Encrypted Fax
Sending an encrypted fax is no more complex than sending an unencrypted one — the encryption happens automatically at the service layer. Here's the full process using mFax Business:
Choose a Service with Real Encryption
Confirm the provider uses TLS 1.2+ for transmission and AES-256 for storage. If you handle PHI, verify they will sign a BAA before you create an account. mFax Business checks all three boxes.
Create Your Account and Get a Fax Number
Sign up at mFax.to/business and select your plan. You'll receive a dedicated virtual fax number — this becomes your encrypted inbound and outbound fax address.
Prepare Your Document
Convert your document to PDF if it isn't already. For Word documents, use our free document converter. Multi-page documents can be combined using the merge PDF tool.
Upload and Address the Fax
In the mFax app or web dashboard, tap Send Fax. Upload your PDF, then enter the recipient's fax number in E.164 format (e.g., +1-212-555-0100). Add a cover sheet if required by your workflow.
Send and Save Your Receipt
Tap Send. The service transmits your document over a TLS-encrypted connection. You'll receive a delivery confirmation with timestamp — save this for your audit trail. The document is stored encrypted on mFax servers.
What Happens Behind the Scenes
When you hit Send, mFax encrypts the document with AES-256, transmits it to their secure infrastructure over TLS 1.3, and routes it to the recipient. The recipient's fax machine or online service receives it via the standard fax protocol — they don't need to be using an encrypted service themselves.
Encrypted Fax vs. Encrypted Email
Both encrypted fax and encrypted email protect documents in transit — but they work differently and suit different use cases.
| Factor | Encrypted Fax | Encrypted Email (S/MIME / TLS) |
|---|---|---|
| Encryption in transit | TLS between sender and provider | TLS between each mail server hop |
| End-to-end encryption | Varies by provider | Only with S/MIME or PGP (rare) |
| Delivery confirmation | Yes — fax receipt with timestamp | Not guaranteed; delivery receipt is optional |
| HIPAA acceptance | Widely accepted in healthcare | Requires specific configuration + BAA |
| Recipient requirements | Recipient just needs a fax number | Recipient needs compatible email client |
| Setup complexity | None — works with any fax number | S/MIME requires certificate exchange |
| Audit trail | Built-in with timestamp + delivery log | Depends on email platform |
The practical difference: Email, even with TLS, passes through multiple mail transfer agents (MTAs) — each a potential interception point. A fax sent via an encrypted online service goes from your provider directly to the recipient's phone number. The routing is simpler and the delivery receipt is definitive.
For healthcare specifically, fax has decades of HIPAA precedent and workflow integration. Most EHR systems, insurance payers, and clinical workflows are built around fax numbers, not email addresses.
Our article on Is Fax Secure? covers the full comparison with email in more depth.
Encrypted Fax Security Checklist
Before trusting any provider with sensitive documents, verify these requirements are met:
- ✓TLS 1.2 or higher: Confirmed for all data in transit between your device and the provider's servers.
- ✓AES-256 at rest: Documents stored on provider infrastructure are encrypted with 256-bit AES, not 128-bit or weaker.
- ✓BAA available: The provider will sign a Business Associate Agreement if you handle PHI under HIPAA.
- ✓Audit logs: The service logs every send and receive event with timestamps, user ID, and fax number — retained for at least six years.
- ✓Access controls: Unique logins per user; multi-factor authentication (MFA) available; no shared credentials.
- ✓No free consumer plan for PHI: Use a business-tier plan with a signed BAA, not a personal free account.
- ✓Deletion policy: Understand how long the provider retains your faxes and whether you can delete them on demand.
Fax Encryption Best Practices
Encryption at the service level is necessary but not sufficient. Your workflow and internal policies determine whether documents stay protected end-to-end.
Verify fax numbers before sending. The most common source of PHI exposure isn't interception — it's misdirected faxes sent to the wrong number. Double-check every recipient number, especially for healthcare documents. Our guide on HIPAA fax cover sheet requirements explains how to reduce misdirection risk with compliant cover sheets.
Train staff on encrypted fax workflows. A team member who prints and leaves a fax in the output tray has negated all your digital encryption. Physical security at the receiving end is as important as transport encryption.
Review retention policies. Encrypted fax services typically retain your documents on their servers for 30–365 days depending on the plan. For HIPAA compliance, you need retention for at least six years. Confirm your plan's retention period matches your compliance obligations.
Enable MFA. Multi-factor authentication prevents unauthorized account access — the most common way attackers gain access to stored fax records. Every user on your mFax Business account should have MFA enabled.
Audit regularly. Use the access logs your encrypted fax service provides to review who sent and received what. Look for unexpected activity — unusual sending volumes, off-hours access, or unknown fax numbers in your inbox.
For a comprehensive look at fax security beyond encryption, see Is Fax Still Secure? and our Is Fax Secure? Tips & Best Practices guide.
The Bottom Line on Encrypted Fax
Traditional fax machines are not encrypted. If your organization still relies on a physical fax machine connected to a PSTN or VoIP line without TLS, your documents are traveling in the clear.
Modern encrypted fax services — using TLS 1.2+, AES-256, and BAA agreements — close this gap entirely. For healthcare, legal, and financial organizations, the switch from physical fax to an encrypted online service isn't optional — it's a compliance requirement.
mFax Business gives your team encrypted faxing, HIPAA-ready infrastructure, and a dedicated virtual fax number starting at about $9/mo. No fax machine. No unencrypted phone line. No compliance risk.
For personal faxing, download the mFax app — send from your phone in under two minutes with the same secure infrastructure.