Fax Solutions for Healthcare: Beyond HIPAA Compliance
Healthcare organizations exchange over 9 billion fax pages annually — yet HIPAA is only the beginning of the compliance story. Discover the regulations, workflow standards, and technical features that make a fax solution truly healthcare-ready in 2026.
Frequently Asked Questions
Is faxing PHI legal under HIPAA?
Yes. The HIPAA Privacy Rule explicitly permits faxing PHI for treatment, payment, and healthcare operations, provided reasonable safeguards are in place — including a signed BAA with any third-party fax vendor, encryption, and proper cover sheets. See [our complete HIPAA fax guide](/blog/hipaa-compliant-fax/).
What regulations beyond HIPAA apply to healthcare faxing?
Several laws extend beyond HIPAA: the HITECH Act strengthened breach notification and penalty tiers; the 21st Century Cures Act's information blocking rules can penalize fax-based barriers to data access; and the CMS Claims Attachments Final Rule (2026) mandates electronic channels for claims-supporting documents by May 2028. State laws like California's CMIA and Texas HB 300 add further requirements.
What happens if a fax is sent to the wrong number?
A misdirected fax containing PHI is an automatic HIPAA breach. The covered entity must notify the affected individual and HHS within 60 days. If 500 or more individuals are affected, media notification is also required. The receiving party should be instructed to destroy the misdirected document immediately.
Does a cloud fax provider need to sign a BAA?
Yes — without exception. Any vendor that transmits, stores, or processes PHI on your behalf is a Business Associate, and a signed BAA is legally required before any PHI is exchanged. Never assume that a vendor advertising itself as "HIPAA-ready" has provided one; request and execute the BAA before use.
Will CMS phase out fax entirely?
For claims attachments, yes. The CMS Administrative Simplification Final Rule published in March 2026 requires covered entities to submit medical records, lab results, and clinical notes through standardized electronic channels by May 26, 2028 — effectively eliminating fax for that use case. Fax is expected to remain legal and in use for other healthcare communication types well beyond that date.