Faxing PHI: How to Send Protected Health Information Safely
Faxing protected health information (PHI) is legal under HIPAA — but only with the right safeguards. Learn the administrative, technical, and physical controls your practice needs, plus how to avoid costly misdirected-fax breaches.
Frequently Asked Questions
Is faxing PHI a HIPAA violation?
Faxing PHI is not automatically a violation. HIPAA permits faxing for treatment, payment, and healthcare operations as long as reasonable safeguards are in place: verified recipient numbers, cover sheets, audit trails, and encryption wherever the fax is transmitted or stored electronically (an online fax service, a fax server, or archived images). An analog fax over a phone line cannot be encrypted, so for traditional faxing the safeguards are procedural and physical rather than cryptographic. See our [HIPAA fax requirements checklist](/blog/hipaa-fax-requirements/) for the full list.
Can you fax PHI without patient consent?
Yes, for treatment purposes. The HIPAA Privacy Rule allows covered entities to share PHI via fax for treatment, payment, and healthcare operations without written patient authorization. The minimum necessary standard applies to faxes sent for payment and healthcare operations, so send only the information needed; it does not apply to disclosures to, or requests by, a healthcare provider for treatment.
What happens if you fax PHI to the wrong number?
A misdirected fax containing PHI is an impermissible disclosure, and under the HIPAA Breach Notification Rule it is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised. You must document the incident, contact the unintended recipient to request destruction of the fax and confirmation that it was not further disclosed, and complete the risk assessment to decide whether notification of the patient (and, depending on the size of the breach, HHS and the media) is required. Civil penalties depend on the level of culpability; as of the 2024 inflation adjustment the minimum is $141 per violation, and the annual cap for identical violations exceeds $2 million.
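Most misdirected faxes are a mis-typed or stale number, so the control that prevents them is a pre-send check against a directory of recipient numbers that were verified out-of-band, with every send decision written to an audit trail. The following is an added example, not code from the original page or any fax product; the directory, the numbers, the sender names and the `SendGuard` class are constructed for illustration.

```python
"""Pre-send guard against misdirected faxes.

A destination is allowed only if it matches an entry in a directory of
numbers that were confirmed out-of-band (test fax or call-back) before
being added.  Every attempt, allowed or blocked, is appended to an audit
log so a later breach review can reconstruct who sent what where.
Added example; the directory and all numbers below are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed directory: E.164 number -> verified recipient description.
VERIFIED_RECIPIENTS = {
    "+15551234567": "Dr. Example, Cardiology",
    "+15559876543": "Example Labs, Results Desk",
}


def normalize_number(raw: str, default_country: str = "1") -> str:
    """Canonicalize a dialed number to E.164 so that '555-123-4567',
    '(555) 123 4567' and '1 555 123 4567' all compare equal.
    Raises ValueError for anything that cannot be interpreted, which the
    guard treats as a blocked send rather than guessing."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+") and digits:
        return "+" + digits
    if len(digits) == 10:                       # national number, no country code
        return "+" + default_country + digits
    if len(digits) == 11 and digits.startswith(default_country):
        return "+" + digits
    raise ValueError(f"cannot normalize fax number: {raw!r}")


@dataclass
class SendGuard:
    directory: dict
    audit_log: list = field(default_factory=list)

    def check(self, raw_number: str, sender: str, doc_id: str) -> bool:
        """Return True only if raw_number resolves to a verified recipient.
        The decision and its reason are recorded before returning."""
        try:
            number = normalize_number(raw_number)
        except ValueError as exc:
            self._record(sender, doc_id, raw_number, "BLOCKED", str(exc))
            return False
        if number not in self.directory:
            self._record(sender, doc_id, number, "BLOCKED",
                         "destination not in verified recipient directory")
            return False
        self._record(sender, doc_id, number, "ALLOWED", self.directory[number])
        return True

    def _record(self, sender, doc_id, dest, decision, detail):
        # Audit-trail entry: who, which document, where, and the outcome.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "sender": sender,
            "doc_id": doc_id,
            "dest": dest,
            "decision": decision,
            "detail": detail,
        })


if __name__ == "__main__":
    guard = SendGuard(VERIFIED_RECIPIENTS)
    for dest in ["(555) 123-4567", "555-000-0000", "12345"]:
        print(dest, "->", "send" if guard.check(dest, "jdoe", "referral-42") else "block")
    for entry in guard.audit_log:
        print(entry)
```

The directory, not the person typing the number, is the source of truth: a number gets into it only after someone confirms the far end, and a number that is not there is blocked rather than dialed. Keeping the blocked attempts in the same log as the allowed ones is what makes the audit trail useful after an incident.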
Is faxing more secure than email for sending PHI?
Traditional fax is a point-to-point call that is not stored on intermediate mail servers, so it presents fewer places to intercept than unencrypted email; the call itself is still unencrypted, and today it often crosses VoIP gateways rather than a pure analog line. Cloud-based fax services that use TLS protect the connection between you and the provider, which removes the open-network exposure of email, but TLS is transport encryption, not end-to-end: the provider can see the document, and if the recipient is a physical fax machine the final leg is an ordinary fax call. Choose a provider on the strength of its BAA, its encryption of stored faxes, and its access controls, not on the word "encrypted" alone. Learn more in our guide to [online fax security](/blog/is-online-fax-secure/).
Do you need a BAA to fax PHI through an online service?
Yes. Any third-party fax service that transmits, stores, or processes PHI on your behalf is a business associate under HIPAA, and you must have a signed Business Associate Agreement (BAA) before sending your first fax. The exception is a pure conduit: a telephone carrier that only carries the call, with no storage of the content beyond what transmission requires, is not a business associate. An online fax service that converts, stores, or lets you retrieve faxes does not qualify for that exception.