A HIPAA-compliant fax API lets health apps send and receive PHI by fax through code — but only with a signed BAA, encryption, and audit logging. Here's exactly what compliance requires and how to build it correctly.
Frequently Asked Questions
Is a fax API HIPAA compliant?
A fax API is HIPAA compliant only if the provider signs a Business Associate Agreement (BAA) and the service enforces TLS 1.2+ in transit, AES-256 at rest, audit logging, and access controls. The technology alone isn't enough — without a signed BAA, sending PHI through it is a violation. See our [HIPAA fax requirements](/blog/hipaa-fax-requirements/) checklist.
What is a BAA for a fax API?
A Business Associate Agreement (BAA) is a contract that makes your fax API provider legally responsible for protecting the PHI you transmit. HIPAA requires one with any vendor that handles protected health information. Some providers, like mFax, include it at no extra cost.
Do I need a BAA to send faxes containing PHI?
Yes. If your application transmits protected health information by fax, you must have a signed BAA with the fax API provider before sending a single page. Sending PHI without one is itself a HIPAA violation, regardless of how secure the technology is.
Which fax APIs are HIPAA compliant?
Providers that sign a BAA and meet the technical safeguards include mFax, Telnyx, Sinch/Phaxio, and Notifyre. Consumer or no-BAA services like Humble Fax are not suitable for PHI. Compare options in our [best HIPAA compliant fax services](/blog/best-hipaa-compliant-fax-services/) guide.
Is it legal to send patient records by fax API?
Yes — fax remains a HIPAA-accepted transmission method and is widely used in healthcare. The legality depends on safeguards: a signed BAA, encryption, access controls, and sending only to verified recipient numbers. See [how to fax medical records](/blog/how-to-fax-medical-records/).
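The safeguards listed in the answers above (TLS 1.2 or newer in transit, audit logging, sending only to verified recipient numbers, and refusing to send at all without a BAA on file) can be enforced on the client side before a request ever reaches the provider. The following is an added example written for this page, not code from mFax or any other provider named here; the `transport` callable is a hypothetical stand-in for the provider's HTTP client, the recipient allowlist and document bytes are constructed, and the rule that a bare 10-digit number is a US/CA number is an assumption made for the example.

```python
"""Client-side safeguards for a PHI fax call (added example, not a provider's SDK)."""
import hashlib
import json
import re
import ssl
from datetime import datetime, timezone

# Constructed allowlist: only numbers that staff have verified out-of-band
# (for example by phoning the receiving office) may be sent PHI.
VERIFIED_RECIPIENTS = {
    "+15550100001": "Example Clinic front desk (constructed)",
}

E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def build_tls_context() -> ssl.SSLContext:
    """TLS context that refuses anything older than TLS 1.2 and always
    verifies the provider's certificate chain and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def normalize_number(number: str) -> str:
    """Reduce a dialled number to E.164 so '(555) 010-0001' and
    '+15550100001' compare equal against the allowlist."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:  # assumption: a bare 10-digit number is US/CA
        digits = "1" + digits
    candidate = "+" + digits
    if not E164.match(candidate):
        raise ValueError(f"not a valid fax number: {number!r}")
    return candidate


def is_verified_recipient(number: str) -> bool:
    return normalize_number(number) in VERIFIED_RECIPIENTS


def audit_record(actor: str, recipient: str, document: bytes, outcome: str) -> dict:
    """Audit entry recording who sent what to whom, without storing PHI:
    the document is referenced by its SHA-256 digest and size only."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "recipient": recipient,
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "doc_bytes": len(document),
        "outcome": outcome,
    }


def send_phi_fax(transport, actor, recipient, document, baa_signed, audit_log):
    """Send `document` to `recipient` via `transport(ctx, number, payload)`.
    `transport` is a hypothetical hook standing in for the provider's client.
    Every attempt, accepted or rejected, leaves an audit record."""
    if not baa_signed:
        raise PermissionError("no signed BAA on file for this provider")
    number = normalize_number(recipient)
    if number not in VERIFIED_RECIPIENTS:
        audit_log.append(audit_record(actor, number, document, "rejected: unverified recipient"))
        raise ValueError(f"{number} is not a verified recipient")
    ctx = build_tls_context()
    outcome = "failed: not attempted"
    try:
        transport(ctx, number, document)
        outcome = "sent"
    except Exception as exc:
        outcome = f"failed: {type(exc).__name__}"
        raise
    finally:
        audit_log.append(audit_record(actor, number, document, outcome))
    return audit_log[-1]


def dry_run_transport(ctx, number, payload):
    """Offline stand-in for the real API call; only checks the TLS policy."""
    assert ctx.minimum_version == ssl.TLSVersion.TLSv1_2
    return {"status": "queued", "to": number}


if __name__ == "__main__":
    log = []
    rec = send_phi_fax(dry_run_transport, "dr.example", "(555) 010-0001",
                       b"PHI-CONSTRUCTED sample page", True, log)
    print(json.dumps(rec, indent=2))
```

The design point is that the checks run in a fixed order: BAA first (a policy fact, not a runtime condition), then recipient verification, then the TLS policy, and the audit record is written in a `finally` block so a transport failure is logged alongside a success. The audit entry deliberately carries a digest and byte count rather than the page content, so the log itself never becomes a second copy of PHI.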