HIPAA Fax Requirements: Encryption, BAA & Audit Trail Checklist

HIPAA doesn't ban faxing — but it demands specific safeguards before you send PHI. Here's every encryption, BAA, and audit trail requirement your practice must meet in 2026.

Frequently Asked Questions

Is faxing PHI allowed under HIPAA?
Yes. HIPAA permits faxing protected health information for treatment, payment, and healthcare operations — as long as you apply reasonable administrative, physical, and technical safeguards. See our [complete HIPAA fax guide](/blog/hipaa-compliant-fax/) for details.

Do I need a BAA with my fax service provider?
Yes. Any third-party fax vendor that stores, transmits, or has access to PHI is a business associate under HIPAA. You must execute a signed BAA before sending the first fax.

What encryption does HIPAA require for faxing?
HIPAA requires TLS 1.2 or higher for data in transit and AES-256 (or equivalent) for data at rest. The 2026 proposed Security Rule makes encryption mandatory — no longer an addressable safeguard.

Are traditional fax machines HIPAA compliant?
Analog fax machines transmit over PSTN phone lines and are not subject to the HIPAA Security Rule's electronic safeguard requirements. However, you still need physical and administrative safeguards — secure placement, cover sheets, and access controls.

What happens if I fax PHI to the wrong number?
A misdirected fax containing PHI is a potential HIPAA breach. You must report it to your privacy officer, document the incident, and follow your organization's breach notification procedures. Penalties range from $141 to $2,134,831 per violation depending on the level of negligence.