What Is a Secure Fax? Definition, Features & How to Send One

A secure fax encrypts your documents in transit and at rest, adds access controls, and maintains an audit trail — protecting sensitive data that ordinary fax or email leaves exposed. Here's exactly what that means and how to send one.

What Is a Secure Fax? Definition, Features & How to Send One

By Sarah Martinez · Published April 19, 2026 · Updated June 8, 2026 · 5 min read

Not all faxes are created equal. When your doctor's office faxes lab results, or a law firm transmits a signed contract, the word "fax" doesn't automatically mean "safe." A secure fax is a specific category of fax service that enforces encryption, access controls, and compliance — turning an ordinary transmission into one that stands up to HIPAA auditors, legal discovery, and data breach scrutiny.

This guide explains exactly what a secure fax is, how it works, and how to know whether a service actually delivers on that promise — or just claims to.

What Makes a Fax "Secure"?

A secure fax is a digital document transmission that protects sensitive information through three technical layers: encryption in transit, encryption at rest, and access controls with an audit trail. If any one layer is missing, the service isn't truly secure — regardless of the marketing language.

Encryption in Transit: TLS 1.3

When your document travels from your device to the recipient, it crosses the public internet. Without encryption, anyone on that path — an ISP, a compromised router, a man-in-the-middle attack — can read it.

Secure fax services use Transport Layer Security (TLS 1.3), the same protocol that protects online banking. The document is encrypted into unreadable ciphertext before it leaves your account. Only the recipient's fax endpoint can decrypt it. Anything below TLS 1.2 is considered outdated and potentially vulnerable.

Encryption at Rest: AES-256

Once your document arrives and is stored, it faces a second risk: server breaches. AES-256 is the gold standard for data at rest — a 256-bit key applied across 14 encryption rounds. Even if a server is compromised, the files are unreadable without the decryption key.

A service that encrypts in transit but stores documents as plain files on disk is only half-secure.

Access Controls, Authentication & Audit Trails

Encryption protects the data itself. Access controls protect who can reach it. In a secure fax system:

  • Multi-factor authentication (MFA) — logins require more than a password
  • Role-based access — administrators control which users can send, receive, or view specific faxes
  • Immutable audit logs — every transmission is timestamped with sender, recipient, page count, and delivery status; logs cannot be altered
  • Delivery confirmation — cryptographic receipts prove the document was received

This combination is what makes a fax usable as legal evidence and required under regulations like HIPAA.

Why This Matters for HIPAA

HIPAA's Security Rule requires covered entities to implement "technical security measures to guard against unauthorized access" to Protected Health Information (PHI). A fax service that doesn't offer TLS + AES-256 + a Business Associate Agreement cannot be used for PHI — full stop. Read the full checklist in our HIPAA fax requirements guide.

Secure Fax vs. Regular Online Fax vs. Traditional Fax

Not all fax options are equivalent. Here's how the three categories compare across the dimensions that matter for compliance:

DimensionTraditional Fax MachineRegular Online FaxSecure Fax Service
Encryption in transitNone (analog PSTN signal)Variable — often TLS, not guaranteedTLS 1.2/1.3 enforced
Encryption at restNone (paper in tray)VariableAES-256 mandatory
Audit trailMachine log only (limited)Basic send/receiveFull immutable log
Access controlsPhysical access onlyPassword loginMFA + role-based
HIPAA compliancePossible with physical safeguardsUsually not certifiedCertified; BAA available
Physical exposure riskHigh — documents sit in open trayNoneNone
Cost (approx.)$100–500 hardware + $20–50/mo line~$5–20/mo~$15–30/mo
Third-party auditNoneRarelySOC 2 Type II, HITRUST

The key insight: a regular online fax service is not the same as a secure fax service. A provider can offer online faxing without publishing its encryption standards, without signing a BAA, and without a third-party security audit. "Online fax" is a delivery mechanism; "secure fax" is a certified level of protection.

For a deeper look at how encryption standards work in practice, see our fax encryption guide.

Who Needs a Secure Fax Service?

Any organization that transmits sensitive or regulated information — and faces legal consequences if that information is exposed — needs a secure fax service.

Healthcare is the clearest case. An estimated 75% of U.S. medical communications still travel by fax: referrals, lab results, prescriptions, prior authorizations, and insurance claims. HIPAA mandates technical safeguards for all Protected Health Information. Violations tied to unsecured fax can cost $100 to $1.5 million per incident.

Legal firms handle attorney-client privileged documents, court filings, and case evidence. Chain of custody for legal documents requires tamper-evident delivery proof — exactly what a secure fax audit trail provides.

Financial services — banks, mortgage brokers, accountants, and insurers — transmit Social Security numbers, tax returns, and loan documents governed by the Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley (SOX).

Government agencies use FedRAMP-authorized cloud fax for citizen data and procurement documents.

Real estate professionals regularly fax contracts, title documents, and escrow instructions where legal enforceability requires a documented transmission record.

Don't Confuse 'Encrypted in Transit' With 'Secure'

Many fax services advertise TLS without specifying the version (TLS 1.0 and 1.1 are deprecated and vulnerable) or mentioning storage encryption. A service that encrypts transmission but stores documents unencrypted on its servers is not a secure fax service. Demand specifics: TLS 1.2+ in transit and AES-256 at rest.

How to Identify a Truly Secure Fax Provider

Use this checklist before committing to any fax service for sensitive documents:

Secure Fax Provider Checklist

AES-256 encryption at rest — explicitly stated (not implied)
TLS 1.2 or higher in transit — look for TLS 1.3 as the current best practice
SOC 2 Type II certification — independent third-party security audit
HIPAA compliance + Business Associate Agreement (BAA) offered
Multi-factor authentication (MFA) supported
Role-based access controls for team accounts
Full audit logs — immutable, timestamped, and exportable
Clear data retention and deletion policy
Delivery confirmation with cryptographic receipt
Published security documentation or whitepaper

Red flags to avoid: A provider that uses vague language ("we take security seriously") without naming specific encryption standards. No BAA offered. No compliance certifications listed anywhere on the website. No mention of third-party audits.

How to Send a Secure Fax with mFax Business

mFax Business meets all of the criteria above: TLS 1.3 in transit, AES-256 at rest, HIPAA-ready infrastructure, BAA available, and a full audit trail on every transmission.

The process takes under two minutes:

  1. Log in to your mFax Business account at app.mfax.to
  2. Upload your document — PDF, Word, image, or scan
  3. Enter the recipient's fax number — US, Canadian, or international
  4. Send — the service encrypts the document automatically and delivers it with TLS 1.3
  5. Confirm delivery — your audit log records the exact timestamp, page count, and delivery status

No hardware. No phone lines. No paper sitting in a tray. Just an encrypted, confirmed, logged transmission.

For sending PHI, our guide on faxing PHI securely covers the additional safeguards HIPAA requires beyond the technology itself.


What to Do Next

If you're currently using a fax machine or a basic online fax service for regulated documents, the risk is real. A single misdirected fax containing PHI triggered a $125,000 HIPAA settlement in 2020.

mFax Business gives you virtual fax numbers, HIPAA-ready infrastructure, team accounts, and a BAA — starting at about $9/mo (billed annually). There are no rigid fixed tiers: you build your own plan with a live calculator, choosing the exact seats and pages you need and paying only for what you use. No hardware, no long-term contracts.

For a broader look at how online fax measures up to email and traditional fax on security, read our full guide: Is Online Fax Secure?

Frequently Asked Questions

What is a secure fax?
A secure fax is a digital document transmission that uses TLS 1.2/1.3 encryption in transit and AES-256 encryption at rest, combined with access controls and an audit trail. Unlike traditional fax or plain email, a secure fax ensures only authorized parties can access the document.
Is a traditional fax machine secure?
Traditional fax machines offer no encryption — they transmit data as unencrypted analog signals over the public telephone network. Physical documents also sit exposed in the output tray. They're less secure than a certified online fax service. See our full breakdown in [Is Fax Still Secure?](/blog/is-fax-still-secure/).
What makes a fax HIPAA compliant?
For HIPAA compliance, a fax service must use TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access controls, a full audit trail, and sign a Business Associate Agreement (BAA) with your organization. See the complete checklist in our [HIPAA fax requirements guide](/blog/hipaa-fax-requirements/).
What is the difference between a regular online fax and a secure fax?
A regular online fax service may route documents over the internet but offers no guarantee of encryption standards, compliance certifications, or audit logging. A secure fax service explicitly enforces AES-256 at rest, TLS 1.2+ in transit, provides a BAA, and is audited (SOC 2 Type II or HITRUST) by a third party.
Can faxes be intercepted?
Traditional PSTN faxes can theoretically be intercepted via phone-line tapping — no encryption is used. Secure online faxes encrypted with TLS 1.3 are effectively impossible to intercept in transit. The greater risk for online fax is account compromise (weak passwords, no MFA), not wire-level interception.
Home Business Pricing Fax API Blog Document Converter Company
Terms of Service Privacy Policy