HIPAA-Compliant Fax Checklist: 30 Requirements Every Healthcare Team Needs to Meet

Author: Rachel Yianitsas
Published: June 18, 2026
Updated on: June 18, 2026

Fax remains the dominant method for exchanging clinical documents in healthcare. Referrals, lab results, prior authorizations, discharge summaries, and consent forms still travel by fax in the majority of healthcare organizations — and HIPAA still governs every one of those transmissions.

The problem isn’t that fax is inherently non-compliant. HIPAA’s Privacy Rule explicitly permits faxing protected health information (PHI) when appropriate safeguards are in place. The problem is that most healthcare teams inherited their fax workflows years ago, never formally audited them against current HIPAA requirements, and have been running on assumptions ever since.

This checklist covers 30 key areas your fax workflow should address to support HIPAA compliance. Use it before your next audit, before you onboard a new fax vendor, or any time your fax infrastructure changes. Each item is actionable — any gap you identify is worth reviewing with your compliance officer or legal counsel.

Who This Checklist Is For

This checklist applies to any covered entity or business associate that sends, receives, stores, or processes faxes containing protected health information, including:

  • Hospitals and health systems
  • Physician practices and specialty clinics
  • Post-acute and long-term care facilities
  • Behavioral health and substance use treatment providers
  • Imaging centers and diagnostic labs
  • Revenue cycle management companies
  • Health IT vendors and EHR platforms that process fax on behalf of covered entities

If PHI moves through your fax workflow, this checklist applies to you.

A Note on HIPAA and Fax

HIPAA does not prohibit fax. Under the Privacy Rule (45 CFR § 164.530), covered entities are permitted to use and disclose PHI via fax for treatment, payment, and healthcare operations purposes, provided reasonable safeguards are applied.

Under the Security Rule (45 CFR § 164.300–164.318), any electronic PHI (ePHI) — which includes digital fax transmissions — must be protected by technical safeguards including access controls, audit controls, integrity controls, and transmission security.

The compliance burden is on the organization to implement and document those safeguards — not to assume they are in place.

The HIPAA-Compliant Fax Checklist

Vendor and Contractual Requirements

  • 1. A signed Business Associate Agreement (BAA) is in place with your fax vendor. Any vendor, platform, or service provider that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate under HIPAA (45 CFR § 160.103). A BAA is a legal requirement — not a best practice, not optional. If your fax vendor refuses to sign one, they are not a viable option for healthcare fax. This applies to cloud fax platforms, digital fax services, and any managed fax solution.
  • 2. The BAA covers transmission, storage, and any downstream document processing. Some Business Associate Agreements are narrowly scoped. Review the agreement carefully to confirm it covers every way ePHI moves through the vendor’s system — not just the act of initiating a fax transmission, but storage of received faxes, any document processing that occurs, and data retention and deletion obligations.
  • 3. Your vendor’s HIPAA compliance posture is documented and current. Request written documentation of the vendor’s HIPAA compliance program. Reputable vendors have this available. It should include their encryption standards, access control policies, audit log capabilities, breach response procedures, and subcontractor management practices. If a vendor cannot produce documentation, that is a disqualifying red flag.
  • 4. Your vendor holds SOC 2 Type II certification. SOC 2 Type II certification confirms that an independent auditor has reviewed and validated the vendor’s security controls over a defined period — not just at a single point in time. It is not equivalent to HIPAA compliance certification, but it is a strong indicator that the vendor’s security practices are consistent and independently verified. Request the most recent report.
  • 5. Subcontractors used by your fax vendor are also covered by BAAs. Under HIPAA’s Omnibus Rule, Business Associates are required to obtain BAAs from their own subcontractors who handle ePHI. Ask your fax vendor whether they use subcontractors for any part of their service — hosting, OCR processing, document storage — and confirm that appropriate agreements are in place throughout the chain.

Encryption and Data Security

  • 6. All fax transmissions are encrypted in transit. For cloud fax and digital fax platforms, ePHI transmitted over the internet must be encrypted. TLS 1.2 or higher is the current standard for data in transit. For traditional analog fax transmitted exclusively over the PSTN, HHS has indicated that the inherent characteristics of the telephone network may satisfy HIPAA’s addressable encryption standard — however, any digital or internet-based transport layer must be encrypted.
  • 7. All stored fax data is encrypted at rest. Any ePHI stored digitally — in a cloud inbox, on a server, in an archive, or in a document management system — must be encrypted. AES-256 is the current industry standard and what HIPAA-compliant vendors should offer as a baseline.
  • 8. Fax data is not stored in unencrypted local folders or shared network drives. One of the most common fax compliance failures is received faxes routing to a shared network folder with no encryption and no meaningful access controls. If faxes in your environment land in an unprotected file share accessible to anyone on the network, that is an active compliance exposure. Audit your current routing configuration as part of this review.
  • 9. Fax-to-email routing is not used without encryption. Routing faxes to standard email inboxes — even internally — creates unencrypted ePHI exposure unless the email system is itself HIPAA compliant and encrypted end-to-end. Standard consumer and most generic corporate email does not meet this requirement without additional HIPAA-specific configuration. If your fax-to-email workflow has not been formally evaluated for compliance, treat it as a gap until it has been.
  • 10. Multi-factor authentication (MFA) is enabled for all fax platform access. MFA is not explicitly required by HIPAA’s current text but is strongly recommended in HHS guidance and is widely considered a best practice for any system accessing ePHI. Most cloud fax platforms support MFA — if yours does and it is not enabled, enabling it is a straightforward risk reduction step. HHS has proposed updates to the HIPAA Security Rule that would strengthen requirements around authentication; organizations should monitor that rulemaking process at HHS.gov for final outcomes.
  • 11. Encryption key management practices are documented. For organizations managing their own encryption — particularly those running on-premise fax servers — key management must be documented. This includes who holds encryption keys, how rotation is handled, and what happens to keys when staff leave or contracts end. Vendors managing encryption on your behalf should be able to describe their key management practices upon request.

Access Controls

  • 12. Every fax user has a unique login — no shared credentials. HIPAA’s Technical Safeguard standards (45 CFR § 164.312) require unique user identification. Shared fax logins make it impossible to attribute ePHI access to a specific individual, which is both a compliance violation and an audit failure. Every person who accesses a fax inbox, sends a fax, or reviews received documents must have a unique, individual credential.
  • 13. Role-based access controls are configured and enforced. Not every fax system user needs visibility into all fax lines, all inboxes, or all archived transmissions. Access should be scoped to what each user’s role requires — a front desk coordinator does not need access to a physician’s private fax line, and a billing specialist does not need access to clinical referral documents unrelated to their work.
  • 14. Automatic session timeout is configured. HIPAA requires automatic logoff for workstations and systems accessing ePHI (45 CFR § 164.312(a)(2)(iii)). Fax platforms are no exception. Unattended sessions left open on shared workstations — particularly in clinical areas — are a common exposure point. Configure session timeout to align with your policy, typically 15–30 minutes of inactivity.
  • 15. Access is revoked promptly when staff leave or change roles. Offboarding and role-change procedures must include fax platform access. Former employees with active credentials represent a preventable breach risk. Define a maximum time window for access revocation — best practice is same-day for terminations — and audit active user lists on a regular basis.
  • 16. Emergency access procedures are documented. HIPAA’s access control requirements include provisions for emergency access to ePHI when normal access procedures are unavailable (45 CFR § 164.312(a)(2)(ii)). Document how your team would access critical fax data if the primary platform is unavailable, who is authorized to initiate emergency access, and how that access is logged and reviewed afterward.
  • 17. Access logs are reviewed periodically for anomalies. Provisioning access controls is the first step. Reviewing them is the ongoing obligation. Establish a review cadence for fax access logs — monthly for high-volume environments, quarterly at minimum — and document those reviews. Anomalies to look for include access outside business hours, access from unusual locations, and access to fax lines by users without a clear operational need.

Audit Logging and Monitoring

  • 18. Your fax system logs every transmission — sent and received. HIPAA’s audit control standard (45 CFR § 164.312(b)) requires mechanisms to record and examine activity in systems that contain or use ePHI. Fax logs should capture, at minimum: sender identity, recipient fax number, timestamp, page count, and delivery status for every transmission.
  • 19. Logs are retained according to your HIPAA documentation retention policy. HIPAA requires that documentation related to security policies and procedures be retained for a minimum of six years from the date of creation or last effective date (45 CFR § 164.316(b)(2)). Note that some states have longer medical record and documentation retention requirements — confirm the applicable standard for your state and apply whichever is longer. Review your fax vendor’s log retention policy to confirm alignment.
  • 20. You can produce specific transmission records on demand. If HHS OCR, legal counsel, or a covered entity requests documentation of a specific fax transmission — for a breach investigation, an audit, or a patient request — you need to be able to produce it quickly and completely. Test this capability before you are asked. The inability to produce records on demand is itself a compliance finding.
  • 21. Logs are tamper-evident and cannot be altered by end users. Audit logs must be reliable to be useful. Your fax platform’s logs should be immutable — users should not be able to delete, modify, or selectively export them. Verify this capability with your vendor. Cloud fax platforms with proper audit infrastructure provide tamper-evident logging as a standard feature; on-premise environments may require additional configuration to achieve the same standard.
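For items 17, 18, 20 and 21, the example below (added here; it is not from the article or from any fax vendor's product) shows what "tamper-evident" looks like in practice: each transmission record is checked against the item-18 minimum fields, appended to a SHA-256 hash chain so that any later edit to a stored record is detectable, and the chain is queried for after-hours activity and for every transmission to one recipient number. The business-hours window, user names, fax numbers and timestamps are constructed sample values.

```python
"""Hash-chained fax transmission log with field validation and review queries.

Added example; not the article's or any vendor's code. The record layout
(sender, recipient_fax, timestamp, pages, status) follows the minimum
fields listed in item 18. BUSINESS_HOURS and SAMPLE_RECORDS are constructed.
"""
import hashlib
import json
from datetime import datetime, time
from typing import Optional

REQUIRED_FIELDS = ("sender", "recipient_fax", "timestamp", "pages", "status")
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # constructed review policy
GENESIS = "0" * 64  # prev_hash of the first entry


def validate_record(rec: dict) -> list:
    """Return the item-18 fields that are missing or empty in a record."""
    return [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]


def _entry_hash(prev_hash: str, rec: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_entry(chain: list, rec: dict) -> dict:
    """Validate rec and append it, linked to the previous entry's hash."""
    missing = validate_record(rec)
    if missing:
        raise ValueError(f"record missing required fields: {missing}")
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {"record": rec, "prev_hash": prev_hash,
             "entry_hash": _entry_hash(prev_hash, rec)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> Optional[int]:
    """Recompute every link; return index of the first bad entry, or None.

    Detects edited records and re-hashed entries whose successors no longer
    link to them. Silent truncation of the tail is only detectable if the
    latest entry_hash is also exported to a system end users cannot write to.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        expected = _entry_hash(prev_hash, entry["record"])
        if entry["prev_hash"] != prev_hash or entry["entry_hash"] != expected:
            return i
        prev_hash = expected
    return None


def after_hours(chain: list, start=BUSINESS_HOURS[0], end=BUSINESS_HOURS[1]):
    """Item-17 review: records whose timestamp falls outside business hours."""
    out = []
    for entry in chain:
        ts = datetime.fromisoformat(entry["record"]["timestamp"])
        if not (start <= ts.time() < end):
            out.append(entry["record"])
    return out


def find_transmissions(chain: list, recipient_fax: str) -> list:
    """Item-20 request: every transmission sent to one fax number."""
    return [e["record"] for e in chain if e["record"]["recipient_fax"] == recipient_fax]


# Constructed sample records; not real users, numbers or dates.
SAMPLE_RECORDS = [
    {"sender": "jdoe", "recipient_fax": "+15555550100", "timestamp": "2026-03-02T09:14:00", "pages": 3, "status": "delivered"},
    {"sender": "asmith", "recipient_fax": "+15555550199", "timestamp": "2026-03-02T23:41:00", "pages": 12, "status": "delivered"},
    {"sender": "jdoe", "recipient_fax": "+15555550100", "timestamp": "2026-03-03T10:02:00", "pages": 1, "status": "failed"},
]


def build_sample_chain() -> list:
    chain = []
    for rec in SAMPLE_RECORDS:
        append_entry(chain, rec)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain) is None)          # True
    print("after hours:", [r["sender"] for r in after_hours(chain)])  # ['asmith']
    chain[1]["record"]["pages"] = 2  # an end user edits a stored record
    print("first tampered entry:", verify_chain(chain))   # 1
```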

Physical Safeguards

  • 22. Physical fax machines are located in access-controlled areas. HIPAA’s Physical Safeguard standards (45 CFR § 164.310) require controls over physical access to facilities and equipment that contain ePHI. Physical fax machines should not be located in public-facing areas, waiting rooms, or any space where unauthorized individuals could view or retrieve documents. If your facility operates physical machines, confirm their placement meets this standard.
  • 23. Received faxes are not left unattended in output trays. Physical faxes sitting in an output tray represent uncontrolled PHI accessible to anyone who walks by. Assign designated staff responsibility for prompt fax retrieval, establish a maximum time window before retrieval is required, and document the process. This is one of the simplest policies to implement and among the most consistently overlooked.
  • 24. Hardware containing fax data is securely wiped before disposal. Fax machines, servers, multifunction printers, and any storage devices that have processed fax data containing ePHI must be securely wiped or physically destroyed before disposal. Modern multifunction printers contain internal storage that retains images of processed documents — confirm that any device being retired or returned to a vendor has been fully sanitized.
  • 25. Workstations used to access fax platforms are physically secured. Workstations that access fax inboxes or fax management platforms should have screen locks, physical security controls, and the same endpoint protections applied to any workstation that accesses ePHI. An unlocked workstation with an open fax inbox is an access control failure regardless of how well the fax platform itself is secured.

Policies, Training, and Breach Response

  • 26. You have a documented fax policy covering PHI handling. HIPAA requires written policies and procedures (45 CFR § 164.316). Your fax policy should cover: who is authorized to send PHI via fax, what verification steps are required before transmitting to a new or unverified number, how to handle a misdirected fax, cover sheet requirements, and how received fax documents are retained or destroyed. The policy should be reviewed and updated at least annually.
  • 27. All staff who send or receive PHI via fax have received documented training. HIPAA training is required (45 CFR § 164.530(b)) and must be documented. Staff who interact with fax — including clinical staff, front desk personnel, billing, and HIM teams — should receive specific training on fax compliance requirements. Training should be provided at onboarding and refreshed at least annually or whenever relevant policies change.
  • 28. You have a documented misdirected fax response procedure. Sending PHI to the wrong fax number is a potential HIPAA breach. Your team needs a documented, practiced procedure for responding: attempting to contact the unintended recipient to request destruction of the document, conducting a four-factor breach risk assessment to determine whether formal notification is required, and documenting the incident in your breach log. Whether individual notification is required depends on the outcome of that risk assessment.
  • 29. Breach notification procedures are documented, assigned, and practiced. Under HIPAA’s Breach Notification Rule (45 CFR § 164.400–414), covered entities must notify affected individuals without unreasonable delay and within 60 days of discovering a breach. HHS notification is also required, and media notification applies when a breach affects more than 500 residents of a state or jurisdiction. Assign clear ownership of the breach response process, document it, and conduct a tabletop exercise at least annually so your team knows the steps before they need them.
  • 30. A risk assessment has been conducted that includes fax workflows. HIPAA’s Security Rule requires covered entities to conduct a thorough, accurate, and current risk assessment of all ePHI across the organization (45 CFR § 164.308(a)(1)). If your most recent risk assessment did not specifically examine your fax infrastructure — transmission security, storage, access controls, vendor relationships, and workflow gaps — it is incomplete. Address fax workflows explicitly in your next assessment cycle.

Fax Cover Sheets

HIPAA does not explicitly require fax cover sheets, but they are considered a reasonable safeguard under the Privacy Rule and are widely adopted as a best practice. Proper cover sheet use can also reduce the severity of inadvertent disclosure incidents.

  • Include a confidentiality notice stating that the document contains protected health information, is intended solely for the named recipient, and that unauthorized disclosure is prohibited.
  • Include contact instructions for unintended recipients — typically a request to contact the sender immediately and destroy all copies.
  • Minimize PHI on the cover sheet itself. Avoid including patient names, dates of birth, diagnosis, or clinical details on the cover sheet when a reference or case number will serve the same purpose.
  • Verify recipient fax numbers before transmitting, particularly when using speed-dial entries or address books that may not have been updated recently.

Common HIPAA Fax Violations — and How They Happen

Understanding where violations most commonly originate helps you prioritize which gaps to close first.

Misdirected faxes are among the most frequent causes of fax-related breaches. A transposed digit, an outdated speed-dial entry, or a moment of inattention sends PHI to an unintended recipient. The fix: verification steps before transmission, cover sheets with clear confidentiality language, and a practiced response procedure for when it happens.

Missing or unsigned BAAs represent a foundational compliance failure. Organizations that switch to a cloud or digital fax platform without confirming the vendor will sign a BAA may be operating outside HIPAA’s Business Associate requirements for every fax they send. Audit your vendor agreements as part of every contract review cycle.

Unencrypted digital fax platforms present a risk that many healthcare teams don’t discover until it’s too late. Moving from a physical fax machine to a cloud platform feels like an upgrade — but if the vendor isn’t encrypting ePHI in transit and at rest and hasn’t signed a BAA, the compliance exposure is worse, not better.

Shared fax credentials make it impossible to attribute ePHI access to a specific individual. This is both a violation of HIPAA’s unique user identification requirement and a practical problem during breach investigations when you need to establish who accessed what and when.

Unmonitored physical fax machines in common areas create ongoing access control failures. Documents sitting in an output tray represent uncontrolled PHI. This is among the most easily addressed compliance gaps and among the most consistently overlooked.

Inadequate or inaccessible audit logs mean that when an incident occurs, you have no reliable record of what happened. HIPAA’s audit control standard exists precisely for this scenario. If your fax environment does not generate complete, tamper-evident, on-demand retrievable logs, it does not meet the requirement.

Cloud Fax vs. On-Premise Fax Server: Which Is Easier to Keep Compliant?

If you are weighing infrastructure options alongside compliance, a cloud fax platform — from the right vendor — is substantially easier to keep HIPAA compliant over time.

With an on-premise fax server, your organization owns the compliance burden entirely. Encryption, access controls, audit logging, patching, and physical safeguards all fall to your internal IT team. Achieving compliance is possible; maintaining it consistently requires ongoing attention that typically competes with higher-priority IT initiatives.

With a HIPAA-compliant cloud fax platform, the vendor manages the technical infrastructure — encryption, audit logging, uptime, and security patching. Your organization remains responsible for internal policies, staff training, user access management, and breach response — but the technical foundation is maintained and independently audited by the vendor.

For a full comparison of the two approaches across cost, security, EHR integration, and scalability, see our Cloud Fax vs. Fax Server for Healthcare guide.

What to Ask Your Fax Vendor Before Signing

Use these questions to evaluate any fax vendor that will handle ePHI on your behalf:

  1. Will you sign a Business Associate Agreement? Can you provide a standard BAA for review?
  2. How is ePHI encrypted in transit and at rest? What standards and key lengths do you use?
  3. What audit logs do you maintain, and for how long? Can we access them on demand?
  4. Do you hold SOC 2 Type II certification? Can we see the most recent report?
  5. What is your published uptime SLA and what is the remediation process if you miss it?
  6. Do you support role-based access controls and multi-factor authentication?

Frequently Asked Questions

Is faxing PHI HIPAA compliant?

Yes. HIPAA permits faxing protected health information when appropriate safeguards are in place. These include using a HIPAA-compliant fax solution with a signed BAA, encrypting ePHI in digital fax systems, maintaining audit logs, implementing access controls, and training staff on PHI handling. Fax is not prohibited by HIPAA — the obligation is to implement and maintain the safeguards that make it compliant.

What happens if I send a fax to the wrong number?

A misdirected fax containing PHI is a potential HIPAA breach. Organizations should have a documented breach response procedure that includes attempting to contact the unintended recipient, conducting a four-factor breach risk assessment per HHS guidance, documenting the incident, and determining whether formal breach notification to affected individuals and HHS is required. Whether notification is required depends on the outcome of that risk assessment — not every misdirected fax automatically triggers the notification obligation. Consult qualified legal counsel if you experience a potential breach.

Do I need a BAA for every fax vendor I use?

Yes. Any vendor that handles, stores, or transmits ePHI on your behalf is a Business Associate under HIPAA and must sign a BAA. This includes your primary cloud fax provider, any middleware used for fax-to-EHR integration, and subcontractors your fax vendor uses to deliver their service.

Is a fax cover sheet required by HIPAA?

No — HIPAA does not explicitly require fax cover sheets. However, they are widely considered a reasonable safeguard under the Privacy Rule and are recommended practice. A cover sheet should include a confidentiality notice and instructions for unintended recipients. The cover sheet itself should contain the minimum PHI necessary.

How long do I need to keep fax records?

HIPAA requires documentation related to security policies and procedures to be retained for a minimum of six years from creation or last effective date. Some states impose longer retention requirements for medical records and related documentation. Apply whichever retention period is longer — HIPAA’s minimum or your applicable state requirement.

Can I use a personal device or consumer fax app to send PHI?

Only if the application is part of a HIPAA-compliant solution with a signed BAA and the device meets your organization’s security and BYOD policies. Consumer fax apps are generally not HIPAA compliant and should not be used to transmit PHI without a formal compliance evaluation.

What is the current penalty for a HIPAA violation?

As of January 28, 2026, HIPAA civil monetary penalties range from $145 per violation at the lowest tier to $2,190,294 per violation category at the highest tier, under the published Federal Register figures. OCR’s 2019 Notice of Enforcement Discretion applies lower annual caps to Tiers 1–3 in practice, though that policy is not legally binding. Criminal penalties apply separately to individuals who knowingly misuse PHI. Always verify current penalty amounts at HHS.gov, as figures are adjusted annually for inflation.
