The Do’s and Don’ts of HIPAA-Compliant Faxing


It isn’t news to anyone working in healthcare that the industry at large still heavily relies on faxing to send and receive confidential documents, despite the availability of more modern technologies. There are many reasons why faxing is still prevalent in this space and this article will reveal the criticality of understanding the relationship between HIPAA regulations and faxing. But the primary reason why fax is still heavily leveraged is because faxing is a familiar technology that has been used in the industry for decades, so while seemingly antiquated, it very much falls into the category of “if it isn’t broken, why fix it?” Now, let’s get into the nitty gritty.

The Usage of eFaxing in Telemedicine

Internet faxing (“eFaxing”) has become a reliable and secure way for medical professionals to exchange documents with patients and providers alike. Healthcare providers began the transition from traditional fax to eFax over the past couple of decades to both improve communication and remain current with the latest technology. HIPAA compliant faxing, like that offered by Spruce, has been designed to make it simple to adhere to basic security protocols. It takes the guesswork out of the equation and gets around more traditional necessities like the cover letter. The Spruce fax cover sheet will automatically display a “from” section that will contain your Practice Name, the name of the user who sent the message, the user’s default phone number, and the fax number the fax was sent from.

Net net, efaxing is simply a convenient way to share and receive chart notes, lab reports, documents, and other information that contains private health information and has proven to be an excellent replacement to a traditional fax machine because, among other things, it can work across different EHR platforms, digitally sharing documents and information with ease.

Some General Rules for HIPAA-Compliant Faxing

Verify the Recipient’s Fax Number

Check the destination fax number before transmission to avoid an unnecessary leak of personable identifiable information (PII), which can often also be protected health information (PHI) under HIPAA.

Use Cover Sheets

Leverage a cover sheet that clearly identifies the sender and recipient and marks the document as confidential.

Ensure Recipient Availability

If you are unsure as to whether your recipient is going to receive the fax as a physical printout, you can call them ahead of the transmission to let them know the document is coming through and to watch for it.

Minimum Necessary Standard

Make sure you are following the “minimum necessary” guidelines for HIPAA compliance and general best practices; only send the minimum information that is needed to accomplish the task at hand. 


Make sure that the fax service you are using stores your fax contacts and transmission logs, as well as digital copies of all of your incoming and outgoing faxes. This will protect your fax documentation by the same technical, administrative, and physical safeguards that HIPAA demands. Such storage will make the fax provider your business associate under HIPAA, however, so you must have a business associate agreement (BAA) in place with them, and they must understand and live up to the requirements of HIPAA.

Using a HIPAA-compliant communication platform like Spruce ensures that the above considerations are accounted for. But, if you are not using a solution like Spruce, then you will have to ask yourself: 

  1. Is your online fax service in compliance with the HIPAA Security Rule?

  2. Are you keeping a record of the date and time of your fax transmission? How about the receiver’s complete name, fax number, and organization? Are you also documenting the sender’s complete name, fax number, and organization? Audit logs are key to HIPAA compliance.

  3. Have you created audit logs to keep track of all activity in your network? Audit controls and access logs are important for all covered entities and business associates, meaning that healthcare providers, medical organizations, and all their vendors must keep them.

  4. When electronically storing or transmitting sensitive information, are you choosing an encryption method that renders the information “secure” under the HIPAA Breach Notification Rule?

Note that Spruce makes it simple to directly fax contacts from within the platform and as noted above, the Spruce fax cover sheet will automatically include the necessary security details. There is also the benefit of media attachment options, which a traditional fax can obviously not support. Within Spruce, you can attach:

  • Text: Any text typed into the message-compose bar while creating a fax will be included in a fax cover sheet.
  • PDF: Any attached PDF file will be converted to black and white and included as typical fax pages after the cover sheet.
  • Images: Attached images will be converted to black and white and included in the fax. This can be used to send photos of single-page documents, such as a signature page, as part of your fax. When you include image files, the fax will also include a QR code to download the full-resolution, color image.
  • Video: You can include a video in your fax! The recipient will get a single fax page that contains a QR code to download and view the video.

What to Avoid During Faxing to Prevent HIPAA Violations

Avoid Using Non-Secure Fax Machines

If you are not using a secure eFax solution that supports the T.38 protocol (more on that below) and other essential controls, then you should assume you are using a non-secure fax solution. There are patient privacy concerns to consider if you are using a non-secure fax machine, many of which are areas of concern in the HIPAA regulations. For traditional fax, it’s essential to verify the recipient’s fax number and ensure recipient availability, as mentioned above. Even if your practice is not covered by HIPAA, developing and implementing fax safeguards can help protect sensitive information and may help prevent liability under state data security law—a whole other ball of wax. There’s also human error to consider. Leaving behind copies on the fax machine, inadvertently sending to the wrong person, etc. are all hazards to keeping up fax hygiene.

Avoid Unconfirmed Transmission and Faxing to Unverified Recipients

There are some easy ways to avoid unconfirmed fax transmission or inadvertently faxing to unverified recipients, sparing a whole host of complications: 

  1. Check the destination fax number before transmission.

  2. If your faxes are failing to send or taking too long to send, they may be sent in parts to increase the likelihood of success. (Note that this isn’t necessary to do if you’re using Spruce for eFax.)

  3. If you receive a fax error message, contact the person receiving the fax to see if they are receiving or canceling the transmission on their end.

  4. Check your fax machine’s features to see if it has any options to prevent sending faxes to unverified recipients. Or, leverage a secure contact book, like the one Spruce offers, to ensure you are only ever sending to the intended recipient.

Best Practices for Including Sensitive Information in Faxes 

There are several ways to mitigate the risk of exposing sensitive information when faxing. Using a confidential fax cover sheet that states that the fax information may be confidential is a start. You can also request that the recipient of a misdirected fax destroy the information and notify you immediately.

Another way to avoid mishandling sensitive information is to leverage a secure contact book in your eFax platform, like Spruce does. In this way you will not run the risk of accidentally entering an incorrect fax number or inadvertently faxing the wrong recipient. 

All users of Spruce agree to our standard Terms of Service, which includes a HIPAA Business Associate Agreement (BAA). Importantly, Spruce stores fax contacts and transmission logs, as well as digital copies of all incoming and outgoing faxes, identically to how all other medical data is stored. This means that your fax information is protected by the same technical, administrative, and physical safeguards that HIPAA demands and that we use regularly throughout our entire system. For more detail on using Spruce fax while maintaining regulatory compliance, please see our white paper on Using Spruce in a HIPAA-Compliant Way.

Importantly, when electronically storing or transmitting sensitive information (e.g., via eFax), be sure to choose an encryption method that renders the information unreadable except by the receiving party, as Spruce does automatically when the recipient connection permits it. When possible, avoid using fax altogether to transmit personal information.

Avoid Leaving the Fax Unattended

If you are using a traditional, physical fax machine that is sitting on a desk in your office, never leave your faxes unattended. Keep an eye on your documents—even if you need to do a quick task while sending a fax—because simply put, you cannot leave a patient record unattended. It can lead to a HIPAA violation. You also need to store these faxes in a secure location.

If you work in a busy office and the team is constantly multitasking, the easy answer is to switch to an online fax service so that it becomes impossible to leave a fax unattended. Short of that, you can check your fax machine’s features to see if it has any options to prevent leaving the fax unattended. Some are built by design to require the sender to manually monitor the progress.

The Main Advantages of Online Fax Services

Online fax services offer several advantages over traditional fax machines. 


Online faxing services enable users to send and receive documents instantly, without having to wait for mail or courier services. This saves time and makes it easier to stay on top of important communications.


Online faxing is much faster than traditional faxing, as it eliminates the downtime that you might spend waiting to send or receive a fax through a physical fax machine and landline. Plus, with online faxing, there are no busy signals. You can send and receive faxes simultaneously without burdening the system or having to wait for a dial tone. Online faxing can be done on any computer or mobile device that is connected to the internet, making it easy to send and receive faxes from anywhere, at any time.


Online faxing services are generally more cost-effective than traditional fax machines, as they eliminate the need for a dedicated phone line and the associated costs of paper, ink, and maintenance. Do you remember how much you used to pay to send a fax at Kinko’s? Gone are those days.


Online faxing services keep all your documents organized and always available—or at least they should, like Spruce does!—making it easier to manage and store important documents.

Multi-user functionality

Online faxing services offer new and improved features like multi-user functionality and document sharing, which lets several users receive the same fax simultaneously.


Online faxing services are generally more secure than traditional fax machines, as solutions like Spruce use encryption to protect sensitive information and prevent unauthorized access.

Environmentally friendly

Online faxing services are more environmentally friendly than traditional fax machines, as they eliminate the need for paper and ink.

Underlying technology

And finally, you should understand the underlying technology of your eFax provider. The basic fax protocol is T.30, but modern systems should use T.38, which enables faxes over the internet and allows for key technological benefits, such as encryption, which can be important for HIPAA. Learn more about the basics of this protocol. It’s critical to note that the suitability of T.38 or T.30 depends on the specific requirements of the fax transmission environment. In traditional telephony setups, T.30 may still be a reliable choice. However, in modern IP-based communication systems, T.38 is often preferred due to its compatibility, reliability, efficiency, and integration capabilities.

How to Send an Online Fax

Choose a Secure Online Fax Service

Sending an online fax isn’t rocket science but finding the right provider may be challenging. Searching the internet for “free online fax” or “secure online fax” will often turn up options that are non-secure or free on a trial basis, but never a long-term solution for a thriving medical practice. 

Sign up and Set up Account

From a prescriptive standpoint, the basic gist of getting set up online with a fax solution that adheres to today’s guidelines for the health vertical hinges entirely on choosing a secure online fax service like Spruce (and avoiding supposedly free solutions, as mentioned above).  

Prepare Documents You Want to Send

Compile the documents that you want to transmit and attach a cover note.

Create a New Fax

Creating a new fax just means that you are now positioned for transmission and all of the content—text, images, even video—are accounted for. 

Log into Your Account

Make sure you are logged in as yourself so that if any questions come up later about the sender/receiver/transmission there won’t be any mistaking the details.

Enter Recipient’s Fax Number

Enter the destination fax number and check it twice. If you are using a solution like Spruce, this number will be attached to the contact in your secure contact book, eliminating any concerns around inadvertently sending to the wrong recipient.

Upload Document(s)

Upload your documents and get them ready for transmission.

Provide Additional Message if Needed

If you need to provide context or mark the document confidential, do so before you transmit so that the recipient has all of the information they need up front.

Send Fax

Send your fax and you will receive confirmation that the transmission was successful.

Final Thoughts

HIPAA compliance is a crucial consideration when it comes to faxing in the healthcare industry. Despite the rise of digital communication methods, faxing remains a popular and widely used method of transmitting sensitive healthcare information, and electronic faxing is the strongest option for HIPAA-compliant faxing, as we’ve discussed in this article. 

If you still have questions about faxing or compliance, please check out our help center, our blog, or reach out to a member of our support team

Related Articles

Meet Lex Lancaster, PT, DPT, a physical therapist turned digital entrepreneur now helping other heal...
Join Spruce Health and Thomas (T.J.) Ferrante, a Partner in Foley & Lardner’s Telemedicine Ind...