Do This Now to Ensure Your Fax Is Fully HIPAA Compliant

Published by Smart Office


Healthcare organizations rely heavily on fax to send and receive patient health information. Knowing that your fax is secure and reliable is essential so you can protect patients’ privacy and comply with HIPAA. The best option is to go digital and use T.38 Fax over IP (FoIP) with advanced encryption.


T.38 is a standard that defines how a real-time fax call is carried over the Internet without having to convert it into a voice call (VoIP). With legacy Public Switched Telephone Network (PSTN) faxing being phased out, more healthcare teams are switching to T.38 FoIP, and for good reasons.

Encrypted T.38 is hands-down the best-suited FoIP solution to transport sensitive information. There are three notable aspects of this type of fax service that make it superior and earn it a HIPAA stamp of approval – real-time data transfer, data encryption, and page-by-page confirmation.

Maintaining HIPAA compliance is easier when you use “real-time” vs. “store-and-forward” faxing. The difference between the two is just as it sounds: real-time faxing sends faxes immediately, while store-and-forward faxing stores data in an intermediary station before forwarding it to the recipient.

Data traveling uninterrupted from fax sender to fax recipient is less susceptible to hacking because it moves directly between the two parties’ fax machines. However, with a cloud-based store-and-forward fax, data is held in a waiting area, meaning there is a greater risk of something going wrong before it reaches its destination.

HIPAA recognizes the security difference between real-time and store-and-forward faxing and requires that healthcare providers and their fax service providers assume liability if they use store-and-forward fax systems. Both parties must sign a legal agreement called a Business Associate Agreement (BAA) since there is a higher risk of privacy and compliance breaches when using store-and-forward faxing. This makes it more complicated to get your FoIP solution up and running, and can cause substantial delays to your FoIP transition project.

To avoid the legal paperwork, liability, and associated penalties should something go wrong, healthcare teams can simply choose to use real-time faxing. Real-time fax transfer meets HIPAA guidelines for data transmission under the “conduit exception,” which eliminates the need to sign a BAA with the service provider.

Encryption – which builds another layer of security into faxing – is complementary to the goal of HIPAA. Because HIPAA requires that doctors have safeguards in place to protect sensitive information such as medical records and personal health information, T.38 faxing deployed with advanced encryption is a perfect fit for healthcare teams.

It’s important to note that not all encryption is equal. Many fax providers encrypt just the signaling, or encrypt the media and signaling through methods that add significant cost and/or compromise delivery success rates. T.38 ensures the highest levels of delivery success. Choosing a T.38 fax provider that encrypts both the signaling and media, cost-effectively, offers the high level of reliability and security healthcare teams need.

One reason fax is used to send patients’ personal health information is its interoperability. Faxes can be sent quickly, securely, and reliably, and there’s no need for senders to verify in advance whether recipients have compatible technology to receive and view the patient information being sent. Documents will be received by anyone with fax capabilities.

Of course, verifying receipt is critical, and part of maintaining HIPAA compliance. Some fax solutions emulate real-time fax without using T.38; however, these solutions are susceptible to “false positives,” where all pages get sent with receipt confirmed, yet some may in fact have failed to be delivered. Not only does T.38 offer more reliable transfer, it also produces page-by-page confirmation as the fax is transmitted. This helps give healthcare teams the verification they need when sending sensitive data, and it enables compliance with HIPAA.

Healthcare provider organizations are quickly learning that maintaining HIPAA compliance for faxing doesn’t need to be a challenge to their digital transformation initiatives. If you are interested in learning more about T.38 FoIP for your organization, this eBook shares important things to know before making the move to digital.
