Key takeaways:
A signed BAA is the starting point, not the finish line, for HIPAA-compliant healthcare faxing. This guide covers the criteria that matter and the questions to ask, so you can choose a cloud fax vendor with confidence.
Most cloud fax vendors are willing to sign a Business Associate Agreement (BAA). The terms vary considerably and are worth reviewing with your legal or compliance team before signing.
PHI in a cloud fax transaction may extend beyond the documents themselves. It can include transmission metadata (sender number, recipient number, timestamps), delivery status records, and stored fax images. A BAA that’s explicit about scope leaves less room for ambiguity during an audit or incident.
A few other things also deserve attention: whether/how the vendor is permitted to use PHI, what the breach notification timeline looks like, and whether subcontractor coverage flows down to the infrastructure providers the vendor relies on (such as AWS, Azure, or GCP). The answers are ultimately up to your legal and compliance teams and may be negotiable, but a vendor unwilling to discuss terms at all would be a red flag.
HIPAA isn’t a technical standard, so it doesn’t specify how information should be encrypted. That said, most vendors will make it clear that they support industry standards.
Network communication is typically subject to TLS encryption. This applies to fax document transmission, administrative interfaces, API connections, and EHR integrations. TLS 1.2 is a common baseline and minimum expectation; TLS 1.3 is generally preferable, although feasibility depends on the specific devices and endpoints involved.
If the cloud service will transmit over telephone networks, it will likely use T.38 secured by SIP-TLS and SRTP. However, not all transmissions will necessarily pass through a phone line in the first place. Look for a vendor who can clearly explain all possible routes and the encryption protocols for each.
AES-256 is the standard in cloud storage encryption. The more interesting question is exactly where it’s used.
Depending on the service architecture, fax data may both pass through cloud storage during transmission and reside in cloud storage for user access and archival. A potential vendor should be able to specify where encryption is applied. For example, fax image files, transmission logs, and audit records should all be covered, not just the primary database.
Speaking of cloud storage security, it’s also worth inquiring about key management. Vendors typically handle this process themselves, but customer-managed key options may be available if your policies require them.
Healthcare organizations typically need to build an audit trail for PHI: who sent a fax, who received it, who viewed it afterward, and when. A cloud fax platform’s logging capabilities either support that or complicate it.
A useful audit trail captures transmission records (sender identity, recipient number, timestamp, delivery status, page count), access logs (who viewed or downloaded a received fax and when), and administrative logs covering user provisioning changes, permission modifications, and configuration changes. Critically, these should be immutable, or at minimum tamper-evident. Six years is a common retention baseline to align with HIPAA’s documentation retention requirements, though state laws or internal policies may require longer.
Logs should also be exportable in a format your team can work with. That may include forwarding to a SIEM or other security/monitoring software that your organization uses.
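To make the "immutable, or at minimum tamper-evident" requirement concrete, here is an added example (not code from any vendor or from this guide) of a hash-chained audit trail holding the three record types described above, with a verifier that locates the first altered or deleted entry, and a JSON-lines export of the kind a SIEM collector can ingest. All event data below is constructed for illustration.

```python
"""Tamper-evident audit trail for fax events (added example, not vendor code).

Each entry's hash covers its own fields plus the previous entry's hash, so
editing or deleting any earlier record invalidates every hash that follows.
Entries serialize as JSON lines so they can be forwarded to a SIEM as-is.
All sample events are constructed for illustration.
"""
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash of the (empty) entry before the first record


def canonical(entry: dict) -> str:
    # Deterministic serialization: fixed key order and separators so the
    # same record always hashes the same way, regardless of insertion order.
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def append_event(chain: list, event: dict) -> dict:
    """Append one transmission, access or administrative record to the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, **event}
    entry = {**body, "hash": hashlib.sha256(canonical(body).encode()).hexdigest()}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        # A deleted entry shows up as a sequence gap; a rewritten one as a hash mismatch.
        if entry["seq"] != i or body["prev_hash"] != prev_hash:
            return False, i
        if hashlib.sha256(canonical(body).encode()).hexdigest() != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def export_jsonl(chain: list) -> str:
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return "\n".join(canonical(e) for e in chain)


def build_sample_chain() -> list:
    """Constructed sample: one record of each type the guide lists."""
    chain: list = []
    append_event(chain, {"type": "transmission", "ts": "2024-05-01T14:02:11Z",
                         "sender": "radiology@example-clinic", "recipient": "+15555550123",
                         "status": "delivered", "pages": 3, "fax_id": "fx-1001"})
    append_event(chain, {"type": "access", "ts": "2024-05-01T14:10:40Z",
                         "user": "nurse.j", "action": "view", "fax_id": "fx-1001"})
    append_event(chain, {"type": "admin", "ts": "2024-05-01T15:00:00Z",
                         "actor": "admin.k", "action": "role_change",
                         "target": "nurse.j", "role": "radiology_viewer"})
    return chain


def demo_rewrite() -> tuple:
    """Alter who viewed the fax after the fact; verification flags entry 1."""
    chain = build_sample_chain()
    chain[1]["user"] = "someone.else"
    return verify_chain(chain)


def demo_delete() -> tuple:
    """Remove the access record entirely; the sequence gap is flagged at position 1."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("rewritten:", demo_rewrite())
    print("deleted:", demo_delete())
    print(export_jsonl(build_sample_chain()))
```

A hash chain proves internal consistency, not that the whole log was not regenerated; in practice the latest hash is periodically copied somewhere the platform operator cannot rewrite (for example into your SIEM), and the storage itself is write-once. When reviewing a vendor, ask which of these two properties their "immutable logs" claim actually rests on.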
Controlling who can send, receive, view, and forward faxes matters as much for compliance as for day-to-day workflow management. A general baseline should include named user accounts only (since shared credentials undermine audit trails), role-based access control, SSO integration with your identity provider, MFA for administrators at minimum, and automatic session timeout for shared workstations.
Speaking of roles, map out what least-privilege access would look like. For instance, can access be scoped to specific inbound queues or outbound groups rather than granting broad platform access by default?
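The following is an added example, not a vendor's access-control model, of what queue-scoped least privilege looks like in code: named users hold role grants that are limited to specific inbound queues or outbound groups, administrative actions require MFA, and a review function lists anyone holding a platform-wide grant. Role names, queue names and users are constructed for illustration.

```python
"""Queue-scoped, role-based fax permissions (added example, constructed data).

Every grant names a role and the queues it covers, so "viewer" in radiology
says nothing about billing. Admin actions additionally require MFA, matching
the guide's minimum of MFA for administrators. Users are named accounts so
each allow/deny decision is attributable in the audit trail.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

ACTIONS = {"send", "receive", "view", "forward", "admin"}
ANY_QUEUE = "*"  # platform-wide grant; flagged by review_broad_grants below

# Hypothetical roles; a real platform would expose its own role catalogue.
ROLE_ACTIONS = {
    "viewer": {"view"},
    "clinician": {"view", "send"},
    "records_clerk": {"view", "receive", "forward"},
    "fax_admin": {"admin"},
}


@dataclass(frozen=True)
class Grant:
    role: str
    queues: FrozenSet[str]  # inbound queues / outbound groups this grant covers


@dataclass
class User:
    username: str
    grants: List[Grant] = field(default_factory=list)
    mfa_enrolled: bool = False


def is_allowed(user: User, action: str, queue: str) -> bool:
    """Deny by default; allow only if some grant covers both the queue and the action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    for g in user.grants:
        if queue not in g.queues and ANY_QUEUE not in g.queues:
            continue
        if action not in ROLE_ACTIONS.get(g.role, set()):
            continue
        if action == "admin" and not user.mfa_enrolled:
            return False  # admin role held, but MFA not enrolled: still denied
        return True
    return False


def review_broad_grants(users: List[User]) -> List[str]:
    """Usernames holding a platform-wide grant; these should be rare and justified."""
    return sorted(u.username for u in users
                  if any(ANY_QUEUE in g.queues for g in u.grants))


def sample_users() -> List[User]:
    """Constructed directory used by the demonstration and the tests."""
    return [
        User("nurse.j", [Grant("viewer", frozenset({"radiology_inbound"}))]),
        User("clerk.m", [Grant("records_clerk", frozenset({"him_inbound", "him_outbound"}))]),
        User("admin.k", [Grant("fax_admin", frozenset({ANY_QUEUE}))], mfa_enrolled=True),
        User("legacy.shared", [Grant("clinician", frozenset({ANY_QUEUE}))]),
    ]


if __name__ == "__main__":
    users = {u.username: u for u in sample_users()}
    print(is_allowed(users["nurse.j"], "view", "radiology_inbound"))   # True
    print(is_allowed(users["nurse.j"], "view", "billing_inbound"))     # False
    print(review_broad_grants(sample_users()))  # ['admin.k', 'legacy.shared']
```

The review function is the practical payoff: run it against an export of your provisioning data and every name it returns needs a written justification, since those accounts are exactly the ones that turn a single compromised credential into platform-wide PHI access.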
Inbound faxes that aren’t routed into the EHR create a workflow gap (and bottleneck) as PHI sits outside the medical record until it’s manually handled. That introduces errors and can complicate the chain of custody for clinical documents. How well a vendor integrates with your EHR is often the most operationally significant factor in the evaluation.
Not all cloud fax vendors have tested, production integrations with major EHR platforms like Epic, Oracle Health (Cerner), MEDITECH, or Veradigm (Allscripts), just to name a few of the most common.
Keep in mind that the existence of a certified connector is a separate question from its depth. Inbound routing and outbound workflows may look remarkably different between two platform-certified vendors.
Good integrations are measured by reducing manual effort and compliance risk at the same time. Look for the ability to route faxes automatically to the correct queue, department, or patient record. It should also be possible to initiate outbound faxes from within the EHR workflow without requiring staff to switch applications. Delivery confirmations or failure alerts should return to the EHR or the sending user, and failed faxes should re-queue with alerting so documents don’t quietly disappear.
These are common and fairly high-level examples. Your organization might prioritize them differently, or will naturally have deeper and more specific criteria.
HIPAA requires the retention of six years of compliance-related documentation. Retention of individual fax records is less clear and often governed by state law, with different retention periods depending on what the record contains and whom it concerns.
The upshot is that your fax vendor must support whatever schedule your compliance and legal teams have established, not just a vendor default.
Practically, look for configurable retention policies at a meaningful level of granularity (by document type, department, or date range), automated deletion at end of retention period, and legal hold capability for records that need to be preserved outside normal schedules.
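As an added illustration of the three capabilities just listed (granular policies, automated end-of-retention deletion, and legal hold), here is a small retention evaluator; it is example code, not any vendor's retention engine. Rules are keyed by document type and department with the most specific match winning, and a record is eligible for deletion only when its period has elapsed and no legal hold references it. The schedule, document types and records are constructed for illustration; your compliance and legal teams supply the real one.

```python
"""Retention schedule evaluation with legal hold (added example, constructed data).

A rule may name a document type, a department, both, or neither (the default).
The most specific matching rule wins; on a tie the longer period is kept, the
conservative choice. Legal hold overrides everything.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    doc_type: Optional[str]    # None = any document type
    department: Optional[str]  # None = any department
    retain_days: int


@dataclass(frozen=True)
class FaxRecord:
    fax_id: str
    doc_type: str
    department: str
    received: date


def applicable_rule(rules: List[Rule], rec: FaxRecord) -> Rule:
    """Pick the most specific rule matching the record; tie-break on longer retention."""
    best, best_key = None, (-1, -1)
    for r in rules:
        if r.doc_type not in (None, rec.doc_type):
            continue
        if r.department not in (None, rec.department):
            continue
        key = ((r.doc_type is not None) + (r.department is not None), r.retain_days)
        if key > best_key:
            best, best_key = r, key
    if best is None:
        raise LookupError(f"no retention rule covers {rec.fax_id}")
    return best


def disposition(rules: List[Rule], rec: FaxRecord, legal_holds: Set[str], today: date) -> str:
    """'hold', 'retain' or 'delete' for one record as of `today`."""
    if rec.fax_id in legal_holds:
        return "hold"  # hold is checked first: it suspends the schedule entirely
    expiry = rec.received + timedelta(days=applicable_rule(rules, rec).retain_days)
    return "delete" if today >= expiry else "retain"


def sweep(rules: List[Rule], records: List[FaxRecord],
          legal_holds: Set[str], today: date) -> Dict[str, List[str]]:
    """Group fax ids by disposition; the 'delete' list feeds the automated purge."""
    groups: Dict[str, List[str]] = {"delete": [], "retain": [], "hold": []}
    for rec in records:
        groups[disposition(rules, rec, legal_holds, today)].append(rec.fax_id)
    return groups


# Constructed schedule: six years as the default baseline, longer for two categories.
SAMPLE_RULES = [
    Rule(None, None, 6 * 365),
    Rule("lab_result", None, 7 * 365),
    Rule(None, "pediatrics", 10 * 365),
]

SAMPLE_RECORDS = [
    FaxRecord("fx-1", "referral", "cardiology", date(2017, 1, 1)),
    FaxRecord("fx-2", "lab_result", "cardiology", date(2018, 1, 1)),
    FaxRecord("fx-3", "referral", "pediatrics", date(2010, 1, 1)),
    FaxRecord("fx-4", "referral", "pediatrics", date(2016, 1, 1)),
]

SAMPLE_HOLDS = {"fx-3"}


def run_sample(today: date = date(2024, 6, 1)) -> Dict[str, List[str]]:
    return sweep(SAMPLE_RULES, SAMPLE_RECORDS, SAMPLE_HOLDS, today)


if __name__ == "__main__":
    print(run_sample())  # {'delete': ['fx-1'], 'retain': ['fx-2', 'fx-4'], 'hold': ['fx-3']}
```

Note that fx-2 would already be past the six-year default; it is kept only because the more specific lab-result rule applies. That is the granularity question to put to a vendor: if their policy engine cannot express a rule at this level, the schedule your legal team wrote cannot be enforced automatically.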
Storage location is also worth confirming. Specific cloud storage regions might be required (or prohibited) for organizations with multi-state operations or specific data residency requirements. And as records age, confirm whether they remain searchable or move to cold storage (requiring a separate retrieval process).
One digit can make a world of difference. A 99.9% SLA permits roughly 8.8 hours of downtime per year; 99.99% permits about 53 minutes.
What the SLA actually covers matters as much as the number. It’s worth scrutinizing the contractual definition of downtime: does it exclude scheduled maintenance windows? Partial outages affecting subsets of users? Degraded performance that doesn’t meet the technical definition of an outage?
Multi-region active-active failover provides stronger continuity than single-region or active-passive configurations. RTO and RPO commitments should be stated in the contract rather than discussed verbally in sales conversations. A vendor’s historical uptime record — via a public status page or shared history — is more informative than the SLA promise alone.
A poorly managed implementation creates a risk window: your old environment is winding down, the new one isn’t fully operational, and fax workflows are in an uncertain state.
Number porting deserves particular attention. Porting errors on clinical fax numbers can disrupt workflows with no immediate indication that anything is wrong; things simply stop arriving. Confirm who owns the porting process and what the escalation path looks like if something goes wrong.
EHR integration setup is where implementation timelines most often slip. Clarify upfront who configures and tests the connectors—a vendor, partner, and/or internal team—and what the testing process looks like before go-live.
For reference, Private Fax Cloud® typically goes live in about a week, and our team handles ongoing support and updates.
BAA
Encryption
Audit trails
Access controls
EHR integration
Retention and storage
Reliability
Implementation
No cloud fax vendor eliminates compliance risk, but the right ones actively reduce and share it. The covered entity remains responsible for verifying controls, maintaining BAAs, training staff, and monitoring the environment over time. A thorough evaluation gets you to a vendor relationship where the compliance boundaries are clear and the controls are verifiable.
Contact us to schedule a consultation for your specific environment, or to take a closer look at our fully managed Private Fax Cloud.