ThirtyFax

How to Fax Medical Records (HIPAA Best Practices)

Faxing medical records requires HIPAA safeguards: verify recipient numbers, use compliant cover sheets, and choose between traditional machines or online services with signed BAAs.

Bernard Bado·Published on May 21, 2026·Last updated on May 23, 2026·11 min read

Quick Verdict

Yes, you can fax medical records legally under HIPAA, but only when you follow proper security safeguards. You have two main options: traditional fax machines (which require manual compliance steps) or HIPAA-compliant online fax services (which build safeguards into the platform).

Understanding HIPAA compliance matters because a single misfaxed record can trigger breach reporting requirements, OCR investigations, and civil penalties up to $50,000 per violation.

How to Fax Medical Records

Faxing medical records is explicitly permitted under HIPAA for treatment purposes, provided you implement reasonable administrative, technical, and physical safeguards. The method you choose determines how those safeguards are applied.

Method 1: Using a Traditional Fax Machine

Traditional fax machines can be HIPAA-compliant when you follow strict manual protocols. This method works for offices with low fax volume and staff trained in proper procedures.

Step-by-step process:

  1. Verify the recipient fax number (2 minutes): Call the recipient’s office to confirm the fax number—especially if it’s not a number you use regularly. HHS specifically recommends this as a reasonable safeguard.
  2. Confirm recipient identity (1 minute): Get the name of the person who will retrieve the fax. Include this on your cover sheet and ask the recipient to confirm when they’ve received it.
  3. Attach a confidentiality notice cover sheet: Include sender contact information, intended recipient name, page count, and a confidentiality warning for misdirected faxes (see template below).
  4. Stand by the machine during transmission: Don’t walk away. Retrieve the confirmation page immediately and check for transmission errors.
  5. Confirm successful receipt: Call or email to verify the recipient retrieved the fax. Don’t assume delivery based on the confirmation page alone.
  6. Securely dispose of extras: Shred misprints, cover sheet drafts, and any pages left in the output tray, and clear the machine’s stored job memory so the document cannot be reprinted later.
[Infographic: How to Fax Medical Records, the six steps above from verifying the recipient fax number to securely shredding extra copies]

HIPAA compliance checklist for traditional fax machines:

  • Physical security: Place the fax machine in a secure location away from public areas. Staff-only access required.
  • Transmission confirmation: Retain all transmission reports showing date, time, recipient number, and page count.
  • Cover sheet requirements: Every fax must include sender identity, intended recipient name, and confidentiality notice.
  • Document handling: Retrieved faxes must be collected immediately and filed securely. Never leave PHI sitting in an output tray.

Method 2: Using HIPAA-Compliant Online Fax Services

Online fax services shift compliance from manual protocols to platform-enforced safeguards. This is the preferred method for most healthcare practices because audit trails, encryption, and access controls are built in.

Step-by-step process:

  1. Select a HIPAA-compliant service with a BAA (15 minutes): Choose a vendor that will sign a Business Associate Agreement. Without a BAA, you cannot legally use the service for PHI. SRFax, Fax.Plus (paid tiers), and iFax all offer BAAs.
  2. Set up your account (10 minutes): Create a unique user login with a strong password. Enable two-factor authentication if available.
  3. Upload your document securely: Use the web portal or mobile app to upload your PDF or scanned file. Avoid emailing PHI to yourself as an intermediary step.
  4. Enter recipient information: Type the recipient fax number and verify it matches your records. Add the recipient’s name and organization.
  5. Attach a compliant cover sheet: Most platforms let you save a reusable template. Include the same elements as a traditional fax cover sheet.
  6. Send and verify delivery: Check the platform’s transmission log to confirm delivery status. Download the confirmation receipt for your records.
  7. Access audit logs for documentation: Pull monthly reports showing all sent faxes, including sender, recipient, date/time, and delivery status.
[Infographic: How HIPAA-Compliant Online Faxing Works, the seven stages above from choosing a service with a signed BAA to accessing audit logs]

Comparison of HIPAA-compliant online fax services:

| Service | Encryption Standard | BAA Availability | Starting Price | Audit Trail Features |
|---|---|---|---|---|
| SRFax | TLS 1.2+, AES-256 | Included on all paid plans | $12.60/mo (200 pages) | User activity logs, transmission reports, per-user tracking |
| Fax.Plus | TLS 1.2+, AES-256 | Available on Premium+ tiers | $17.99/mo (500 pages) | Detailed delivery logs, timestamp tracking |
| iFax | TLS 1.2+, AES-256 | Available on Basic+ tiers | $12.49/mo (200 pages) | Transmission receipts, activity history |
| eFax Protect | TLS 1.2+, encryption | Included on Protect tier | $49.99/mo (100 sent + 200 received) | Compliance reporting, user audit logs |

Important: ThirtyFax does not offer HIPAA-compliant faxing or sign Business Associate Agreements. It’s designed for one-time, non-PHI faxing only. If you need to send medical records, use a service that will sign a BAA and can document its safeguards. There is no official HIPAA certification program, so treat a vendor’s “HIPAA compliant” badge as a claim to verify against the BAA and the platform’s actual controls, not as proof.

HIPAA Requirements for Faxing Medical Records

HIPAA doesn’t prescribe a single “right way” to fax medical records. Instead, it requires covered entities to implement reasonable safeguards across three categories: technical, administrative, and physical.

Technical Safeguards

These are the security controls your system must enforce:

  • Access controls: Unique user IDs and passwords for anyone sending or receiving faxes. No shared logins.
  • Audit logs: Automatic recording of all fax activity—who sent what, when, and to whom.
  • Transmission security: Encryption in transit (online services should use TLS 1.2 or higher).
  • Authentication: Verify sender and recipient identity before transmission.
  • Automatic logoff: Online portals should timeout inactive sessions after 15-30 minutes.

Administrative Safeguards

These are the policies and training requirements:

  • Business Associate Agreements: You must have a signed BAA with any online fax vendor that handles PHI.
  • Staff training: HIPAA requires training for every workforce member who handles PHI, plus periodic security reminders. An annual refresher covering fax procedures is the common standard, and every session should be documented.
  • Risk assessments: Conduct periodic reviews of your fax workflows to identify and address vulnerabilities.
  • Incident response procedures: Have a documented process for handling misdirected faxes, wrong-number errors, and suspected breaches.
  • Verification protocols: Written procedures for confirming recipient identity and fax numbers.

Physical Safeguards

These control who can access fax equipment and documents:

  • Fax machine placement: Locate machines in secure areas—not lobbies or shared hallways.
  • Document retrieval protocols: Assign staff to check the fax machine regularly. PHI can’t sit in an output tray.
  • Secure disposal: Shred all paper documents containing PHI. Erase fax machine memory when decommissioning equipment.
  • Access controls: Limit who can physically reach the fax machine, printouts, and transmission logs.
[Infographic: HIPAA Fax Safeguards Comparison, the technical, administrative, and physical safeguards above side by side]

Required Elements for Medical Record Fax Transmissions

Every medical record fax must include a cover sheet with these elements:

  1. Confidentiality notice: “The documents accompanying this fax contain confidential health information protected by state and federal law. If you have received this fax in error, please contact the sender immediately and destroy all pages.”
  2. Sender contact information: Your name, organization, phone number, and fax number.
  3. Intended recipient details: Recipient’s full name, title, organization, and fax number.
  4. Verification statement: “This fax is intended only for [Recipient Name]. Please confirm receipt by calling [Your Phone Number].”
  5. Wrong-number protocol: “If you are not the intended recipient, you are prohibited from reading, copying, or distributing this information. Please notify the sender immediately.”
  6. Page count: “This fax contains [X] pages, including this cover sheet.”

Sample compliant cover sheet template (assembled from the six elements above):

  CONFIDENTIAL FAX TRANSMISSION

  From: [Your Name], [Your Organization]
  Phone: [Your Phone Number]   Fax: [Your Fax Number]

  To: [Recipient Name], [Recipient Title]
  Organization: [Recipient Organization]
  Recipient fax: [Recipient Fax Number]

  This fax contains [X] pages, including this cover sheet.

  This fax is intended only for [Recipient Name]. Please confirm receipt by calling [Your Phone Number].

  CONFIDENTIALITY NOTICE: The documents accompanying this fax contain confidential health information protected by state and federal law. If you have received this fax in error, please contact the sender immediately and destroy all pages. If you are not the intended recipient, you are prohibited from reading, copying, or distributing this information. Please notify the sender immediately.

Important: While HIPAA requires minimum necessary disclosures in most situations, the rule does not apply to treatment-to-treatment disclosures between providers. You can send a full medical record to another provider for treatment purposes without limiting pages—but it’s still good practice to send only what’s clinically relevant.

When NOT to Fax Medical Records

Faxing isn’t always the right choice. Use an alternative method when:

  • The patient has specifically requested another delivery method. HIPAA gives patients the right to direct where their records are sent. If they’ve asked for email, portal delivery, or mail, honor that request.
  • You cannot confirm recipient identity or fax number. If the number isn’t in your records or you can’t verify who will retrieve the fax, don’t send it. A fax sent to the wrong number is an impermissible disclosure, and under the Breach Notification Rule it is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised.
  • The receiving location is unsecured. Faxing to a shared machine in a lobby, break room, or hotel business center creates unacceptable disclosure risk.
  • The records contain substance use disorder treatment information. SUD records protected under 42 CFR Part 2 may require additional patient consent beyond standard HIPAA authorizations.
  • State law imposes stricter restrictions. Some states require written patient consent for any PHI disclosure, even treatment-to-treatment. Check your state’s privacy laws.
[Infographic: When Not To Fax Medical Records, decision tree for the situations listed above]

Comparing Fax Methods: Traditional vs. Online

Here’s how the two approaches stack up across key compliance and operational criteria:

| Criteria | Traditional Fax Machine | Online Fax Service |
|---|---|---|
| HIPAA compliance ease | Manual—requires consistent staff training and process adherence | Automated—platform enforces technical safeguards |
| Cost | $100-300 upfront + phone line ($20-50/month) | $12-50/month depending on volume and features |
| Transmission tracking | Paper confirmation pages that must be filed manually | Automatic digital logs with searchable history |
| Audit trail | Relies on manual documentation and paper records | Built-in audit logs showing all activity by user, date, time |
| Security features | Physical security only—no encryption, no access controls | Encryption in transit and at rest, unique user logins, automatic timeout |
| Setup complexity | 30-60 minutes (physical installation, phone line setup) | 5-15 minutes (account creation, payment) |
| Scalability | One machine = one line = bottleneck for multiple staff | Multiple users can send simultaneously from different locations |
| BAA availability | N/A (no third party involved) | Required—available from HIPAA-compliant vendors only |

Recommendation: For practices sending fewer than 10 faxes per month with one or two trained staff members, a traditional fax machine can work if you’re rigorous about protocols. For everyone else—especially multi-provider practices, remote staff, or high-volume senders—online fax services are simpler, more secure, and easier to audit.

Documenting Fax Transmissions for Compliance

HIPAA’s audit control requirement means you must keep records of every fax transmission. At a minimum, document:

  • Transmission confirmation receipts: Date, time, recipient fax number, and delivery status (success or error).
  • Recipient verification logs: Record of how you confirmed the fax number and recipient identity before sending.
  • Sender identity: Which staff member initiated the transmission.
  • Disclosure tracking: For patient record requests, document the date you received the request, the date you sent the records, and the method used.
  • Error logs: Any failed transmissions, wrong-number incidents, or misdirected faxes.

Retention timeline: Keep fax transmission logs for at least 6 years from the date of creation or last use—the same retention period as other HIPAA documentation. Store logs securely with the same protections you apply to PHI.
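A review script a practitioner might run against the monthly audit report from the online-fax procedure above, as an added example (it is not code from ThirtyFax or from any fax vendor). It reads a CSV export, flags transmissions to numbers that are not on the staff-verified recipient list, non-delivered statuses, and sends from shared logins, and computes the six-year retention date for a log entry. The column names, the verified-recipient list, the shared-login user IDs, and the sample rows are all assumptions constructed for the example.

```python
"""
Monthly review of a fax-service audit-log export.

Added example for this article; not code from ThirtyFax or any fax vendor.
Assumptions not taken from the page: the export is a CSV with the five
columns used below, staff keep a list of fax numbers they have verified by
phone, and shared logins are identifiable by user ID. All data here is
constructed sample input.
"""
import csv
import io
from datetime import date

RETENTION_YEARS = 6  # HIPAA documentation retention, 45 CFR 164.316(b)(2)

# Constructed sample: numbers staff verified by phone, stored digits-only.
VERIFIED_RECIPIENTS = {
    "5035550101": "Dr. Patel, Riverside Clinic",
    "5035550144": "Medical Records, Mercy Hospital",
}

# Constructed sample export. Column names are hypothetical.
SAMPLE_EXPORT = """\
sent_at,user_id,recipient_number,pages,status
2026-05-01T09:12:00,jdoe,(503) 555-0101,7,delivered
2026-05-03T14:40:00,asmith,503-555-0144,12,delivered
2026-05-04T10:05:00,asmith,503-555-0199,3,delivered
2026-05-06T16:22:00,frontdesk,+1 503 555 0101,5,failed
2026-05-07T08:30:00,jdoe,,4,delivered
"""


def normalize_number(raw: str) -> str:
    """Reduce a fax number to its digits so differently formatted entries
    for the same line compare equal; drops a leading US country code."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def review_export(csv_text, verified=VERIFIED_RECIPIENTS,
                  shared_logins=("frontdesk", "shared")):
    """Return one finding per transmission that needs follow-up:
    a recipient not on the verified list (possible misdirection),
    a status other than delivered (goes in the error log), or a send
    from a shared login (no attributable sender for the audit trail)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        number = normalize_number(row["recipient_number"])
        issues = []
        if not number:
            issues.append("missing recipient number")
        elif number not in verified:
            issues.append("recipient not on verified list")
        if row["status"].strip().lower() != "delivered":
            issues.append("status " + row["status"].strip())
        if row["user_id"] in shared_logins:
            issues.append("sent from shared login")
        if issues:
            findings.append({
                "sent_at": row["sent_at"],
                "user_id": row["user_id"],
                "recipient": number or "(none)",
                "pages": int(row["pages"]),
                "issues": issues,
            })
    return findings


def retention_expiry(created_iso: str) -> str:
    """Earliest date (ISO format) a transmission log entry may be destroyed:
    six years from creation, or from last use if it was used later.
    A Feb 29 creation date falls back to Feb 28 of the target year."""
    created = date.fromisoformat(created_iso)
    try:
        expiry = created.replace(year=created.year + RETENTION_YEARS)
    except ValueError:
        expiry = created.replace(year=created.year + RETENTION_YEARS, day=28)
    return expiry.isoformat()


if __name__ == "__main__":
    for f in review_export(SAMPLE_EXPORT):
        print(f["sent_at"], f["user_id"], f["recipient"], "; ".join(f["issues"]))
    print("entries created 2026-05-01 may be purged on", retention_expiry("2026-05-01"))
```

Each finding maps to a documentation item above: an unverified number means the verification log must be checked and, if no verification exists, the transmission goes to incident response as a possible misdirected fax; a non-delivered status belongs in the error log; a send from a shared login means the sender cannot be identified, which is exactly what the unique-user-ID control exists to prevent.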

Common HIPAA Faxing Violations to Avoid

These are the most frequently cited compliance mistakes in OCR enforcement actions and breach reports:

  1. Faxing to unverified numbers. Always confirm the recipient fax number, especially if you haven’t used it recently. A misdirected fax is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised; the older “low probability of harm” test was replaced in 2013, so do not rely on it.
  2. Failing to obtain BAAs with online fax vendors. If your fax service handles PHI, you must have a signed Business Associate Agreement. OCR has resolved multiple cases where covered entities used cloud services without BAAs.
  3. Leaving received faxes unattended. PHI sitting in an output tray is an unsecured disclosure waiting to happen. Assign staff to check the machine regularly.
  4. Missing required cover sheet elements. No confidentiality notice, no sender contact info, no intended recipient name—any of these can make a fax non-compliant.
  5. Inadequate transmission logging. If you can’t produce records showing when, where, and to whom you sent a fax, you’ll struggle to demonstrate compliance during an audit.
  6. No staff training. Every person who touches faxed PHI needs HIPAA training on hire and periodic refreshers (annual is the usual standard), with attendance documented. “I didn’t know” is not a defense.
  7. Using non-compliant fax services. Free services, consumer-grade apps, and one-time fax tools (including ThirtyFax) are not HIPAA-compliant and cannot be used for medical records.

Potential penalties: civil penalties are tiered by culpability, from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision; these are the statutory figures, and OCR adjusts them upward for inflation each year. Recent examples include a $200,000 penalty against Oregon Health & Science University for failing to provide timely access to records, a Right of Access case that turned on whether and when records were actually sent, which is exactly what your transmission logs exist to prove.

[Infographic: HIPAA Faxing Violations And Penalties]

Bottom line: Faxing medical records is legal and common—but only when you follow HIPAA’s safeguard requirements. For most practices, HIPAA-compliant online fax services offer better security, easier compliance, and cleaner audit trails than traditional fax machines.

FAQ

Can You Fax Medical Records?

Yes. HIPAA explicitly permits covered entities to fax protected health information for treatment purposes, provided they use reasonable safeguards such as confirming the recipient’s fax number and securing the fax machine location. Faxing remains widely used in healthcare for sending medical records, clinical notes, and lab results—even as the industry moves toward electronic exchange.

Written by Bernard Bado

I created ThirtyFax after needing to send a single fax and refusing to pay for a monthly subscription to do it. I write here about faxing, document workflows, and the surprisingly stubborn role fax still plays in modern business.
