Open the homepage of any cloud fax vendor and you will find the phrase "HIPAA compliant" or "HIPAA ready" somewhere above the fold. What you will not always find is a Business Associate Agreement, an SOC 2 attestation, or any concrete description of how protected health information is encrypted at rest. The phrase has become marketing decoration. The compliance regime behind it has not.
If you handle PHI — which any therapist, dentist, billing service, or specialty clinic does — knowing the difference between marketing language and actual HIPAA conformance is the difference between a routine audit and a six-figure settlement.
What HIPAA actually requires from a fax vendor
HIPAA does not regulate fax as a technology. It regulates how covered entities and their business associates handle PHI, regardless of the medium. When a vendor transmits, stores, or processes PHI on behalf of a covered entity, four obligations attach.
First, a signed Business Associate Agreement. This is not optional and it is not satisfied by a checkbox in a Terms of Service. The BAA is a separately executed contract that binds the vendor to HIPAA's Privacy and Security Rules and makes them directly liable to HHS for breaches. If a vendor will not sign a BAA, they are not a HIPAA-compliant vendor. Full stop.
Second, technical safeguards. The Security Rule requires encryption of ePHI in transit and at rest, access controls, automatic logoff, and unique user identification. For a fax vendor, that means TLS-encrypted transport between client and server, AES-256 at rest, and per-user accounts with auditable access.
Third, an audit trail. Section 164.312(b) requires "hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI." For fax, that means a permanent log of who sent what, to whom, when, from what IP, and with what outcome — retained for a minimum of six years.
Fourth, breach notification. Under the HITECH Act amendments, business associates must notify the covered entity within 60 days of discovering a breach. The vendor's contract should spell out exactly what triggers notification and what the procedure is.
The "HIPAA-ready" sleight of hand
"HIPAA ready" is a term of art that means nothing. It is not a status conferred by HHS. There is no HIPAA certification body. The phrase usually means one of two things.
It can mean "we have the technical capability to handle PHI, but we will not sign a BAA, so any actual handling of PHI on our platform is your problem." That is the most common case among low-cost consumer-grade fax services. They have the encryption. They will not take the legal liability.
Or it can mean "we will sign a BAA, but only on our enterprise tier, which costs three times the advertised price." That is the eFax model, where the consumer-tier subscription that shows up on the pricing page is explicitly excluded from BAA coverage and you have to call sales for the HIPAA-eligible tier.
Either way, the headline price you saw is not the price of compliant service.
Encryption and retention standards in 2026
The Office for Civil Rights has consistently treated NIST SP 800-66 as the de facto guidance for the Security Rule. In practice, that means:
- TLS 1.2 or higher for all transport, with TLS 1.3 strongly preferred
- AES-256 for at-rest encryption
- Key management that meets NIST SP 800-57, including periodic key rotation
- Audit logs retained for at least six years
- Access controls reviewed at least annually
A vendor that cannot describe their cryptography in these specific terms is not a vendor you should trust with PHI.
Vendor evaluation questions
Before you sign up for any cloud fax service that will touch protected health information, ask in writing:
- Will you sign a Business Associate Agreement covering my account at my advertised tier?
- Where is PHI stored and what encryption standard is used at rest?
- What protocol is used in transit, and is the entire chain — client to server, server to PSTN gateway — encrypted?
- How long are fax content and metadata retained, and can I configure the retention period?
- What is your audit log format, and can I export it?
- What is your breach notification procedure and timeline?
- Have you completed a SOC 2 Type II audit, and will you share the report under NDA?
- In the past 24 months, have you had any reportable breaches involving PHI?
A vendor that answers all eight clearly and in writing is one you can do business with. A vendor that hedges, redirects to a sales call, or insists their standard product is "HIPAA-ready enough" without specifics is not.
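To turn the audit-trail requirement above (who sent what, to whom, when, from what IP, with what outcome, kept for six years) and the audit-log export question in the list into a check you can run on a vendor's sample export, here is an added example that is not from this article or any vendor: it validates each record of a JSON Lines export for those fields and compares the vendor's configured retention period against the six-year floor. The JSON Lines layout, the field names and the outcome vocabulary are assumptions; map them to whatever format the vendor actually exports.

```python
import ipaddress
import json
from datetime import datetime

# Fields a fax audit record needs to satisfy the 164.312(b) requirement described above.
REQUIRED_FIELDS = ("user", "recipient", "timestamp", "source_ip", "outcome")
VALID_OUTCOMES = {"delivered", "failed", "cancelled"}  # assumed vocabulary
MIN_RETENTION_DAYS = 6 * 365                            # six-year floor from the article

# Constructed sample export in JSON Lines form; not any real vendor's format.
SAMPLE_EXPORT = """\
{"user": "dr.lee", "recipient": "+15551230000", "timestamp": "2026-01-04T15:02:11Z", "source_ip": "203.0.113.7", "outcome": "delivered"}
{"user": "billing01", "recipient": "+15551239999", "timestamp": "2026-01-04T15:09:40Z", "source_ip": "not-an-ip", "outcome": "delivered"}
{"user": "billing01", "recipient": "+15551238888", "timestamp": "2026-01-04T15:11:02Z", "outcome": "failed"}
"""

def validate_record(raw: str) -> list[str]:
    """Return the problems found in one exported audit record (empty list if clean)."""
    problems = []
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return ["record is not valid JSON"]
    for field in REQUIRED_FIELDS:
        if rec.get(field) in ("", None):
            problems.append(f"missing required field '{field}'")
    if rec.get("timestamp"):
        try:
            # Accept the common trailing-Z form; a timestamp without a zone is ambiguous.
            ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
            if ts.tzinfo is None:
                problems.append("timestamp has no timezone")
        except (ValueError, AttributeError):
            problems.append("timestamp is not ISO 8601")
    if rec.get("source_ip"):
        try:
            ipaddress.ip_address(rec["source_ip"])
        except ValueError:
            problems.append("source_ip is not a valid IP address")
    if rec.get("outcome") and rec["outcome"] not in VALID_OUTCOMES:
        problems.append(f"unknown outcome '{rec['outcome']}'")
    return problems

def validate_export(export: str, retention_days: int) -> dict[str, list[str]]:
    """Check every line of an export plus the vendor's configured retention period."""
    findings = {}
    for n, line in enumerate(export.splitlines(), start=1):
        problems = validate_record(line)
        if problems:
            findings[f"record {n}"] = problems
    if retention_days < MIN_RETENTION_DAYS:
        findings["retention"] = [f"retention of {retention_days} days is below the six-year floor"]
    return findings
```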
The bottom line
HIPAA compliance for a fax vendor is not complicated, but it is exact. There is a signed BAA, or there isn't. There is auditable encryption, or there isn't. There is a six-year retention log, or there isn't. The vendors who do the work will tell you so plainly. The vendors who don't will use the word "compliant" as a synonym for "we hope so."