Fx
FaxRx
FeaturesHow it worksPricing

Compliance

HIPAA Compliance

Last updated July 9, 2026

FaxRx is designed to protect Protected Health Information at every layer - in transit, at rest, and in who can reach it - and we sign a Business Associate Agreement with every customer.

In plain terms: PHI is encrypted, isolated per organization, and logged; every customer gets a signed BAA on every plan at no extra cost; and if a breach of unsecured PHI ever occurs, we notify you without unreasonable delay and no later than 60 days.

Contents

  1. 1. HIPAA and FaxRx
  2. 2. Business Associate Agreement
  3. 3. Encryption
  4. 4. Access controls and tenant isolation
  5. 5. Audit logging
  6. 6. Subprocessors
  7. 7. Workforce and access practices
  8. 8. Data retention and disposal
  9. 9. Breach notification
  10. 10. Your responsibilities
  11. 11. Contact us

1. HIPAA and FaxRx

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting Protected Health Information (PHI). Pharmacies, prescriber clinics, and healthcare practices routinely transmit prescriptions, referrals, and clinical records by fax, so any fax service that handles those documents must be built to safeguard PHI.

When you use FaxRx to send or receive PHI, FaxRx acts as your Business Associate under HIPAA. We designed the Service around HIPAA requirements: PHI is encrypted in transit and at rest, access is isolated per organization, key activity is logged, and every customer receives a signed Business Associate Agreement. This page summarizes the safeguards we maintain and the responsibilities we share with you.

2. Business Associate Agreement

HIPAA requires a covered entity to have a Business Associate Agreement (BAA) with any vendor that handles PHI on its behalf. FaxRx executes a BAA with every customer as part of onboarding - at no additional cost and on every plan. There is no need to request a separate agreement or upgrade to obtain one.

The BAA defines how FaxRx may use and disclose PHI, requires us to safeguard it in line with the HIPAA Security Rule, obligates us to report breaches, and requires our subprocessors that handle PHI to be bound by equivalent obligations. Under the BAA, we also make PHI available to help you meet your obligations to fulfill patient requests for access, amendment, and an accounting of disclosures.

This page summarizes our practices for convenience. The executed Business Associate Agreement and Terms of Service are the binding agreements, and the BAA controls with respect to PHI in the event of any conflict.

3. Encryption

In transit. Connections between your browser, our servers, and our fax and storage providers are encrypted with TLS 1.2 or higher, protecting fax content, patient information, and credentials while they move across networks.

At rest. Fax documents, cover sheets, templates, and attachments are stored in encrypted cloud storage using AES-256 encryption with managed encryption keys, so stored PHI is protected against unauthorized access to the underlying storage.

Email delivery. If you enable email delivery, received faxes are sent as attachments to the addresses you designate. We use TLS-secured transport where the receiving mail server supports it, but because delivery to mailboxes we do not control uses opportunistic encryption, we cannot guarantee end-to-end encryption or the security of a mailbox once a message leaves our systems.

4. Access controls and tenant isolation

Access to the Service is protected by controls designed to keep each organization's PHI separate and reachable only by authorized users:

  • Authenticated sign-in with support for multi-factor authentication.
  • Per-organization data isolation - every request for tenant data is scoped to the signed-in user's organization, so a customer cannot access another organization's records.
  • Authenticated, proxied access to stored fax documents; files are not publicly reachable.
  • Role-based access within an organization, so administrators control who can act on the account.
  • Session handling and password requirements enforced at the authentication layer.

5. Audit logging

FaxRx maintains audit logs to support HIPAA accountability. Key events - including fax send activity, administrative actions, and configuration changes - are recorded with timestamps and the acting user. Audit records are written with tamper-evident integrity protection so that alteration can be detected, and they are retained to support compliance review. Authentication activity, such as sign-in events, is recorded by our identity provider rather than in this tamper-evident chain.

6. Subprocessors

FaxRx relies on a small set of infrastructure providers for functions such as fax transport, encrypted storage, authentication, and email notification. Any subprocessor that may create, receive, maintain, or transmit PHI is engaged under a Business Associate Agreement with obligations equivalent to those we owe you. A current list of subprocessors and their BAA status is available to customers on request. We do not publish vendor names on our public pages.

7. Workforce and access practices

Access to production systems that may contain PHI is limited to the personnel who need it to operate the Service, under least-privilege principles. Personnel with such access are informed of their privacy and security responsibilities and are required to protect PHI, to use secure and encrypted connections when working with customer data, and to report suspected security incidents promptly through established channels.

8. Data retention and disposal

We retain PHI only as long as needed to provide the Service:

  • Fax documents are retained while your account is active, and you may archive individual faxes at any time.
  • On termination, we return or destroy the PHI we hold as described in the Business Associate Agreement, except where retention is required by law or return or destruction is not feasible, in which case we continue to protect it under the BAA and limit further use.
  • Billing records are retained as required by tax law and do not contain PHI.

9. Breach notification

If FaxRx discovers a breach of unsecured PHI, we will notify affected customers without unreasonable delay and no later than 60 days after discovery, consistent with HIPAA and HITECH. Our notice will describe, to the extent known, the nature of the breach, the types of information involved, and the steps we are taking to investigate, mitigate harm, and prevent recurrence. We will cooperate with customers in meeting their own notification obligations, including notification to the U.S. Department of Health and Human Services where required.

10. Your responsibilities

HIPAA compliance is shared. As a covered entity or business associate, you remain responsible for using the Service appropriately - for example, sending faxes only to correct and authorized recipients, designating secure and authorized email addresses if you enable email delivery, managing who in your organization has access, obtaining any patient authorizations you need, and configuring your account in line with your own policies. FaxRx provides the safeguarded platform; you control how your workforce uses it.

11. Contact us

For questions about our HIPAA practices, the Business Associate Agreement, or to raise a compliance concern, contact us at hello@fax-rx.com.

Terms of ServicePrivacy PolicyHIPAA ComplianceSecurity
Back to home
Fx
FaxRxPharmacy Fax

Online fax built for pharmacies, prescriber clinics, and the practices that fax alongside them.

Product

FeaturesHow it worksPricing

Account

Sign inGet startedContact

Legal

PrivacyTermsHIPAASecurity
© 2026 FaxRx. All rights reserved.HIPAA-friendly, encrypted, and ready in minutes.