HIPAA Compliance
Last updated: March 2026
1. What is HIPAA and Why It Matters
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information. Pharmacies routinely transmit prescriptions, patient records, and insurance details via fax - making HIPAA compliance essential for any fax service handling Protected Health Information (PHI).
FaxRx is built from the ground up with HIPAA requirements in mind. Every layer of our platform - from transmission to storage to access - is designed to safeguard PHI and help your pharmacy meet its regulatory obligations.
2. Encryption and Data Protection
In Transit: All data transmitted between your browser, our servers, and fax carriers is encrypted using TLS (Transport Layer Security). This ensures that fax content, patient information, and account credentials cannot be read or tampered with while in transit.
At Rest: Fax documents and associated metadata are stored using encrypted cloud storage. All files are encrypted at rest using AES-256 encryption, preventing unauthorized access to stored PHI even in the event of a physical security breach.
3. Access Controls
FaxRx uses Clerk for authentication and access management, providing robust controls to protect PHI:
- Secure authentication with multi-factor authentication (MFA) support
- Role-based access controls ensuring users only access their own organization's data
- Multi-tenant data isolation - every database query is scoped by organization
- Automatic session timeouts after periods of inactivity to prevent unauthorized access on unattended devices
- Secure password requirements enforced at the authentication layer
4. Audit Logging
FaxRx maintains comprehensive audit logs to support HIPAA accountability requirements:
- All fax send and receive events are logged with timestamps and user identifiers
- Login activity and session history are tracked per user
- Administrative actions and configuration changes are recorded
- Audit logs are retained in accordance with HIPAA requirements and are available for compliance reviews
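The two controls described in sections 3 and 4, tenant-scoped queries and per-event audit records, reinforce each other: every data access carries the organization identifier from the authenticated session, and every fax event is written to the audit log with a timestamp and user identifier. The following is an added illustration of that pattern, not FaxRx's own code; it uses an in-memory SQLite store, a hypothetical `Tenant` object standing in for the identity the authentication layer establishes, and constructed organization and user names. It shows that a user in one organization cannot list or delete another organization's faxes, and that the denied attempt still leaves an audit entry attributed to the requester.

```python
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed schema for the example: one table of fax metadata (the document
# itself would live in encrypted object storage) and one append-only audit log.
SCHEMA = """
CREATE TABLE faxes (
    id         INTEGER PRIMARY KEY,
    org_id     TEXT NOT NULL,
    user_id    TEXT NOT NULL,
    direction  TEXT NOT NULL CHECK (direction IN ('send', 'receive')),
    created_at TEXT NOT NULL
);
CREATE TABLE audit_log (
    id      INTEGER PRIMARY KEY,
    ts      TEXT NOT NULL,
    org_id  TEXT NOT NULL,
    user_id TEXT NOT NULL,
    action  TEXT NOT NULL,
    fax_id  INTEGER
);
"""


@dataclass(frozen=True)
class Tenant:
    """Hypothetical identity handed to the data layer by authentication."""
    org_id: str
    user_id: str


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat()


def _audit(conn, tenant, action, fax_id=None):
    # Every entry carries timestamp, organization and user, as the audit section requires.
    conn.execute(
        "INSERT INTO audit_log (ts, org_id, user_id, action, fax_id) VALUES (?, ?, ?, ?, ?)",
        (_now(), tenant.org_id, tenant.user_id, action, fax_id),
    )


def record_fax(conn, tenant, direction):
    """Store metadata for a sent or received fax and log the event."""
    cur = conn.execute(
        "INSERT INTO faxes (org_id, user_id, direction, created_at) VALUES (?, ?, ?, ?)",
        (tenant.org_id, tenant.user_id, direction, _now()),
    )
    fax_id = cur.lastrowid
    _audit(conn, tenant, f"fax.{direction}", fax_id)
    conn.commit()
    return fax_id


def list_faxes(conn, tenant):
    # The org_id predicate is mandatory; there is no unscoped variant of this query.
    rows = conn.execute(
        "SELECT id FROM faxes WHERE org_id = ? ORDER BY id", (tenant.org_id,)
    ).fetchall()
    return [row[0] for row in rows]


def delete_fax(conn, tenant, fax_id):
    """Delete a fax only if it belongs to the caller's organization; log either outcome."""
    cur = conn.execute(
        "DELETE FROM faxes WHERE id = ? AND org_id = ?", (fax_id, tenant.org_id)
    )
    deleted = cur.rowcount == 1
    _audit(conn, tenant, "fax.delete" if deleted else "fax.delete.denied", fax_id)
    conn.commit()
    return deleted


def audit_events(conn, org_id):
    """Return one organization's audit trail, e.g. for a compliance review."""
    rows = conn.execute(
        "SELECT ts, user_id, action, fax_id FROM audit_log WHERE org_id = ? ORDER BY id",
        (org_id,),
    ).fetchall()
    return [{"ts": r[0], "user": r[1], "action": r[2], "fax_id": r[3]} for r in rows]


def demo():
    """Two constructed pharmacies; the second tries to reach the first's fax."""
    conn = open_store()
    pharmacy_a = Tenant("org_a", "alice")
    pharmacy_b = Tenant("org_b", "bob")
    fax_id = record_fax(conn, pharmacy_a, "send")
    record_fax(conn, pharmacy_b, "receive")
    return {
        "a_sees": list_faxes(conn, pharmacy_a),
        "b_sees": list_faxes(conn, pharmacy_b),
        "b_deletes_a": delete_fax(conn, pharmacy_b, fax_id),
        "a_still_has": list_faxes(conn, pharmacy_a),
        "a_actions": [e["action"] for e in audit_events(conn, "org_a")],
        "b_actions": [e["action"] for e in audit_events(conn, "org_b")],
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the organization scope is applied inside the data-access functions rather than left to each caller, so a forgotten filter in a new feature cannot expose another tenant's records, and the denied deletion is attributed to the requesting user in that user's own organization, which is what a reviewer would look for when reconstructing an incident.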
5. Business Associate Agreement (BAA)
HIPAA requires that covered entities (such as pharmacies) enter into a Business Associate Agreement with any service provider that handles PHI on their behalf. FaxRx is prepared to execute a BAA with qualifying customers.
BAA availability: Business Associate Agreements are available for customers on our Professional and Enterprise plans. To request a BAA, contact us at support@fax-rx.com.
6. Employee Training and Security Practices
All FaxRx team members with access to systems that may contain PHI are required to:
- Complete HIPAA awareness and compliance training before accessing any production systems
- Undergo annual refresher training on privacy and security best practices
- Follow strict access-control policies - production data access is limited to essential personnel only
- Use secure, encrypted devices and connections when performing any work involving customer data
- Report any suspected security incidents immediately through established procedures
7. Data Retention and Disposal
FaxRx maintains clear data retention and disposal policies to minimize PHI exposure:
- Fax documents are retained for the duration of your active subscription
- Users may delete individual faxes at any time through the dashboard
- Upon account termination, all fax documents and associated PHI are permanently deleted within 30 days
- Billing records are retained for 7 years as required by tax law but do not contain PHI
- Backup systems follow the same retention and deletion schedules as primary storage
All data disposal follows secure deletion practices to ensure PHI cannot be recovered after removal.
8. Breach Notification Procedures
In the unlikely event of a security breach involving PHI, FaxRx is committed to prompt and transparent notification:
- Affected customers will be notified within 60 days of discovering a breach, consistent with HIPAA requirements
- Notification will include the nature of the breach, the types of information involved, and steps being taken to mitigate harm
- FaxRx will cooperate fully with any resulting investigations and remediation efforts
- A thorough internal investigation will be conducted to identify the root cause and prevent recurrence
- The U.S. Department of Health and Human Services (HHS) will be notified as required by law
9. Contact
For questions about our HIPAA compliance practices, to request a BAA, or to report a security concern, contact us at support@fax-rx.com.
FaxRx LLC
Email: support@fax-rx.com