ChartRequest Logo

+1 (888) 895-8366

Is Faxing Medical Records HIPAA Compliant?

fax machine

As fax machines grow increasingly outdated, it seems the healthcare industry is one of the few that still uses them. They’re one of the more basic ways to maintain HIPAA compliance because there’s less gray area, but there are tradeoffs. In this article, we’ll cover some of the pros and cons of using fax machines for exchanging protected health information.


Of all the antiquated methods of exchanging protected health information, the fax machine is the industry standard. However, your team must take special care to ensure HIPAA compliance. 

Adhering to HIPAA throughout the release of information requires an understanding of the Security Rule and the Privacy Rule. These rules set out the guidelines for what information you must protect and what safeguards you must put in place.

The Privacy Rule expanded patient rights to access their medical information while establishing baseline regulations to safeguard protected health information. Part of this burden is identifying what information your team must protect, which HHS labels individually identifiable health information.

According to HHS, this information includes any records of the patient’s care, including medical information and billing details. Additionally, any information that could identify the individual, including name, birth date, address, etc.

A risk of faxing medical records, like texting them, is that there’s no guarantee the individual on the other end will be authorized to view them. Fortunately, because people don’t carry fax machines around in thieir pockets like cell phones, the risk is lower.

To avoid unauthorized disclosure, it’s important to put a HIPAA-compliant faxing sheet in front. This page will be completely void of personal identifiable health information, so prying eyes can’t immediately see their information.

The Security Rule imposes technical, physical, and administrative regulations for the exchange of PHI. Because fax is old technology, the limitations actually reduce the risk of mass breaches.

Faxes can’t be encrypted. This means that anybody who intercepts the fax will be able to view the contents. This process, however, requires physical access to the phone line. It’s illegal for unauthorized individuals to mess around with telephone lines, and this is a more public crime than hacking.


When you say the word fax, the two thoughts that may come to mind are bulky fax machines and the terrible piercing sounds they make. Fax functions are built-in to most modern printers but used by few. Outside the healthcare industry, courts, and legal offices, fax machines are growing uncommon. 

This is not for issues of security, quite the opposite actually. Fax machines are dying out because they’re so inconvenient to use. If your team can hook the fax machine up to a computer and share files without printing and scanning, it’s slightly easier. We’ll dive into what makes fax machines inconvenient soon, but first, let’s finish covering their security.

Part of what makes fax machines seem so secure in modern healthcare is the minimal risk of mass breaches. Because fax machines generally send records one at a time directly to their recipient, intercepted faxes put only that person at risk.

This is opposed to email. With this method, hackers can remotely access any information and messages that the user hasn’t deleted. Both methods of exchange can go awry due to human error if, for example, the sender enters the wrong recipient information.

An unexpected risk, however, is the disposal of fax machines used by healthcare professionals. Deleted information doesn’t vanish from the hard drive. The machine simply labels the blocks of space as clear. Until someone saves new data, the original data will remain accessible with the proper knowledge.

Fax machines store all data they scan in order to share it. This means you must wipe the machine’s memory clear before disposal. If you would like to learn more about how fax machines work, click here. 


At first glance, electronic fax services may seem like a more modern option, but it doesn’t come without its problems. An electronic fax service essentially converts a digital image into the type of message fax machines understand. These messages travel via a phone line, like any other fax.

With proper encryption measures on the sending side, e-fax exchange can be just as secure as regular faxing. A weakness, however, is one that e-fax shares with email. If a hacker manages to break into an account that has sent or received medical records, the information is accessible. 

It’s important to research the options for the various e-fax services, as not all options are HIPAA compliant. Furthermore, HIPAA-compliant platforms may charge extra for the additional security. This is on top of preexisting costs for faxing, which generally increase as the volume of faxes increases. 

While HIPAA breaches caused by e-fax have less potential for major leaks than email, there’s a greater risk than traditional fax. The reason for this is that both of these digital options don’t automatically delete the data shared. Hackers who break into these types of accounts can view anything that hasn’t been manually deleted by the user. 

E-fax can be helpful for healthcare organizations that don’t wish to deal with the hassles of a traditional fax machine. If transmitting protected health information this way, remember that the receiver will receive their e-fax the same way they would get regular faxes.

Keep in mind not only the guidelines for traditional fax but also digital methods. For example, continue to use cover sheets and change your password frequently. Always double-check the fax number before sending it, and always adhere to the “minimum necessary” standard. 


There are certainly benefits to using fax to share urgent information. Compared to physical mail, fax is very quick. Compared to SMS and MMS texting, fax is secure. Unfortunately, it is still an antiquated and inefficient method for regularly releasing protected health information.

The release of information process is already extremely time-consuming and complicated for healthcare professionals. Depending on the method of release, there are several points of human input where your team can make mistakes. Fax especially has a lot of ways the exchange can go wrong.

First, fax isn’t always reliable. When your staff sends a fax image, the machine essentially separates the image into cells. It then converts the image into code line-by-line. The sound that plays if you’ve ever answered incoming fax is the language of the machine. This sound tells the receiving machine which cells are dark, which are light, and so on. 

The fax machine only sends this data once, however. This means that if there’s any sort of interruption or interference, the fax can fail. This delays requests, especially if the receiver has no idea the fax was attempted. 

Additionally, sharing a record via fax takes longer than the other methods. This is doubly true if the machine cannot easily fax digital files from the server. In this case, you must print the entire record, scan it with the fax machine, and send it that way. 

Medical records files can be huge, but fax is even more inconvenient for longer files. The more pages a requestor needs, the longer the document takes to scan. This increases the chance that there will be a feeder jam or similar error that requires rescanning. 

Finally, because your team created physical files to scan, they must be shredded as soon as possible. 


If you requested medical records to be released via fax for yourself, a family member, or a client, you can help make sure they’re released swiftly and securely. Don’t just submit the request and assume you will receive the records. 

We’ve found that the average medical records request involves 7 phone calls for status updates. These updates help healthcare providers meet the 30-day HIPAA deadline (or any shorter state deadlines). This is especially important with fax, as there’s the risk that the fax could fail. 

If you put in this extra effort, you shouldn’t have any trouble getting your records sent in a timely manner. Ideally, the healthcare provider will give you a rough time estimate on when you can expect to receive the records. If not, keep a close eye on your fax machine.

If you’re a patient requesting records to your home fax machine, you shouldn’t have to do much else beyond keeping your fax machine active. There should be no unauthorized individuals to threaten a breach in your home. 

If this is not the case and you feel your records wouldn’t be safe in the tray, keep a close eye on your machine. This goes doubly for professional requestors with increasing urgency for every individual with access to the fax machine. 

Once they arrive, create a digital copy and shred the paper documents or file them away in a locked drawer. If you notice an issue with your records, reach out to the healthcare professional as soon as possible.


If you absolutely must release medical records via fax, it’s important to take every precaution possible. Not only does this increase the chances that patient PHI remains secure, but also reduces your organization’s culpability in the event of a breach. This means lower monetary and civil penalties. 

Start with the basics of any request. Verify that the patient’s authorization form is signed and valid. A valid form should include:

  1. Description of the requested information
  2. Name of the patient and/or requestor
  3. Name of the recipient
  4. Reason for the disclosure
  5. Expiration date or event
  6. Signature of the patient or representative with the date

Once this is verified, retrieve the records in accordance with the “Minimum Necessary” rule. This, simply put, means you should only be releasing the minimum records necessary to fulfill a request. Comb through the records to make sure irrelevant information is not included.

Once you’ve collected the relevant records, double-check to make sure they are 100% accurate for the request. When you feel confident that you’ve fulfilled the request, be sure to double-check the recipient’s fax number.

Be sure to keep a copy of the request on file in the case of an audit. It’s also worth maintaining a log of when medical records are released. This can help both when requestors call for status updates and if the records fail to arrive. 


The release of medical records doesn’t need to be difficult, but antiquated methods like fax make it overly complicated. Between the additional administrative steps, aging technology, and the number of points of potential human error, there are better options for your requestors, your staff, and your organization.

ChartRequest was designed to facilitate the release of information as efficiently and securely as possible. Our software empowers your organization to handle more records in less time, reducing the administrative burden of medical records exchange.

One of the ways we reduce the workload for your team is by empowering your requestors to help themselves. We provide the simplest HIPAA-compliant medical records request process available, and our dedicated support team is ready to help ensure your requestors are successful.

Additionally, we allow requestors to check the status of their requests in real time. This can be done in two ways: searching the request here or signing in to our platform. Once signed in, users can even filter requests by their status or date submitted.

When your users can help themselves, they no longer need as much help from you. By providing these transparent avenues for status updates, we prevent an average of 7 phone calls per request. This saves your team up to 2 hours per request. ChartRequest also makes it easier to coordinate care with other healthcare providers and manage patient referrals. Your team can communicate directly with other physicians to ensure patients can get the most informed care possible. 

Learn about how our 5 tips for reducing burnout in healthcare can improve staff retention and ensure a great patient experience.
Computer Laptop
Medical records are a crucial aspect of healthcare, providing healthcare providers with comprehensive information about a patient’s medical history. If you’re still keeping records on
Retrieving Client Medical Records
Learn how care coordination software can help your hospital improve the patient experience, reduce overhead costs, and increase revenue.
Information Blocking
The Cures Act information blocking exceptions enable healthcare providers to adjust or decline certain medical records requests.
Accounting Disclosures
An accounting of disclosures is more complicated than one may think, so we've assembled a guide for healthcare providers to navigate accounting requests.
Law Firm
On November 28, 2022, the Substance Abuse and Mental Health Services Administration (SAMHSA) released a Notice of Proposed Rulemaking in collaboration with HHS through OCR.