
Is Faxing Medical Records HIPAA Compliant?


As fax machines grow increasingly outdated, it seems the healthcare industry is one of the few that still uses them. They’re one of the more basic ways to maintain HIPAA compliance because there’s less gray area, but there are tradeoffs. In this article, we’ll cover some of the pros and cons of using fax machines for exchanging protected health information.


Of all the antiquated methods of exchanging protected health information, the fax machine is the industry standard. However, your team must take special care to ensure HIPAA compliance. 

Adhering to HIPAA throughout the release of information requires an understanding of the Security Rule and the Privacy Rule. These rules set out the guidelines for what information you must protect and what safeguards you must put in place.

The Privacy Rule expanded patient rights to access their medical information while establishing baseline regulations to safeguard protected health information. Part of this burden is identifying what information your team must protect, which HHS labels individually identifiable health information.

According to HHS, this information includes any records of the patient’s care, including medical information and billing details. It also includes any information that could identify the individual, including name, birth date, address, etc.

A risk of faxing medical records, like texting them, is that there’s no guarantee the individual on the other end will be authorized to view them. Fortunately, because people don’t carry fax machines around in their pockets like cell phones, the risk is lower.

To avoid unauthorized disclosure, it’s important to put a HIPAA-compliant fax cover sheet in front of the records. This page will be completely free of individually identifiable health information, so prying eyes can’t immediately see the patient’s information.

The Security Rule imposes technical, physical, and administrative regulations for the exchange of PHI. Because fax is old technology, the limitations actually reduce the risk of mass breaches.

Faxes can’t be encrypted. This means that anybody who intercepts the fax will be able to view the contents. This process, however, requires physical access to the phone line. It’s illegal for unauthorized individuals to mess around with telephone lines, and this is a more public crime than hacking.


When you say the word fax, the two thoughts that may come to mind are bulky fax machines and the terrible piercing sounds they make. Fax functions are built into most modern printers but used by few. Outside the healthcare industry, courts, and legal offices, fax machines are growing uncommon.

This is not because of security issues; quite the opposite, actually. Fax machines are dying out because they’re so inconvenient to use. If your team can hook the fax machine up to a computer and share files without printing and scanning, it’s slightly easier. We’ll dive into what makes fax machines inconvenient soon, but first, let’s finish covering their security.

Part of what makes fax machines seem so secure in modern healthcare is the minimal risk of mass breaches. Because fax machines generally send records one at a time directly to their recipient, intercepted faxes put only that person at risk.

This is in contrast to email, where hackers can remotely access any information and messages that the user hasn’t deleted. Both methods of exchange can go awry due to human error if, for example, the sender enters the wrong recipient information.

An unexpected risk, however, is the disposal of fax machines used by healthcare professionals. Deleted information doesn’t vanish from the hard drive. The machine simply labels the blocks of space as clear. Until someone saves new data, the original data will remain accessible with the proper knowledge.

Fax machines store all data they scan in order to share it. This means you must wipe the machine’s memory clear before disposal.


At first glance, electronic fax services may seem like a more modern option, but they don’t come without their problems. An electronic fax service essentially converts a digital image into the type of message fax machines understand. These messages travel via a phone line, like any other fax.

With proper encryption measures on the sending side, e-fax exchange can be just as secure as regular faxing. A weakness, however, is one that e-fax shares with email. If a hacker manages to break into an account that has sent or received medical records, the information is accessible. 

It’s important to research the options for the various e-fax services, as not all options are HIPAA compliant. Furthermore, HIPAA-compliant platforms may charge extra for the additional security. This is on top of preexisting costs for faxing, which generally increase as the volume of faxes increases. 

While HIPAA breaches caused by e-fax have less potential for major leaks than email, there’s a greater risk than with traditional fax. The reason for this is that neither of these digital options automatically deletes the data shared. Hackers who break into these types of accounts can view anything that hasn’t been manually deleted by the user.

E-fax can be helpful for healthcare organizations that don’t wish to deal with the hassles of a traditional fax machine. If transmitting protected health information this way, remember that the receiver will receive their e-fax the same way they would get regular faxes.

Keep in mind not only the guidelines for traditional fax but also digital methods. For example, continue to use cover sheets and change your password frequently. Always double-check the fax number before sending it, and always adhere to the “minimum necessary” standard. 


There are certainly benefits to using fax to share urgent information. Compared to physical mail, fax is very quick. Compared to SMS and MMS texting, fax is secure. Unfortunately, it is still an antiquated and inefficient method for regularly releasing protected health information.

The release of information process is already extremely time-consuming and complicated for healthcare professionals. Depending on the method of release, there are several points of human input where your team can make mistakes. Fax especially has a lot of ways the exchange can go wrong.

First, fax isn’t always reliable. When your staff sends a fax image, the machine essentially separates the image into cells. It then converts the image into code line-by-line. The sound that plays if you’ve ever answered an incoming fax is the language of the machine. This sound tells the receiving machine which cells are dark, which are light, and so on.

The fax machine only sends this data once, however. This means that if there’s any sort of interruption or interference, the fax can fail. This delays requests, especially if the receiver has no idea the fax was attempted. 

Additionally, sharing a record via fax takes longer than the other methods. This is doubly true if the machine cannot easily fax digital files from the server. In this case, you must print the entire record, scan it with the fax machine, and send it that way. 

Medical records files can be huge, but fax is even more inconvenient for longer files. The more pages a requestor needs, the longer the document takes to scan. This increases the chance that there will be a feeder jam or similar error that requires rescanning. 

Finally, because your team created physical files to scan, they must be shredded as soon as possible. 


If you requested medical records to be released via fax for yourself, a family member, or a client, you can help make sure they’re released swiftly and securely. Don’t just submit the request and assume you will receive the records. 

We’ve found that the average medical records request involves 7 phone calls for status updates. These updates help healthcare providers meet the 30-day HIPAA deadline (or any shorter state deadlines). This is especially important with fax, as there’s the risk that the fax could fail. 

If you put in this extra effort, you shouldn’t have any trouble getting your records sent in a timely manner. Ideally, the healthcare provider will give you a rough time estimate on when you can expect to receive the records. If not, keep a close eye on your fax machine.

If you’re a patient requesting records to your home fax machine, you shouldn’t have to do much else beyond keeping your fax machine active. There should be no unauthorized individuals to threaten a breach in your home. 

If this is not the case and you feel your records wouldn’t be safe in the tray, keep a close eye on your machine. This goes doubly for professional requestors, and the urgency increases with every individual who has access to the fax machine.

Once they arrive, create a digital copy and shred the paper documents or file them away in a locked drawer. If you notice an issue with your records, reach out to the healthcare professional as soon as possible.


If you absolutely must release medical records via fax, it’s important to take every precaution possible. Not only does this increase the chances that patient PHI remains secure, but it also reduces your organization’s culpability in the event of a breach. This means lower monetary and civil penalties.

Start with the basics of any request. Verify that the patient’s authorization form is signed and valid. A valid form should include:

  1. Description of the requested information
  2. Name of the patient and/or requestor
  3. Name of the recipient
  4. Reason for the disclosure
  5. Expiration date or event
  6. Signature of the patient or representative with the date

Once this is verified, retrieve the records in accordance with the “Minimum Necessary” rule. This, simply put, means you should only be releasing the minimum records necessary to fulfill a request. Comb through the records to make sure irrelevant information is not included.

Once you’ve collected the relevant records, double-check to make sure they are 100% accurate for the request. When you feel confident that you’ve fulfilled the request, be sure to double-check the recipient’s fax number.

Be sure to keep a copy of the request on file in the case of an audit. It’s also worth maintaining a log of when medical records are released. This can help both when requestors call for status updates and if the records fail to arrive. 


The release of medical records doesn’t need to be difficult, but antiquated methods like fax make it overly complicated. Between the additional administrative steps, aging technology, and the number of points of potential human error, there are better options for your requestors, your staff, and your organization.

ChartRequest was designed to facilitate the release of information as efficiently and securely as possible. Our software empowers your organization to handle more records in less time, reducing the administrative burden of medical records exchange.

One of the ways we reduce the workload for your team is by empowering your requestors to help themselves. We provide the simplest HIPAA-compliant medical records request process available, and our dedicated support team is ready to help ensure your requestors are successful.

Additionally, we allow requestors to check the status of their requests in real time. This can be done in two ways: searching the request here or signing in to our platform. Once signed in, users can even filter requests by their status or date submitted.

When your users can help themselves, they no longer need as much help from you. By providing these transparent avenues for status updates, we prevent an average of 7 phone calls per request. This saves your team up to 2 hours per request. ChartRequest also makes it easier to coordinate care with other healthcare providers and manage patient referrals. Your team can communicate directly with other physicians to ensure patients can get the most informed care possible. 
