
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is eFax HIPAA Compliant?

eFax is HIPAA compliant for covered entities and business associates that subscribe to a qualifying eFax account, enter into a Business Associate Agreement, and configure the service to support HIPAA compliance. However, due to concerns about the vendor’s HIPAA knowledge and messaging, this may not be the most suitable electronic fax solution for all organizations.

eFax is an electronic fax solution that enables customers to send, receive, and (in certain circumstances) store faxes via email and cloud services. In addition to supporting person-to-person faxes, eFax’s Enterprise Fax API enables customers to integrate fax processes between CRMs, ERPs, and EHRs – potentially eliminating many manual processes and saving healthcare organizations time and money.

However, when using eFax to send, receive, and store faxes that contain Protected Health Information, it is necessary for eFax to be HIPAA compliant. This means the software must have technical capabilities to support HIPAA compliance, the location of the vendor’s servers must be protected according to the Security Rule’s Physical Safeguards, and the vendor must comply with the Administrative Safeguards.

Does eFax Meet These Criteria?

eFax appears to meet the criteria to be HIPAA compliant, but there are caveats – and concerns. For example, with regard to having the technical capabilities to support HIPAA compliance, certain qualifying plans only support sending and receiving faxes electronically. Organizations that want to use the eFax service to store, manage, and audit faxes must subscribe to a Corporate eFax Secure account or use a secondary service to support the eFax service.


With regard to eFax servers being protected against unauthorized access, there is no reason not to believe the “telco-grade colocation” facilities used by eFax comply with the Physical Safeguards. However, the eFax HIPAA Compliant Datasheet that supports this claim is nine years old. Consequently, organizations are advised to check if this information is still up to date and that eFax has a current Business Associate Agreement with its colocation provider.

Similarly, there is also no reason not to believe eFax complies with the Administrative Safeguards of the Security Rule. Indeed, on the vendor’s HIPAA Fax webpage, potential customers are invited to ask prospective vendors if they have an on-staff compliance team certified as HIPAA faxing experts. This might also be an opportunity to ask eFax whether it complies with the HIPAA training requirements for all members of the workforce as required by §164.308(a)(5).

In respect of the other questions potential customers are invited to ask prospective vendors, there is an anomaly with regard to question #1 – “Is the fax solution you offer specifically designed to be HIPAA compliant?” To answer this truthfully, eFax would have to say “no”, as the company started providing electronic fax services four years before the publication date of the Final Security Rule. (There are several further faux pas throughout the eFax website.)

Further Potential Areas of Concern

It was mentioned in the introduction that concerns exist about the vendor’s HIPAA knowledge and messaging. Many of the concerns about the vendor’s HIPAA knowledge come from HIPAA-related blog posts and marketing videos which (for example) ignore that patients have a right to request confidential communications via unsecure channels, that paper-to-paper faxes are not electronic PHI, and that encrypted email services are just as secure as encrypted fax services.

With regard to concerns about contradictory messaging, eFax’s “Protect” product page states eFax’s Protect service is “a HIPAA-compliant cloud fax service […] to transmit and store sensitive data including PHI and ePHI”. However, in the eFax Customer Agreement, Clause #7 states “You further agree not to use the Services to store any protected health information […] unless you are using eFax Secure.” In most cases, an eFax Secure subscription is more expensive than an eFax Protect subscription.

It is also not possible to review a copy of eFax’s Business Associate Agreement without committing to a subscription. This means it is impossible to identify any clauses or conditions that may limit the use of the service in compliance with HIPAA. Effectively, without studying the fine print and asking the right questions, an organization could subscribe to an eFax service which does not meet their needs and would need to subsequently upgrade to a more expensive service thereafter.

Is eFax HIPAA Compliant? Conclusion

On paper, eFax is HIPAA compliant. However, in addition to concerns about the vendor’s HIPAA knowledge and messaging – and the lack of a reviewable Business Associate Agreement – there are no resources on the vendor’s website that explain what configuration is required to make eFax HIPAA compliant (i.e., an Administrator Guide that explains access controls, activity monitoring, etc.). For this reason, eFax may not be the most suitable electronic fax solution for all organizations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
