The Complete HIPAA Fax Compliance Checklist for 2026

David Park

HIPAA Security Specialist

November 28, 2025
Updated April 6, 2026
15 min read

Quick Summary

  • HIPAA requires administrative, technical, and physical safeguards for all PHI transmission, including fax
  • Key requirements include workforce training, access controls, audit logs, and secure disposal
  • This checklist covers 47 specific items across all three safeguard categories

Is your organization ready for a HIPAA audit? This detailed checklist covers every aspect of fax compliance, from administrative policies to technical safeguards. Use it to assess your current practices and identify gaps before auditors do.

Checklist Overview

The HIPAA Security Rule requires covered entities to implement safeguards that protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). While traditional analog fax operates over phone lines, cloud fax services and fax servers store and transmit PHI electronically and therefore fall under the ePHI requirements.

This checklist organizes 47 compliance items across the three safeguard categories required by HIPAA. Each item is marked as either:

  • Required (R): Mandatory for all covered entities
  • Addressable (A): Must be implemented, or the reason an alternative approach is used must be documented

Administrative Safeguards

Administrative safeguards are the policies, procedures, and training that govern how your organization handles PHI via fax.

Security Management (R)

  • Written fax security policies and procedures exist
  • Risk analysis includes fax systems and workflows
  • Sanctions policy for fax-related violations is documented
  • Regular review of fax activity logs for suspicious activity

Assigned Security Responsibility (R)

  • Security officer designated with responsibility for fax compliance
  • Privacy officer oversight of fax-related disclosures

Workforce Security (R)

  • Background checks for staff with fax access to PHI
  • Access to fax systems limited to job-necessary personnel
  • Termination procedures include revoking fax system access

Security Training (A)

  • Initial fax security training for all staff handling PHI
  • Annual refresher training on fax security procedures
  • Training documentation maintained for each employee
  • Training covers misdirected fax prevention
  • Training covers proper fax disposal procedures

Incident Response (R)

  • Incident response procedures for misdirected faxes
  • Breach notification procedures documented
  • Incident log maintained for fax-related security events

Business Associate Management (R)

  • BAA in place with cloud fax provider
  • BAA covers all required elements per HIPAA
  • Vendor compliance documentation obtained and reviewed

Technical Safeguards

Technical safeguards are the technology and related policies that protect ePHI and control access to it.

Figure: AvoFax activity log displaying a detailed audit trail with timestamped records of fax views, downloads, and transmissions. AvoFax automatically maintains a HIPAA-compliant audit trail: every action is logged with user identity, timestamp, and IP address.

Access Control (R)

  • Unique user IDs for fax system access
  • Emergency access procedures documented
  • Automatic logoff after period of inactivity
  • Role-based access controls implemented

Audit Controls (R)

  • Fax activity logging enabled (send, receive, view)
  • Logs include user ID, timestamp, recipient, action
  • Logs retained for minimum required period (6 years)
  • Regular audit log review procedures in place
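One way to mechanise the audit-control items above, as an added example rather than Avofax's own code: a small Python checker that parses constructed fax activity records in an assumed key=value line format, flags records missing a required field (user ID, timestamp, recipient, action) or carrying an action outside send/receive/view, and tells a data-destruction procedure whether a record is still inside the six-year retention window.

```python
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("user_id", "timestamp", "recipient", "action")
VALID_ACTIONS = {"send", "receive", "view"}
RETENTION = timedelta(days=6 * 365)  # six-year minimum from the checklist

# Constructed sample records in an assumed key=value line format.
SAMPLE_LOG = """\
timestamp=2025-11-20T14:02:11Z user_id=jdoe action=send recipient=+15550100 pages=3
timestamp=2025-11-20T14:05:47Z user_id=asmith action=view recipient=- pages=1
timestamp=2025-11-21T09:15:00Z user_id=jdoe action=delete recipient=- pages=0
timestamp=2025-11-21T09:20:30Z action=receive recipient=+15550199 pages=2
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; fields that are absent stay absent."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2025-11-20T14:02:11Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def review_records(text):
    """Return [(line_no, issues)]; an empty issues list means the record
    carries every field the audit-control items call for."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        issues = [f"missing {f}" for f in REQUIRED_FIELDS if f not in rec]
        if "action" in rec and rec["action"] not in VALID_ACTIONS:
            issues.append(f"unexpected action {rec['action']!r}")
        if "timestamp" in rec:
            try:
                _parse_ts(rec["timestamp"])
            except ValueError:
                issues.append("unparseable timestamp")
        findings.append((line_no, issues))
    return findings


def must_retain(timestamp, now):
    """True while a record is still inside the six-year retention window,
    i.e. a data-destruction procedure must not delete it yet."""
    return _parse_ts(now) - _parse_ts(timestamp) < RETENTION


if __name__ == "__main__":
    for n, issues in review_records(SAMPLE_LOG):
        print(n, issues or "ok")
```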

Integrity Controls (A)

  • Mechanisms to verify fax integrity during transmission
  • Transmission confirmation validates page count

Authentication (R)

  • Strong password requirements for fax system access
  • Multi-factor authentication available (A)
  • Password change requirements documented

Transmission Security (A)

  • TLS encryption for cloud fax web interface and API
  • AES-256 encryption for stored faxes
  • Encrypted email delivery for fax-to-email

Physical Safeguards

Physical safeguards protect the physical equipment and facilities where PHI is stored or transmitted.

Facility Access (A)

  • Fax machines located in secure, non-public areas
  • Access to fax areas restricted to authorized personnel
  • Visitor access policies for areas with fax machines

Workstation Security (R)

  • Workstations accessing cloud fax secured with screen locks
  • Clean desk policy for fax documents
  • Procedures for retrieving faxes promptly

Device and Media Controls (R)

  • Secure disposal (shredding) of printed faxes
  • Fax machine memory cleared before disposal/transfer
  • Data destruction procedures for cloud fax accounts

Vendor Requirements

If you use a cloud fax service, ensure your vendor meets these requirements:

  • Vendor provides Business Associate Agreement
  • Data centers located in United States
  • Encryption at rest and in transit
  • Role-based access control capabilities
  • Audit logging and reporting
  • Breach notification procedures documented
  • Data retention and destruction policies

Avofax Compliance

Avofax meets all vendor requirements listed above. We provide BAAs at no cost, use US-based data centers, and implement full encryption, access controls, and audit logging.

Documentation Requirements

HIPAA requires that policies and procedures be documented and retained for six years. Ensure you maintain:

  • Written fax policies and procedures
  • Risk assessment documentation including fax
  • Training records for all staff
  • Business Associate Agreements
  • Incident response logs
  • Audit log reviews and reports
  • Policy review and update history

Audit Preparation Tips

When preparing for a HIPAA audit, focus on these areas for fax compliance:

Common Audit Focus Areas

  • Policy documentation: Auditors will ask to see written policies. Ensure they are current and thorough.
  • Training records: Be prepared to show training documentation for each staff member.
  • BAA verification: Have all vendor BAAs organized and accessible.
  • Risk assessment: Your risk assessment should specifically address fax systems and workflows.
  • Incident history: Be prepared to discuss any past incidents and remediation steps.

Pre-Audit Self-Assessment

Conduct a self-assessment using this checklist before any audit. Address gaps proactively. Document why you chose alternative approaches for any addressable requirements not implemented.

Conclusion

HIPAA fax compliance requires attention to administrative, technical, and physical safeguards. This checklist provides a complete framework for assessing and improving your compliance posture.

Key takeaways:

  • Document all policies and procedures in writing
  • Train staff and maintain training records
  • Use HIPAA-compliant vendors with signed BAAs
  • Implement technical safeguards including encryption and access controls
  • Regularly review and update your compliance program

Ready to simplify your HIPAA fax compliance? Get started with Avofax and get built-in compliance with BAA included at no extra cost.

David Park

HIPAA Security Specialist

David specializes in HIPAA security assessments and breach prevention. He holds CISSP and HCISPP certifications and has conducted over 200 security audits for healthcare organizations.
