HIPAA-Compliant Online Fax in 2026 — Real BAA Chain

A quick honest disclosure before we start: this post is written by the team at Const Agility, LLC that builds Faxify, an online fax service for the United States and Canada. What follows is the buyer's-side diligence we'd want if we were the practice manager being told to "find a HIPAA-compliant fax service" — a clear-eyed look at where Faxify fits, where it doesn't, and how the underlying BAA chain actually works in 2026.
If you're short on time, jump to the section on the BAA chain, or skip straight to the section on how Faxify fits in a HIPAA workflow.
TL;DR
- The vendor is HIPAA-eligible; your workflow is HIPAA-compliant — and the carrier layer (SignalWire, Telnyx, Bandwidth, or similar) is where the BAA-bearing transmission compliance actually lives.
- Faxify routes through SignalWire's HIPAA-eligible carrier infrastructure with BAA coverage, stores documents on Google Cloud under Google's BAA, and is transparent about the layers that are deliberately out of HIPAA scope (product analytics via Amplitude sees usage events only, never document contents).
- Faxify itself is not a HIPAA-covered entity, and it's not party to your BAAs with downstream parties. We can sign a BAA with you covering Faxify's role in the chain; you're still responsible for the rest.
- Competitor BAA availability varies. eFax Corporate signs BAAs at enterprise pricing (quote-only). RingCentral healthcare signs at the healthcare-plan tier. Fax.Plus Enterprise signs at $79.99/month annually. Faxify: no published tier ships with a BAA. HIPAA workflows require a custom business plan — email or call to start.
- A timestamped carrier-confirmed "Delivered" receipt is the audit artifact you want. "Sent" — which most competitors report when the file finishes uploading to their server — is not the same thing and is not an audit trail.
⚠️ Compliance disclaimer: This post discusses HIPAA in the context of fax transmission. Faxify is a software service that routes faxes through HIPAA-compliant carrier infrastructure. Faxify is not itself a HIPAA-covered entity, and this post is not legal advice. If you transmit PHI, consult your compliance officer and ensure appropriate Business Associate Agreements are in place with all parties handling that data.
What "HIPAA-compliant fax" actually means
If you've been told to "find a HIPAA-compliant fax service," the first thing worth knowing is that the phrase itself is doing a lot of work. The short answer: vendors are HIPAA-eligible, workflows are HIPAA-compliant — and most of the work the phrase is doing is being done in the wrong place.
HIPAA's Privacy Rule and Security Rule apply to two categories of entity:
- Covered entities — health plans, healthcare clearinghouses, and most healthcare providers who transmit health information electronically. The clinic, hospital, lab, insurance plan, or billing service the PHI belongs to.
- Business associates — vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity. The EHR, the email host, the cloud storage, the fax service, the billing platform.
A fax service handling PHI on your behalf is a business associate. That relationship is governed by a Business Associate Agreement (BAA) — a written contract spelling out what the business associate can do with the PHI, how it must protect it, how it handles breaches, and what happens at termination. No BAA, no PHI. That part is non-negotiable under HIPAA, regardless of how much the vendor's marketing page mentions "HIPAA-compliant" or "256-bit encryption."
So when a buyer asks "is this fax service HIPAA-compliant?", the honest answer in most cases is: the service is HIPAA-eligible, and the workflow built on top of it can be HIPAA-compliant once your end of the requirements is in place: policies, training, BAAs with every business associate in the chain, breach-notification plan, the lot.
That distinction matters because of how vendors market. Almost every fax service in the category will tell you they're "HIPAA-compliant." Some use the phrase as shorthand for "we're HIPAA-eligible and we'll sign a BAA." Others use it loosely without an actual BAA process. The way to tell the difference: ask one question — "Can I see your BAA?" A vendor with a real compliance posture sends one under NDA in a day or two. A vendor without one either invents terms on the fly or quietly fails to respond. This isn't a Faxify-specific point; it applies to every name on every comparison page in the category.
The three-layer model
Think of a HIPAA-eligible online fax service as three layers, each with its own compliance posture:
- The software you interact with (the app, the web dashboard, the API). This is what the vendor builds and markets. It typically isn't itself a HIPAA-covered entity — it becomes a business associate upon BAA execution with the vendor.
- The carrier layer (SignalWire, Telnyx, Bandwidth, or a legacy ILEC). This is where the actual fax transmission happens over T.38 and the public switched telephone network. The carrier is the layer with carrier-grade HIPAA-eligible infrastructure and is the entity whose BAA covers the wire.
- The infrastructure layer (cloud storage, database, hosting). This is where your documents and account metadata live at rest. The infrastructure provider (Google Cloud, AWS, Azure) is typically HIPAA-eligible under their respective BAAs.
When you're evaluating a vendor, you're asking three questions across three layers:
- Does the software vendor have a BAA with me?
- Does the software vendor have BAAs with the carrier?
- Does the software vendor have BAAs with their infrastructure providers?
A vendor that handles all three of those layers correctly is HIPAA-eligible. A vendor that handles only the first one — and assumes the rest will "just work" — is signing a contract they can't deliver on. The competitor pages worth reading are the ones that publish the chain. Almost none of them do.
The BAA chain: Faxify → SignalWire → GCP / Vercel
Here's the full chain for Faxify, the actual layers in the order PHI would touch them. We're publishing it because the most useful diligence question you can ask is "show me your chain," and we'd rather just put ours on the page.
| Layer | Provider | HIPAA-eligible | What it sees |
|---|---|---|---|
| Software service | Const Agility, LLC (Faxify) | Not itself a HIPAA-covered entity — becomes a business associate upon BAA execution | Document at upload, draft state, send/receive metadata, account records |
| Fax transmission (T.38, G.711) | SignalWire | ✅ Signs BAA; one BAA covers fax + voice + messaging + video | The document during transmission to the recipient's fax machine |
| Document storage at rest | Google Cloud Storage | ✅ Under Google Cloud BAA | Document at rest until deletion |
| Database (metadata, accounts) | Google Cloud Firestore | ✅ Under Google Cloud BAA | Fax metadata (recipient number, page count, status timestamps), account records |
| Authentication | Firebase Authentication | ✅ Under Google Cloud BAA scope | Authentication tokens, account identifiers |
| Web hosting (all surfaces) | Vercel | ✅ Vercel Pro hosts every Faxify web surface (www, app, mcp, API); BAA terms available at this tier | Marketing pages (no PHI); request/response handling for app, API, and MCP (PHI in flight, not at rest) |
| Product analytics | Amplitude | ⚠️ Deliberately out of HIPAA scope | Product usage events only (page views, feature taps, anonymous device IDs) — never document contents or recipient numbers |
A few things worth calling out about this table.
SignalWire is where the wire-level BAA lives. Most online fax services that claim HIPAA eligibility route through one of a handful of carriers — SignalWire, Telnyx, Bandwidth — and the BAA covering the actual fax transmission is the one between the software vendor and that carrier. SignalWire's BAA is broad: one BAA covers voice, fax, messaging, and video on their platform. For Faxify, every paid plan routes through that BAA at the wire level. You're not paying extra for "the HIPAA tier" of the carrier — the carrier is what it is.
Google Cloud is where documents live at rest. Faxify stores fax documents in Google Cloud Storage and account metadata in Firestore, both under Google Cloud's BAA. That covers the "where does my data sleep" half of the question. When a user deletes a fax (from the app, web, or via our MCP server), the document is cleared from Google Cloud Storage and from SignalWire's carrier records. Deletion is real. For free and expired-paid accounts, fax documents and transmission metadata are auto-deleted 30 days after the last activity. Custom retention windows under a specific BAA are negotiated case-by-case.
Vercel hosts every Faxify web surface — one tier, one footprint. That includes www.faxify.com (this marketing site, no PHI), app.faxify.com (the web app), mcp.faxify.com (our MCP server for AI integration), and our API. Documents are POSTed from the iOS, Android, or web apps to a Vercel-hosted endpoint, briefly handled by serverless functions, and then streamed onward to Google Cloud Storage (where they live at rest under Google's BAA) and SignalWire (which transmits to the recipient under SignalWire's BAA). Some competitors split this differently (one host for marketing, another for the app); we've kept it consolidated to keep the chain auditable from a single vendor.
Amplitude is deliberately out of HIPAA scope, and we treat that as a feature. Amplitude is our product analytics. It tells us which features get used, where users drop off in onboarding, and how the apps perform across platforms. By design, we don't send PHI to Amplitude. The events we track are things like fax_sent, scanner_opened, cover_page_added, subscription_started: no document contents, no recipient fax numbers, no account-level identifiers that could be reverse-linked to a patient. Amplitude isn't HIPAA-eligible, and that's fine because no PHI ever reaches it. If a vendor's analytics stack does see PHI (and not all of them are explicit about whether it does), that's a chain link worth asking about.
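One way to enforce that boundary in code is a fail-closed allowlist in front of the analytics client. This is an added example, not Faxify's code: the four event names come from the paragraph above, while the property allowlist, the size limits and the function names are assumptions made for illustration.

```python
import re

# Event names are the four the post lists; the property allowlist is assumed.
ALLOWED_EVENTS = {"fax_sent", "scanner_opened", "cover_page_added",
                  "subscription_started"}
ALLOWED_PROPS = {"platform", "app_version", "page_count", "plan_tier",
                 "device_id"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_SHAPE_RE = re.compile(r"[\d\s().+-]+")
MAX_STR_LEN = 64      # longer strings are treated as free text
MAX_INT = 10**6       # a 7+ digit integer may be a phone or record number


class PhiLeakError(ValueError):
    """Raised when an event must not leave the HIPAA-scoped side."""


def _suspicious(value):
    """Return a reason string if the value could carry an identifier."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return "a long digit run" if abs(value) >= MAX_INT else None
    if isinstance(value, str):
        if len(value) > MAX_STR_LEN:
            return "free text"
        if EMAIL_RE.search(value):
            return "an e-mail address"
        digits = sum(ch.isdigit() for ch in value)
        if PHONE_SHAPE_RE.fullmatch(value) and digits >= 7:
            return "a phone or fax number"
        return None
    # Nested objects, lists and floats are not needed for usage events.
    return "an unsupported type"


def scrub_event(name, props):
    """Return (clean_props, dropped_keys) for an analytics event.

    Unknown event names and suspicious values in allowlisted properties
    raise, so a mistake surfaces in tests instead of in the vendor's data.
    Unknown property keys are dropped; only their names are returned.
    """
    if name not in ALLOWED_EVENTS:
        raise PhiLeakError(f"event {name!r} is not allowlisted")
    clean, dropped = {}, []
    for key, value in props.items():
        if key not in ALLOWED_PROPS:
            dropped.append(key)
            continue
        reason = _suspicious(value)
        if reason:
            raise PhiLeakError(f"{name}.{key} looks like {reason}")
        clean[key] = value
    return clean, sorted(dropped)


if __name__ == "__main__":
    # Constructed sample: a developer accidentally attaches fax details.
    event = {"platform": "ios", "page_count": 3,
             "recipient_number": "+1 415 555 0100",
             "filename": "referral.pdf"}
    print(scrub_event("fax_sent", event))
```

Only the returned `clean_props` would be handed to the analytics SDK; the dropped key names can go to an internal log for review.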
This is the kind of granularity healthcare buyers tend to respect. If your IT person or compliance officer wants to see the full chain in a form they can paste into a vendor-management database, email faxify@constagility.com and we'll send a written summary you can attach to your records.
How competitor HIPAA fax services actually work
Healthcare buyers tend to encounter four kinds of vendor pages when they search for "HIPAA-compliant fax service." Here's an honest read on the three biggest ones plus where Faxify lands. The point of this section isn't to bash competitors; it's to flatten the marketing copy into something a procurement-minded reader can compare apples-to-apples.
eFax Corporate
eFax's healthcare-tier product is eFax Corporate — the option most enterprise procurement teams already know by name.
- BAA available? Yes, on the Corporate tier.
- Pricing visibility? Quote-on-request. The published page leads to a sales-call funnel, not a number. Expect enterprise pricing — multi-line setup fees, per-user seat costs, and per-page billing on top.
- Trade-off: brand recognition is the moat. If your hospital has standardized on eFax and you don't have authority to introduce a new vendor, this is the path of least resistance. For a smaller practice or solo provider not getting an enterprise discount, the price is hard to justify.
RingCentral (healthcare plan)
RingCentral bundles fax with their voice + video + SMS platform, and offers healthcare-specific plans that include BAA support. The buyer profile is a clinic that wants one vendor for the whole communication stack.
- BAA available? Yes, on the RingCentral healthcare tier with HIPAA-specific controls enabled.
- Pricing visibility? Baseline plans are published; the healthcare tier is typically quoted. Entry-tier plans don't include the HIPAA configuration.
- Trade-off: the value is the bundle. If you already need RingCentral for voice or video, the fax line riding on top is incremental. If you only need fax, you're paying for capabilities you won't use.
Fax.Plus Enterprise
Fax.Plus has cleanly-published pricing tiers for non-HIPAA use, with a separate Enterprise tier that includes BAA support. This is the most transparent of the three on the "you can see the number before you call sales" question.
- BAA available? Yes, on the Enterprise tier specifically.
- Pricing visibility? $79.99/month annually for Enterprise, published. Cheaper tiers (Basic at $6.99/mo, Premium at $13.99/mo, Business at $27.99/mo) do not include a BAA.
- Trade-off: the number is honest, but $79.99/month is meaningfully more than most small practices need to pay for fax alone. For a 1–5 person clinic doing under a few hundred faxes a month, the Enterprise tier is built for an organization 5–10× your size.
Faxify
Where Faxify lands in this comparison is straightforward:
- BAA available? No published Faxify tier ships with a BAA. HIPAA workflows require a custom business plan that covers the specific requirements (page volume, data residency, retention windows, breach-notification cadence, multi-account configurations). We're transparent that we're not a HIPAA-covered entity ourselves; Faxify becomes a business associate upon BAA execution. The BAA covers Faxify's role in the chain (the software service, the storage, the account records); SignalWire's BAA (between SignalWire and us) covers the carrier transmission layer. To start the conversation: email faxify@constagility.com or schedule a call with our founder.
- Pricing visibility? Published pricing covers non-HIPAA workflows. Free tier (25 pages/month, no card). Paid plans start at $4.99/month (or $3.33/month effective on the annual plan, which also includes a dedicated fax number for receiving). Professional ($9.99/month) and Elite ($14.99/month) are the higher-volume tiers: Professional ships Fine fax-resolution mode, Elite ships Super Fine, both add email and phone support. Basic and Standard ship Standard fax-resolution mode with email-only support. Pricing for a custom HIPAA business plan is set during the requirements call.
- What else is in the box? Faxify is the only service in this comparison that also bundles a mobile scanner, PDF tools (merge, split, compress, reorder, convert), and cover-page customization in the same app. For a small practice currently running a fax service + Adobe Scan + Smallpdf, that's a three-app stack consolidated into one.
- Trade-off: Faxify operates in the US and Canada only, and is single-user today. If your practice needs 5+ named users on the same account with separate logins, talk to us first — we can frame the dedicated number as a shared business identity, but the back-end account model is single-user. For larger multi-tenant deployments, the enterprise-tier products above may fit better today.
For a per-tier pricing breakdown of all the major fax services, see Online Fax Pricing Compared (2026). For broader buyer recommendations across the category, see Best Online Fax Service in 2026.
Delivery confirmation is a compliance artifact
This is the one section a lot of HIPAA fax-evaluation guides skip, and it's the one that matters most in an audit.
When you fax PHI to a recipient — a referral to a specialist, a discharge summary to an insurer, a prior authorization request — and a year later that transmission becomes part of a chart audit, a billing dispute, or a regulatory inquiry, the question that's going to come up is: "Can you prove that fax was received?"
There are two answers most vendors offer:
- "Sent." The file finished uploading to our server. This tells you nothing about whether the fax actually reached the recipient's machine. It's the equivalent of an email's "outbox" — the file left your hands, but you don't know if it arrived.
- "Delivered." The recipient's fax machine confirmed it received every page. The carrier negotiated the T.38 (or G.711 fallback) handshake, transmitted the pages, and received an end-of-page acknowledgement for each one. This is what HIPAA-grade audit trails are built on.
Faxify reports "Delivered" only when the carrier (SignalWire) confirms end-of-page receipt at the recipient's machine. That's a timestamped artifact you can pull from the app — fax ID, recipient number, page count, send timestamp, delivered timestamp — and attach to a record. It's the same record SignalWire has on their side as the carrier of record, and if an audit ever needs to corroborate it from the carrier directly, the chain holds together.
Most competitors mark "Sent" when the upload completes. Some go further and report "Delivered" but only based on a server-side ACK that doesn't actually correspond to the recipient's machine confirming. If you're evaluating a service for a HIPAA workflow, ask exactly when the service flips the status to "Delivered" — and what the underlying signal is. The honest answer is "when the carrier confirms end-of-page at the recipient." Anything looser, and you don't have an audit trail.
A practical example: a clinic submits a prior authorization to an insurer, the patient's care gets denied two weeks later citing "no record of authorization," and the clinic needs to demonstrate the fax was received. With a carrier-confirmed delivered status timestamped to the minute, that's a one-screenshot resolution. With a "Sent" status from a vendor that doesn't confirm at the carrier layer, the clinic is in a he-said-she-said with the insurer's mailroom. Same fax, different audit posture.
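The "Sent" versus "Delivered" distinction above, as an added example that is not Faxify's or SignalWire's code: the event shape, the event type names, the "Pending" status and the function name are assumptions, and the sample events are constructed. The receipt flips to "Delivered" only when a carrier confirmation exists for every page.

```python
from datetime import datetime

# Constructed sample events (hypothetical shape). Note the server-side ACK,
# the out-of-order and duplicate confirmations, and an out-of-range page.
SAMPLE_EVENTS = [
    {"type": "upload_complete", "ts": "2026-03-02T14:05:11+00:00"},
    {"type": "server_ack", "ts": "2026-03-02T14:05:12+00:00"},
    {"type": "carrier_page_confirmed", "page": 2,
     "ts": "2026-03-02T14:06:40+00:00"},
    {"type": "carrier_page_confirmed", "page": 1,
     "ts": "2026-03-02T14:06:02+00:00"},
    {"type": "carrier_page_confirmed", "page": 1,
     "ts": "2026-03-02T14:06:05+00:00"},
    {"type": "carrier_page_confirmed", "page": 9,
     "ts": "2026-03-02T14:06:50+00:00"},
]


def build_receipt(fax_id, recipient, page_count, events):
    """Derive the audit record from raw events.

    Only carrier per-page confirmations count toward delivery. An upload
    completion or a server-side ACK never produces "Delivered".
    """
    parsed = sorted(
        ((datetime.fromisoformat(ev["ts"]), ev) for ev in events),
        key=lambda pair: pair[0],
    )
    sent_at = None
    first_confirm = {}          # page number -> earliest confirmation time
    for ts, ev in parsed:
        if ev["type"] == "upload_complete" and sent_at is None:
            sent_at = ts
        elif ev["type"] == "carrier_page_confirmed":
            page = ev.get("page")
            # Ignore confirmations for pages this fax does not have.
            if type(page) is int and 1 <= page <= page_count:
                first_confirm.setdefault(page, ts)

    missing = [p for p in range(1, page_count + 1) if p not in first_confirm]
    if sent_at is None:
        status = "Pending"
    elif page_count > 0 and not missing:
        status = "Delivered"
    else:
        status = "Sent"

    delivered_at = max(first_confirm.values()) if status == "Delivered" else None
    return {
        "fax_id": fax_id,
        "recipient": recipient,
        "page_count": page_count,
        "status": status,
        "sent_at": sent_at.isoformat() if sent_at else None,
        "delivered_at": delivered_at.isoformat() if delivered_at else None,
        "confirmed_pages": sorted(first_confirm),
        "missing_pages": missing,
    }


if __name__ == "__main__":
    # Page 3 was never confirmed, so this prints a "Sent" receipt.
    print(build_receipt("fax_0001", "+1-415-555-0100", 3, SAMPLE_EVENTS))
```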
Legal workflows have similar audit-trail needs — we'll cover the court-filing and service-of-process side in our upcoming online fax for law firms guide.
What you're still responsible for
No fax service — Faxify, eFax Corporate, RingCentral, Fax.Plus, anyone — makes your workflow HIPAA-compliant on its own. The vendor's job is to be HIPAA-eligible, sign a BAA with you, and operate within its terms. Your job is everything else:
- Signed BAAs with every business associate in your chain. Not just the fax service — also your EHR, email host, cloud storage, billing platform, and any IT contractor with PHI access. The chain is only as strong as its weakest link.
- Workforce training and access controls. Who can access PHI, how access is provisioned and revoked, how audit logs are reviewed. The fax service ships a tool; the policies on top of it are yours.
- Breach notification plan. What happens if PHI is exposed via misdialed fax, lost device, or vendor incident. HIPAA has specific notification timelines, and the plan needs to exist before you need it.
- Verifying the downstream recipient. A fax service can deliver a document; it can't verify the person on the other end is the right one. Misdialed faxes are a real source of PHI exposure incidents.
- Risk analysis and risk management. HIPAA's Security Rule requires a documented risk analysis covering systems that touch PHI, including the fax workflow.
For broader background on the modernization conversation around fax in healthcare, see our analysis of digital faxing in 2026. For the buyer-side overview of online fax in general, see what online fax is.
How Faxify actually fits in a HIPAA workflow
Here's the cleanest statement of where Faxify fits in a HIPAA workflow.
Faxify is a software service. We're not a HIPAA-covered entity. Upon BAA execution, Faxify becomes a business associate with respect to the PHI that passes through our service. Our BAA covers what we do: handle your document at upload, render it for transmission, ship it to SignalWire for carrier delivery, store it in Google Cloud Storage at rest, and surface the delivery status back to you. SignalWire's BAA — between SignalWire and us — covers the carrier transmission layer. Google Cloud's BAA covers the document at rest.
In practical terms, that means:
- The free tier is non-HIPAA. Free tier (25 pages/month, no credit card) is for evaluating the app, not for production PHI.
- HIPAA workflows require a custom business plan. No published Faxify tier ships with a BAA. A custom plan covers the specific requirements (page volume, data residency, retention windows, breach-notification cadence, multi-account configurations). Email faxify@constagility.com or schedule a call with our founder. We send the BAA template under NDA, usually within a day or two of the requirements call; custom terms are surfaced on that call.
- Pricing (published tiers). Basic plan is $4.99/month, or $3.33/month effective on the annual plan. Standard is $7.99/month, Professional is $9.99/month, Elite is $14.99/month — page volumes scale across the tiers. Every annual plan includes a dedicated fax number for receiving. On monthly billing, only Professional and Elite include the number; Basic monthly and Standard monthly are send-only. Fax-resolution mode is tiered too: Basic and Standard ship Standard mode, Professional ships Fine mode, Elite ships Super Fine. Email and phone support are on Professional and Elite; Basic and Standard get email-only support.
- You get the same toolkit healthcare admins keep asking for. Built-in mobile scanner (intake forms scanned from paper land directly in the fax queue), PDF tools for merging discharge summaries before sending, cover-page customization with a visual signature for the "From / To / Re:" header, and the carrier-confirmed delivered status on every send. The single-app workflow is, by itself, a real argument against the three-app stack most practices currently run.
When Faxify is not the answer
In keeping with the rest of our blog, here's the honest list of where Faxify isn't the right HIPAA fax choice:
- Multi-user clinics with separate per-user logins. Faxify is single-user today. If your front desk has five staff each needing their own login on the same fax line, we don't fit yet. Consider RingCentral healthcare or an enterprise eFax deployment.
- International fax destinations. Faxify delivers to US and Canada fax numbers only. For PHI workflows that need to fax internationally (rare but real — international referrals, foreign labs), eFax Corporate has broader coverage.
- Procurement processes that require a specific vendor name. If your hospital's IT department has already standardized on eFax Corporate or RingCentral and switching requires a 6-month vendor review, the cost of introducing a new vendor may exceed the savings.
- Workflows that need integrated EHR connectors. Faxify is a standalone fax service. We don't integrate directly into Epic, Cerner, or eClinicalWorks today. If your workflow expects faxes to land in the patient chart automatically without manual filing, talk to your EHR vendor about their preferred fax integration.
- High-volume practices needing 5,000+ pages/month. Our published plans top out at 2,000 pages/month on the Elite tier. For higher volumes, custom-tier pricing is available — but at very high volume, an enterprise-tier competitor may have economies of scale we don't.
For broader recommendations on HIPAA-eligible online fax across more buyer profiles, see our hub post on the best online fax service.
FAQ
Is Faxify HIPAA-compliant?
Faxify itself is not a HIPAA-covered entity. Faxify routes faxes through SignalWire's HIPAA-eligible carrier infrastructure with BAA coverage, and stores documents and metadata on Google Cloud under Google's BAA. If your workflow involves PHI, you remain responsible for your own HIPAA posture, including a signed BAA with Faxify before transmitting PHI in production. No published Faxify tier ships with a BAA — HIPAA workflows require a custom business plan that covers your specific requirements. Email faxify@constagility.com or schedule a call with our founder to start the conversation.
Do I need a BAA to send faxes containing PHI?
Yes. Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate and must have a signed Business Associate Agreement in place before that PHI is shared. That applies to your fax service the same way it applies to your EHR, your email host, and your billing platform. No BAA, no PHI — that's the rule, regardless of how "secure" the service markets itself.
What is the difference between "HIPAA-eligible" and "HIPAA-compliant"?
HIPAA-eligible means the service has the security controls and contractual posture (encryption, access controls, audit logs, willingness to sign a BAA) needed to be used in a HIPAA-compliant workflow. HIPAA-compliant is what the workflow is once all the pieces — the covered entity's policies, the BAAs with every business associate, the workforce training, the breach-notification plan — are in place. Vendors are eligible. Workflows are compliant.
How is Faxify different from eFax Corporate or Fax.Plus Enterprise for HIPAA workflows?
All three offer BAAs. The differences are price, transparency, and what's bundled. eFax Corporate is enterprise-priced with quote-on-request — most healthcare buyers won't see a number until a sales call. Fax.Plus's HIPAA BAA is gated to the $79.99/month Enterprise tier. Faxify has no published BAA tier; HIPAA workflows use a custom business plan covering page volume, data residency, retention, and multi-account configurations. Pricing is set during the requirements call. The all-in-one toolkit (fax + scanner + PDF + cover-page customization) is included on every paid tier — competitors ship fax only.
Where are HIPAA fax documents stored?
Faxify stores fax documents in Google Cloud Storage and account metadata in Google Cloud Firestore, both under Google Cloud's BAA. When a user deletes a fax (from the iOS app, Android app, web app, or via the MCP server), the document is cleared from storage and from carrier records at SignalWire. For free and expired-paid accounts, fax documents and transmission metadata are automatically deleted 30 days after the last activity or subscription expiry. For shorter retention windows under a specific BAA, email faxify@constagility.com.
What if the recipient I'm faxing isn't HIPAA-compliant?
That doesn't change Faxify's posture, but it changes yours. HIPAA permits PHI transmission to a recipient who is themselves a covered entity, business associate, or otherwise permitted recipient under the Privacy Rule. If you're faxing PHI to a clinic, hospital, lab, or insurer, they're typically covered. If you're faxing to a vendor or contractor handling PHI on your behalf, you need a BAA with them. If you're faxing to anyone outside that scope, that's a workflow problem your compliance officer needs to weigh in on — the fax service can't make that determination for you.
Is a fax "Delivered" status a HIPAA audit artifact?
A timestamped delivery receipt is part of the audit trail you'll want if a PHI transmission is ever disputed or audited. Faxify reports "Delivered" only when the recipient's fax machine confirms it received every page — carrier-confirmed at the SignalWire layer, not just when the file finished uploading. Most competitors report "Sent" when the file leaves their server, which tells you nothing about whether the fax reached the recipient. For HIPAA workflows, carrier-confirmed delivery is the artifact you want in the record.
For business volume or compliance needs
If you're a practice manager, healthcare IT lead, or compliance officer evaluating Faxify for a regulated workflow, the fastest way to get specific answers is to talk to a real person. Email faxify@constagility.com or schedule a call with our founder, Jangul Aslam. We'll send our BAA template under NDA, walk through the chain in writing, and discuss any custom terms — data residency, shorter retention, specific breach-notification cadence, multi-account configurations for small clinics. You'll get a real person on email, phone, or video, never a chatbot dressed up as support.
Ready to send a fax?
Faxify is free for the first 25 pages every month, with no credit card and no trial. The free tier is non-HIPAA. Paid plans start at $4.99/month (or $3.33/month effective on the annual plan, which adds a dedicated fax number for incoming faxes). For HIPAA workflows, the custom business plan path above is the right shape — no published tier ships with a BAA.
Don't need fax? Try NxtTools
NxtTools is our companion app — the same PDF tools, scanner, and document toolkit as Faxify, minus the fax core. Free, ad-supported, no account required. NxtTools is not HIPAA-eligible and is not the right tool for PHI workflows; it's the consumer-side companion for non-regulated document handling.
Written by Zoya Aslam at Const Agility, LLC — makers of Faxify.