Is mFax HIPAA compliant? (2026 update)

mFax is an online cloud fax service for sending and receiving faxes digitally, commonly used for healthcare fax workflows. Documo markets this cloud fax offering as HIPAA-aligned and says BAAs are available for covered entities that need one.

Is mFax HIPAA compliant? Yes, mFax can be HIPAA compliant, but only when you sign a BAA and configure the service to meet your Security Rule obligations.

What changed this year

As of February 2026, Documo still describes BAAs as available for its cloud fax services.

Recent contract language also adds clearer AI-related boundaries. Documo’s subscription agreement includes the statement, “Documo shall not use Protected Health Information (“PHI”) for purposes of training machine learning or artificial intelligence models for use by other customers.”

Will mFax sign a business associate agreement (BAA)

Yes. Documo says customers who need a BAA should email support to receive a BAA for signature and return to their site.

What does the mFax BAA cover

Documo does not post the full BAA text publicly. The vendor instead provides a signed copy upon request.

Conclusion

mFax can be HIPAA compliant when Documo signs a BAA with the customer and the customer configures access controls, auditing, and operational processes to meet HIPAA requirements.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is a business associate agreement?

A BAA is a contract between a HIPAA covered entity and a vendor that handles PHI, and it sets privacy and security duties for the vendor.

What is HIPAA?

HIPAA is the U.S. law and set of rules that protect certain health information, including privacy and security standards for PHI.

Who does HIPAA apply to?

HIPAA applies to covered entities and to business associates that perform services involving PHI for those covered entities.