Is mFax HIPAA compliant?

Featured image

Share this article

mFax logo

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that sending important documents securely to other providers or to patients is fundamental to patient care.

This is especially true with the recent digital transformation in healthcare and the current need to function more remotely.

RELATED: Historic Expansions of Telehealth to Combat COVID-19

Today, we will determine if mFax is HIPAA compliant or not.

About mFax

Based in Delaware, mFax is one of several online fax service providers that offer fax numbers for sending and receiving faxes through a web portal, by email, and/or even via mobile apps. mFax clients can use the company’s web interface or a personal email account to send faxes.

It is part of the Documo Suite, a document workflow solution created “to make documents easy, more secure, and friendly towards our planet.”

The company offers four plans: Solo, Team, Business, and Infinity. All plans include faxing to the U.S. and Canada. Finally, mFax allows users to keep their existing fax number or will provide one if necessary.

mFax and the business associate agreement

A BA is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI on behalf of a CE.

In this instance, mFax (Documo) is a BA for a healthcare organization if it transmits or stores PHI.


Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed business associate agreement (BAA).

While mFax addresses HIPAA compliance within its blogs, there is no mention of signing a BAA. An mFax discussion from two years ago, however, suggests that Documo understands the importance of BAAs. CEs should contact the company for more information.

mFax and security

The mFax website contains a page dedicated to HIPAA regulations and HIPAA compliant faxing. And on the web page, mFax includes a list of its HIPAA compliant features:

1) Encrypted document exchange

2) At rest encryption

3) Secure socket layer protocol

4) Audit trails

5) User authentication at all system points

6) Data center security

Moreover, the company has an auto-logoff feature, advanced administrative controls, and IP address restrictions.

RELATED: Increase Online Security With a Robust Password Policy

The Documo Security web page states that the company uses the Google Cloud Platform because of its commitment to “safeguarding sensitive data.” As we have noted, Google Cloud services can be HIPAA compliant as long as a BAA is signed.

Is mFax HIPAA compliant?

The BAA is a key component of HIPAA compliance and mFax appears to offer a BAA, but CEs should contact Documo to confirm. Without one, if a breach or HIPAA violation occurs, a CE is liable.

RELATED: Healthcare Data Breaches – A Haunting Reality

Furthermore, mFax displays its stringent cybersecurity practices on its website and seems to understand what HIPAA compliance means.


mFax is HIPAA compliant with a signed BAA.

HIPAA compliant email—a better alternative to fax

However, rather than waste time and energy with physical and electronic faxing, CEs should stick to sending and receiving important documents through HIPAA compliant email.

Free Whitepaper “Kill the Fax”

Especially if there is uncertainty about a fax company signing a BAA.

RELATED: Fax Machines Are Terrible for Healthcare – Here’s Why

Paubox will not only sign a BAA but will also work tirelessly to keep you safe without any added steps for the sender or recipient. With Paubox Email Suite, CEs have all outbound email (and file attachments) encrypted by default; users can send messages from existing email platforms (such as Microsoft 365 and Google Workspace). Emails are delivered directly to your recipients’ inboxes—no passwords or portals are required.

When you need to send documents that contain PHI, HIPAA compliant email is the most secure method available.

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Kapua Iao

Read more by Kapua Iao

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022