HIPAA compliance

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA privacy and security standards, and is responsible for conducting inspections, reviewing complaints, and conduct an educational activity.

But let's go to the worst-case scenario, non-compliance. In the event of HIPAA non-compliance, these agencies will ensure that businesses take corrective action and also take the following actions:

If the HIPAA breach affects more than 500 people, your business will be listed in the OCR's public record including the breach, the number of people affected and the date.

Also, depending on the extent of the HIPAA violation, your business may have to pay fines and even face criminal penalties in the most serious cases.

For this reason, all entities and companies that operate in the healthcare sector must ensure the regulations, using solutions that are HIPAA compliant, such as eComFax®, which fully complies with the HIPAA regulation for the healthcare sector.

What is the HIPAA fax rules?

HIPAA governs the privacy of medical information, ensuring the privacy of patients. Under HIPAA, professionals must observe the three rules of the law that govern privacy and security. These are the following:

Privacy Rule: Ensures privacy by keeping information that could identify a patient protected.

Security Rule: This rule governs how professionals keep electronic medical records safe.

Breach Notification Rule: If a security or data breach occurs, this rule governs who an entity reports and how.

Meet HIPAA fax requirements

HIPAA compliant virtual fax services ensure files are transmitted in accordance with the security rule. In addition, covered entities must regularly assess security risks, take reasonable steps to prevent breaches, document record keeping methodology, and audit systems to ensure information security.

In addition, physical security measures must be in place to prevent unauthorized access to computers, software, or documents that may contain private medical information.

HIPAA Fax Policy

The law does not specifically mention fax regulations, instead, taking a technology neutral approach, organizations must adhere to requirements aimed at keeping patient information secure. When it comes to a HIPAA fax service, the following necessary requirements must be met:

Correct recipient: Steps should be taken to ensure that faxes are sent to the correct recipient and no unnecessary mistakes are made.

HIPAA Compliant Fax Cover Sheet: A cover sheet is required to indicate the confidential nature of the information included.

A HIPAA compliant virtual fax service, such as eComFax®, ensures the secure transmission of confidential data such as patient clinical data, offering advanced security features such as SecureFax®, which can be set as the sending and delivery method, in a secure manner. that faxes do not leave the eComFax® platform, restricting their access to the registration of both parties in eComFax®.

By using the virtual fax solution, you don't need to worry about storing or destroying files or physical documents after sending or receiving them via fax, or even resting them in the fax machine waiting to be picked up, thus ensuring HIPAA security compliance.

eComFax® provides different security methods that are HIPAA compliant

Each action carried out in the application is monitored and recorded, leaving an unalterable log with the details of all the actions carried out by the users, being able to determine the authorship if necessary.

1. Exchange of encrypted documents

The fax protocol has inherent security features that make it a favourable medium for transmitting documents, avoiding interception or security breaches. We add encryption technology to this every time documents are transported to and from our network.

2. Encryption at Rest

All confidential data is encrypted at rest, this encryption protects your disk files, so that, if someone outside could access them, they would not be able to view them unless they have the decryption key. In eComFax® you cannot access this data in any usable way outside of our secure web portal.

3. Secure Socket Layer Protocol

Our web interface and API access can only be accessed over secure HTTPS connections. The SSL protocols enabled are TLS 1.2. In addition, eComFax® has enabled fingerprint (hash) calculation algorithms.

4. Data center security

All web servers, application servers, and databases are housed in state-of-the-art SSAE16 Type II secure facilities with redundant hardware, power, and Internet connectivity.

5. User authentication

All access points to the system require user authentication to access any secure data, in addition, recipients who want to view a SecureFax® or a PCIFax® have to register on the web, they must do a two-factor authentication procedure (a code will be sent via SMS to your mobile phone). We also implement automatic logout features for additional protection. The system includes advanced administrative controls with customizable user roles and permissions.

Access to the eComFax® platform for sending faxes can be done in the following ways:

  • Web page
  • Sending emails to mail subdomains * .ecomfax.com
  • Sending emails to the hipaa.ecomfax.com email subdomain
  • SDK web service.

Each of these accesses requires different security mechanisms to prevent fraudulent use by users who either are not registered on the platform, or are trying to impersonate an existing account to charge the costs of the service.

eComFax® Security Checklist

Safe and HIPAA compliant

We sign business partner agreements (BAA)*

PCI-DSS, GLBA, SOX compliant

Data at rest (in storage) protected by AES 256-bit encryption

Leverage Google's security model for cloud-based infrastructure

Web interface and API only accessible through a secure HTTPS connection

Web servers, application servers and databases housed in secure SSAE16 Type II facilities

All access points in the system require authentication to log in

All transmissions and activity are logged along with associated IP addresses for easy auditing

Customer Service and Technical Support specialized in the USA.

*Only with Enterprise subscriptions


Yes, eComFax® is HIPAA compliant by specifically addressing the protected health information of patients. The eComFax® sending and receiving processes are designed to comply with the most demanding regulations on the treatment of personal information, complying not only with HIPAA, but also with other financial sector regulations and legal practices.

When it comes to sending faxes, you must include a cover, whether you are sending a physical or digital fax. This cover adds an extra layer of protection for patient information.

The information included in the sheet must convey that the fax includes confidential information. Using the words "confidential" and "important" on the sheet helps ensure that you receive care. Do not put any information that could identify the patient on the cover. However, you must include your office contact number and a request to call immediately if the wrong person received the fax. These additions help ensure that you have the correct fax number on file.

Be sure to include the standard information on the cover page of the fax, such as the name and number of both the sender and recipient, the subject, and the number of pages.

Yes, you can use our API Rest to integrate virtual fax into your current communication system.

It is not necessary, all faxes transmitted through eComFax® servers are encrypted and HIPAA compliant, including those sent by fax machines connected to eComFax®.

Yes. Our virtual email fax service is included in all of our plans and can be used to enable email notifications for incoming and outgoing faxes. However, given the insecure nature of many email services, we do not recommend attaching faxes containing private information to emails directly. Instead, those files can be linked within the email and then accessed through our secure portal.