How FaxTerra implements HIPAA
HIPAA has no certificate — it’s a chain of security controls and signed agreements. Here’s ours, control by control, in plain language. Everything on this page is live for Healthcare-plan accounts today.
The controls, one by one
Each is a shipped part of the Healthcare plans — mapped to what HIPAA actually asks for.
A signed Business Associate Agreement
Every Healthcare account executes a BAA with FaxTerra electronically at signup, before any PHI is transmitted — no sales call, no negotiation cycle. You review the agreement at checkout and can download your executed copy from your account at any time. The executed BAA is retained as a legal record for the full six years HIPAA requires, and survives account closure by design.
Per-document encryption at rest
Every fax is encrypted with a unique per-document AES-256-GCM key, on top of encrypted storage and TLS 1.2+ in transit. Inbound faxes are encrypted in memory before they ever touch storage; a document is only decrypted when you view or download it — through a server-side proxy, never a public link — and that access is written to your audit log.
A complete, exportable audit log
Every view, download, and send of a document is recorded — who, what, when, from where — and retained for six years, exportable for your own compliance reviews. The log holds no fax content: pseudonymous user references plus access metadata only.
PHI-free notification emails
Notification emails for Healthcare accounts carry no PHI — no names, no fax numbers, no document details. They tell you a fax arrived or was delivered and link you to your encrypted inbox, where you authenticate to view it. No protected information travels over email.
BAAs down the whole vendor chain
Everywhere your PHI is stored or processed, a BAA is in place — our object storage, database, hosting, and error-monitoring vendors each operate under their own BAA with us. Your PHI never touches a vendor outside that chain, and our error monitoring scrubs PHI before any event leaves the app.
The phone-network leg: the conduit exception
The telephone-network transmission of a fax is carried by telecom carriers acting as conduits under HIPAA's conduit exception — the same legal basis on which postal mail, the telephone, and every fax operate. A conduit that merely transports PHI without accessing it doesn't require a BAA; everywhere your documents are actually stored or processed, one is in place.
What we don’t claim
Being straight about the boundary is part of being trustworthy.
There is no such thing as "HIPAA-certified." HIPAA has no certificate and no certifying body. Any fax service that implies otherwise is overstating. We self-attest to the controls above and sign a BAA covering the storage and processing of your PHI.
We do not hold HITRUST or SOC 2 certification at this tier. Those are enterprise attestations. If your organization requires a third-party certification today, we will tell you we are not there yet rather than imply we are.
We are compliant online fax, not an interoperability platform. FaxTerra Healthcare does not offer EHR/EMR integration, Direct Secure Messaging, or a public API. It is for practices that need to fax PHI, done right — not to exchange structured records.
The full compliance picture, and what your data does over its lifetime, is on our security and privacy pages.
Common questions
Is FaxTerra HIPAA compliant?
On a Healthcare plan, yes — FaxTerra provides the controls HIPAA requires for faxing protected health information: a signed BAA, encryption in transit and at rest, an audit log, and PHI-free notifications. There is no such thing as being "HIPAA-certified" — HIPAA has no certificate or certifying body — so we self-attest to those controls and sign a BAA rather than claim a certification no one can actually hold.
How is PHI encrypted?
Each document is encrypted individually while stored — its own AES-256-GCM key per document — on top of encrypted storage, and it travels over an encrypted connection (TLS 1.2+). A document is only decrypted when an authorized user views or downloads it, through a server-side proxy, and that access is written to your audit log.
What about the phone-network leg of a fax?
The telecom transmission itself is handled by carriers acting as conduits under HIPAA's conduit exception (78 FR 5571) — the same basis on which every fax, phone call, and piece of postal mail operates. Everywhere your documents are stored or processed, a BAA is in place.
Do you have SOC 2 or HITRUST certification?
Not at this tier — those are enterprise attestations we do not currently hold, and we would rather say so than imply otherwise. What we do provide is the full set of technical and administrative HIPAA controls plus a signed BAA. If a third-party certification is a hard requirement for your organization, we are not the right fit today.
How do I get these controls on my account?
They come with any Healthcare plan. Start on the Healthcare page, pick a tier, and execute your BAA inline at checkout — every Healthcare tier carries the identical controls, so you are only choosing a monthly page allowance.
Compliance that’s built in, not bolted on
See the Healthcare plans, review your BAA at checkout, and start faxing PHI the compliant way.