Fjorra

Jul 9, 2026

Fax, HIPAA, and small clinics that need to move forward

Fax isn't banned under HIPAA. The exposure is in how you handle what comes through. Here's what that means.

Small clinics often run on fax because it’s what hospitals and insurance companies expect. The machine sits in the corner, receives referrals and prior auths, and someone manually enters the information into the system. It works, but it ties up staff time and creates gaps where protected health information sits on paper longer than it should.

The question isn’t whether fax is allowed. It is. HIPAA doesn’t ban fax machines. The regulation cares about how you secure and handle protected health information, not the specific tools you use to receive it. The exposure is in what happens after the fax comes through — who sees it, where it sits, how long it takes to file it, and whether it gets entered correctly.

What HIPAA actually says about fax

HIPAA requires that you protect patient information from unauthorized access and that you have reasonable safeguards in place. A fax machine in a locked room with limited access can meet that standard. A fax machine in a hallway where anyone walking by can read incoming pages probably doesn’t.

The law doesn’t specify whether you can use fax. It specifies that you need to control who accesses patient data, document your safeguards, and respond appropriately if something goes wrong. Fax is one tool. Whether it’s compliant depends on how you use it, not whether you use it.

That said, fax creates risk that newer tools don’t. A page sits in the tray until someone picks it up. If it’s busy, that might be hours. If someone misfaxes to your number, you’ve received someone else’s protected information, and now you need to handle that correctly. If your machine has a memory or stores logs, that’s another place data lives that you need to secure.

None of this makes fax illegal. It makes it harder to manage well. Clinics keep using it because the alternatives often require getting every external partner to change how they send information, and that’s not realistic for a small practice.

Where paper intake leaks time

When a referral comes in by fax, someone reads it, manually enters the patient information into your system, matches it to an existing record or creates a new one, files the paper copy, and follows up if anything’s unclear. That’s typically fifteen to thirty minutes per referral, depending on complexity and how complete the information is.

If the fax is hard to read, unclear, or missing information, it takes longer. If it goes to the wrong person first, it takes longer. If the patient calls before the referral is entered, staff has to explain they don’t have it yet, then go hunt for the fax. All of that is time that could go toward patient care.

The paper trail also creates exposure. The fax sits on someone’s desk until they get to it. It might get misfiled. Someone might pick up the wrong stack and take it home by accident. Every piece of paper with patient information on it is something you have to track, store securely, and eventually destroy according to your retention policy. Digital records don’t eliminate the risk, but they give you better control over who sees what and when.

Digitizing without a third party in the data path

Moving off fax doesn’t have to mean trusting a vendor with your patient data. Self-hosted solutions keep the data on infrastructure you control. You’re not sending protected information to someone else’s server. You’re receiving it directly into your own system.

A digital intake workflow typically works like this: external partners send referrals to a secure endpoint you control. The system parses the information, matches it to your records, and queues it for review. Staff verifies it’s correct, approves it, and it’s filed. The paper step is gone. The data never leaves your environment.

This doesn’t eliminate your HIPAA obligations. You still need to secure the system, control access, audit who sees what, and document your safeguards. But you’re doing that anyway. The difference is that the data flows directly into your records instead of sitting on paper first.

The key is that no third party processes the data. You’re not handing protected health information to a service that might store it, analyze it, or use it for other purposes. You’re replacing the fax machine with a system you run, on infrastructure you control, with the same level of access control you already have on your electronic health records.

That doesn’t make it automatically compliant. It makes it something you can secure the way you secure everything else. Whether it meets HIPAA standards depends on how you configure it, who you give access to, and whether you follow through on the administrative and technical safeguards the regulation requires.


Healthcare practices often keep fax running for years because replacing it feels like a compliance risk, and nobody wants to be the person who creates a HIPAA problem. We’ll review your intake workflow for free for one week and show you where the current process creates exposure and where moving off paper actually reduces it. You’ll get a written report with specific findings. Email [email protected] to start.

Tell us where the hours go. We'll find them in a week — free.

Free one-week legacy audit, no card, read-only. One written report of every manual re-entry, paper step, and dead system — priced. Then a fixed-quote cleanup (from $2,500) if you want it. You keep the report either way.

See what we fix