HIPAA Compliance

Last updated: March 31, 2026

Our Commitment

FaxDash is committed to protecting the privacy and security of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act. We understand that healthcare providers, insurance companies, and other covered entities rely on fax for critical communications, and we take that responsibility seriously.

Business Associate Agreement (BAA)

FaxDash will execute a Business Associate Agreement (BAA) with any covered entity or business associate that uses our service to transmit, receive, or store PHI. Our BAA outlines our obligations to protect PHI in accordance with HIPAA requirements.

To request a BAA, contact us at hipaa@faxdash.io.

Technical Safeguards

  • Encryption at Rest — All documents and data are encrypted using AES-256 encryption via AWS server-side encryption (S3 and DynamoDB).
  • Encryption in Transit — All data transmission uses TLS 1.2 or higher. No unencrypted connections are accepted.
  • Access Controls — Unique user authentication via JWT tokens and API keys. No shared accounts or anonymous access.
  • Audit Trail — Immutable audit logging of all document access, views, downloads, and modifications with timestamps and user identification.
  • Automatic Logout — Sessions expire after inactivity to prevent unauthorized access.

Administrative Safeguards

  • Workforce Training — All employees with access to systems handling PHI receive HIPAA awareness training.
  • Risk Assessment — Regular risk assessments are conducted to identify and mitigate potential threats to PHI.
  • Incident Response — Documented breach notification procedures in compliance with the HIPAA Breach Notification Rule.
  • Minimum Necessary — Access to PHI is limited to the minimum necessary to provide fax services.

Physical Safeguards

  • AWS Infrastructure — All data is stored in AWS data centers that maintain SOC 1/2/3, ISO 27001, and HIPAA compliance certifications. AWS has executed a BAA with FaxDash.
  • No Local Storage — PHI is not stored on local workstations or mobile devices beyond temporary processing. All persistent data resides in encrypted cloud storage.

Document Vault

FaxDash provides a secure document vault with configurable retention policies for storing sent and received faxes. The vault includes:

  • Immutable audit trail for all document access
  • Configurable retention policies (30 days to 7 years)
  • Soft delete with recovery period
  • Automatic purging after retention period expires

Fax Transmission Security

  • Telnyx — Fax transmissions are processed through Telnyx, a HIPAA-compliant telecommunications provider that maintains its own BAA.
  • Direct Delivery — Faxes are transmitted directly to the recipient's fax machine or fax service without intermediate storage on third-party servers.
  • Delivery Confirmation — Transmission reports confirm successful delivery with timestamps and page counts.

Data Retention

  • Sent fax documents are retained for up to 3 years
  • Received fax documents are retained for up to 3 years
  • Temporary processing data (scanned images) is automatically deleted after 90 days
  • Audit logs are retained indefinitely
  • Customers can request early deletion of their data at any time

Breach Notification

In the event of a breach of unsecured PHI, FaxDash will notify the affected covered entity without unreasonable delay and no later than 30 calendar days after discovery, in accordance with 45 CFR § 164.410. The notification will include:

  • A description of the breach and the types of PHI involved
  • Steps the covered entity should take to mitigate harm
  • A description of what FaxDash is doing to investigate and prevent future breaches
  • Contact information for further inquiries

Subprocessors

  • Amazon Web Services (AWS) — Cloud infrastructure, storage, and compute. BAA in place.
  • Telnyx — Fax transmission and phone number provisioning. HIPAA-compliant with BAA.
  • OpenAI — AI document analysis (opt-in feature). PHI processing is governed by OpenAI's data processing terms. Users can disable AI analysis in settings.

Contact

For questions about our HIPAA compliance program, to request a BAA, or to report a security concern: