Guest Column | July 27, 2017

3 Ways T.38 Real-Time Fax Is HIPAA Compliant

Reliability, Business Continuity Drive Demand For Cloud Adoption

By Steve Dorsey, CEO, babyTEL

Faxing is still an approved way of transmitting sensitive data and, if you haven’t guessed it by now, is still widely used in healthcare. Despite what you think of it as a technology, faxing is reliable and something medical offices are comfortable using.

However, with the sunsetting of the Public Switched Telephone Network and in advancements in fax technology, many healthcare organizations are looking for modern solutions that meet regulations and user needs. Today they’re finding a winner with T38 Fax over IP, a HIPAA-compliant fax service that uses encryption for secure, real-time transmissions with page-by-page confirmation.

If you’re not already familiar with HIPAA, let’s take a look at the high-level basics as it relates to faxing.

  • HIPAA allows doctors and hospitals to fax a patient’s medical information.
  • HIPAA requires doctors have appropriate security safeguards in place when faxing.
  • HIPAA Privacy Rules do not prohibit a “covered entity” from faxing protected health information to doctors.
  • Faxes sent over T38 SIP Trunks use patented real-time encryption that is HIPAA approved.

HIPAA Requires Safeguarding PHI
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is the national standard for protecting patients medical records personal health information. HIPAA ensures the security of protected health information (PHI) when it is transferred via any medium in any format. The HIPAA Privacy Rule does not prohibit a “covered entity” from faxing PHI, however healthcare providers are required to take appropriate security measures.

HIPAA Approved Real-Time Faxing For Healthcare
There are three areas healthcare fax solutions must meet in order to be HIPAA compliant:

  • Faxes sent over the internet can be automatically encrypted.
  • Faxes sent over T38 SIP trunks can take advantage of secure real-time transmission, not the unpredictable store-and-forward method.
  • Real-time faxing from Fax over IP gives you a page-by-page confirmation of the transmission.

The HIPAA Conduit Exemption
T38 SIP Trunks and T38 Fax Line services have a “HIPAA Conduit Exemption” and therefore do not require Business Associate status. T38 Fax and Fax Line do not require a Business Associate relationship as they are ‘real-time’ services with no data storage. The HIPAA conduit exemption describes this: “The conduit exception excludes only those entities providing mere courier services, and their electronic equivalents, such as mere data transmission services. A conduit transports information but does not access it.”

Fax Machines Valued For Privacy
It’s a challenge for individuals and businesses to maintain any semblance of privacy these days with easy access to information online. Protecting private information is critical for the success of any businesses, necessary for complying with regulations, and an absolute must to retain the trust of your customers.

Fax machines may be old technology, but the way in which data is transmitted is part of the reason why it’s still around. Thanks to Health Insurance Portability and Accountability Act (HIPAA) regulations for the healthcare industry and SOX and GLBA regulations for the finance industry, fax machines are valued for their privacy.

Overall, fax transmissions are more difficult for hackers to access as opposed to email and other online transactions. Faxing is a HIPAA-compliant way of sending and receiving sensitive patient information and in legal applications faxes can be a more efficient form of written communication because of the trouble and accuracy issues involved with gathering multiple email addresses.

Real Encryption, Not HTTPS
The ‘S’ in HTTPS stands for ‘secure.’ By its very nature HTTPS is a secure protocol for communication so, is it any better or worse than T.38?

HTTPS answered the need to send faxes securely from the fax server through the Internet at a time when customers were migrating telephony solutions from PSTN to IP and discovering that VoIP was not reliable for Internet fax.

Initially T.38 solutions did not offer encryption and had inherited VoIP’s reputation for poor Internet fax delivery success rates.  However, HTTPS faxes are temporarily stored at the provider level which may or may not be HIPAA or SOX compliant, if you’re a healthcare or legal organization. Faxes sent over T.38 SIP trunks are not stored, making them HIPAA and SOX compliant. This eliminates the possibility of an intruder altering or compromising the privacy of the content.

The combination of no data image storage and encryption enables full HIPAA compliance making encrypted T.38 IP fax services more secure than traditional dedicated fax lines.

About The Author
Steve Dorsey is the CEO of babyTEL ( in Montreal, Quebec. babyTEL provides VoIP home phone, business phone, SIP Trunking, mobile, and fax services through its Agent and Reseller network in over 7,000 locations in the U.S. and Canada with Social Network services available worldwide. Dorsey is credited with the development of the first screen-based programmable word processor and founder of Micom/Philips with annual sales that exceeded $200 million.