Security & Compliance

Compliant by Design, Secure by Protocol

T38Fax is SOC 2 certified and HIPAA compliant. The compliance story starts with how T.38 works — and it's simpler than most vendors make it.

Compliance That Starts at the Architecture Level

Most fax compliance conversations begin with certifications and end with a list of controls. With T38Fax, it’s worth starting one level deeper — with how T.38 actually works — because it changes the shape of every compliance question that follows.

T.38 is a real-time fax transmission protocol. When your equipment sends a fax over T38Fax, the data travels through our network in real time and terminates at the destination. We don’t store fax content on our servers. We don’t buffer it, index it, or retain it. There is no database of transmitted documents on our end, because the protocol doesn’t create one. The fax passes through and it’s gone — the same way a phone call works on a traditional POTS line.

This isn’t a policy decision. It’s a consequence of how the protocol operates. And it has direct, meaningful implications for HIPAA, for data security, and for the compliance posture of any organization that handles sensitive documents over fax.

T38Fax Compliance at a Glance

HIPAA Compliant

Trusted by healthcare organizations for HIPAA-compliant fax at scale. Fax content is never stored in transit. BAA available on request.

SOC 2 Certified

Independently audited security controls. Report and trust page available on request.

IPSec VPN Encryption

Optional encrypted transport at no additional charge. Encrypts SIP signaling and media path.

Private Dedicated Circuits

SD-WAN and direct cloud connections for environments requiring full network isolation.

Fax Content Never Stored in Transit

T38Fax is HIPAA compliant. The key to understanding our compliance posture is understanding how T.38 actually works: fax data travels through our network in real time and terminates at the destination. We transmit it — we don’t store it, access it, or retain copies of it. There is no database of your transmitted fax documents on our infrastructure.

This is a meaningful structural advantage compared to store-and-forward fax services, where documents containing Protected Health Information sit in a vendor’s database and must be secured, audited, and defended as a standing compliance obligation. With T38Fax, the document is gone as soon as it’s delivered.

A note on call detail records: Like any telecommunications provider, T38Fax retains call metadata — transmission timestamps, originating and destination numbers, duration, and completion status. In some interpretations of HIPAA, call metadata associated with healthcare communications may be considered PHI. If your compliance program requires it, we are happy to enter into a Business Associate Agreement. Contact our sales team to request one.

If your compliance team requires written confirmation of our HIPAA posture or supporting documentation, contact our sales team and we can provide materials for your records.

HIPAA-Compliant Faxing: How It Actually Works

The shorthand version of HIPAA compliance for fax — “we have a BAA, we’re good” — does real damage to the conversation. A Business Associate Agreement is necessary, but it is not sufficient. What actually makes fax over IP HIPAA compliant is a combination of how the protocol moves data, what the provider does with it, and what the provider can prove about its security controls. Here is what that looks like in practice.

HIPAA Compliance Is About How the Service Is Built, Not Just What It’s Called

Many fax providers describe themselves as HIPAA compliant on the strength of a signed BAA alone. The BAA is a contract — it states that the provider acknowledges its responsibilities under HIPAA when handling PHI. It does not, by itself, prove the provider has implemented the controls those responsibilities require.

At T38Fax, the contract sits on top of an architecture designed to make compliance demonstrable. T.38 is a real-time pass-through protocol. Faxes traverse our network as they happen and are not written to persistent storage. Our SOC 2 certified environment documents the access controls, change management, and monitoring practices that protect the network carrying that traffic. The BAA confirms our HIPAA obligations in writing; the architecture confirms we can meet them.

The Three Things That Make a Fax Service HIPAA Compliant

A genuinely HIPAA-compliant fax service has three properties. First, it controls what happens to the fax content. Whether through store-and-forward with encrypted storage or — in T38Fax’s case — real-time transmission with no storage at all, the provider must be able to describe precisely what it does with PHI and why. Second, it has independently audited security controls covering access, change, and incident response. SOC 2 certification is the most common form of evidence. Third, it will sign a BAA without making it a billable event or a sales-tier gate. Healthcare organizations that handle PHI need a BAA from every vendor in the chain, and a provider that hesitates to sign one is telling you something about its compliance maturity.

T38Fax meets all three: no fax content stored in transit, SOC 2 certification covering the environment, and a BAA available on request to any customer transmitting PHI.

Encrypted Fax Is Not the Same as HIPAA-Compliant Fax

This distinction is the source of considerable marketing-driven confusion. Encryption is a technical control that protects data in transit or at rest. HIPAA compliance is a regulatory framework covering how an organization handles PHI across its entire lifecycle. A service can offer end-to-end encryption and still not be HIPAA compliant if it lacks the surrounding controls. Conversely, a service that handles PHI correctly without point-to-point encryption can still meet HIPAA’s requirements if the transport satisfies HIPAA’s transmission security standard another way.

T38Fax offers both. The default transport — SIP and UDPTL over the public internet — meets the HIPAA transmission security standard when paired with our network controls and the real-time nature of the protocol. For organizations whose internal security policy requires encrypted transport regardless, we provide IPSec VPN tunnels at no additional charge. Either configuration is HIPAA compliant.

Independently Audited Security Controls

T38Fax is SOC 2 certified. SOC 2 is an independent audit of a service provider’s security controls conducted by a third-party CPA firm, confirming that our security controls are designed correctly to meet the Trust Services Criteria. SOC 2 certification is increasingly a baseline requirement for vendor approval in enterprise and regulated-industry environments.

Our security posture and certification status are published on our trust page at t38fax-incorporated.trust.site. For organizations that require the full SOC 2 report for vendor approval purposes, contact our sales team — we share the report with prospective customers under standard confidentiality terms.

Encryption and Private Network Options

For organizations that require encrypted transport between their infrastructure and T38Fax, we offer two options that address different levels of requirement: an encrypted tunnel over the public internet, and a private circuit that avoids the public internet entirely.

IPSec VPN tunnels are available at no additional charge. A VPN tunnel encrypts the SIP signaling and UDPTL media path between your network and our gateways, so fax traffic travels over an encrypted channel rather than over the public internet. This is the right option for most organizations with encryption requirements — it adds a meaningful layer of transport security without adding cost or significant configuration complexity.

Private dedicated circuits are available for environments with stricter network isolation requirements. If your security policy prohibits fax traffic from traversing the public internet under any circumstances — as is common in certain government, financial, and defense-adjacent environments — we can provision a private SD-WAN or direct circuit connection between your facility and our network. Additional monthly charges apply for this option; contact our sales team for details and lead times.

Direct Connections for Cloud-Hosted Fax Infrastructure

Organizations running fax servers or fax-capable infrastructure in cloud environments — AWS, Azure, and similar platforms — can connect to T38Fax directly without routing traffic through an on-premises network. Direct cloud interconnects are available for environments where standard SIP over the public internet does not meet your network policy requirements.

If your fax server runs in a hosted environment and you have specific connectivity requirements, contact our sales team to discuss your architecture. We’ve worked through a wide range of hosted configurations and can advise on the right connection model for your setup.

More on T38Fax

Frequently Asked Questions

Fax over IP can be HIPAA compliant — but compliance is a function of how the service is built, not something the protocol comes with by default. T38Fax is HIPAA compliant. Two things make that true. First, T.38 is a real-time pass-through protocol, not store-and-forward, so we never write fax content to disk. Faxes traverse our network as they happen and leave nothing behind. Second, we sign a Business Associate Agreement on request and operate a SOC 2 certified environment with audited access controls. If your existing fax service can’t make those same statements, it’s not the right place for PHI.

No. T.38 is a real-time protocol — fax pages move through our gateways as they’re transmitted and aren’t written to persistent storage. The fax session is between your equipment and the receiving fax machine. Our role is to carry the signal reliably, not to archive its contents.

Yes. We provide a BAA on request to any customer transmitting protected health information. Reach out through the contact form or call us and we’ll get the document moving. We don’t gate the BAA behind a sales tier or volume commitment — if you handle PHI, you need one, and we won’t make that complicated.

Yes. T38Fax is SOC 2 certified. The certification covers the controls around how we operate the network: access management, change management, monitoring, and incident response. Customers in regulated industries — healthcare, finance, government — routinely request our SOC 2 report during procurement, and we provide it under NDA.

We offer optional IPSec VPN tunnels to encrypt the SIP and media traffic between your network and ours. For customers who want a stronger network boundary, we also provision dedicated private circuits and direct connections into cloud providers like AWS for an additional charge. Encryption choices are customer-driven — the public internet is the default, and we’ll work with you to design a transport that fits your security posture.

T.38 Explained

T.38 Is Key to Faxing Reliably Over the Internet

Not all fax-over-IP services use T.38 — and the ones that don't make it obvious when faxes start failing. This guide explains how T.38 works, why ECM matters, and what to look for in a carrier that takes reliable fax transmission seriously.


Questions About Your Compliance Requirements?

Our team can walk through your specific environment, answer compliance questions, and help you confirm T38Fax meets your requirements before you commit to anything.