Every time a patient record, lab result, or prescription moves between healthcare providers, it has to travel securely. Fax remains the backbone of that transfer in US healthcare, and the rules around how it works are strict. HIPAA requires that any system handling protected health information meets specific technical safeguards, and not every fax solution qualifies.

The question most healthcare IT teams face is whether a cloud fax service or a self-hosted open source fax server better meets their HIPAA obligations. The answer depends on how seriously you take data residency, audit logging, and long-term cost control.

ICTFax is an open source fax server built on T.38 and FOIP protocols. It gives healthcare organizations full control over where their PHI lives, how access is logged, and who can touch the system. This guide covers what HIPAA actually requires for fax, where open source wins, and how to set up a compliant installation.

What HIPAA Requires for Fax Transmission

HIPAA’s Security Rule (45 CFR 164.312) doesn’t specifically mention fax, but it requires covered entities to implement technical safeguards for any electronic PHI. For a fax server, that translates to several concrete requirements:

  • Access controls: Only authorized users can send, receive, or view faxes containing PHI.
  • Audit logs: Every fax transmission must be logged with timestamp, sender, recipient, and status.
  • Encryption in transit: PHI transmitted electronically must be protected. For fax-over-IP, T.38 carried over a TLS-encrypted SIP trunk satisfies this.
  • Data integrity: You must be able to verify that faxes haven’t been altered or destroyed improperly.
  • Data residency: You must know exactly where PHI is stored and who has access to it.

That last point is where cloud fax services create risk. When you use a cloud fax provider, your PHI moves through their servers. You need a Business Associate Agreement (BAA), and you’re trusting their security practices. If they have a breach, you’re notified after the fact.

Why Self-Hosted Open Source Can Be More HIPAA-Compliant Than Cloud

Healthcare IT managers often assume cloud equals better security. That’s not always true. With a self-hosted open source fax server like ICTFax, you control every layer of the stack.

Your PHI never leaves your network unless you explicitly route it to an external recipient. You implement your own encryption standards. You define who has system access. You run your own audit trail in your own log management system. There’s no third party to trust or to sign BAAs with — the data is yours entirely.

Cloud fax services are convenient, but they introduce a third party into your PHI chain. That third party needs to be audited, needs to sign a BAA, and is a potential breach point. Self-hosting removes that layer entirely. Read more about ICTFax’s approach to open source faxing on the FOIP overview page.

ICTFax HIPAA-Relevant Features

ICTFax isn’t marketed specifically as a HIPAA fax server, but it has the technical building blocks that a compliant implementation requires:

  • T.38 protocol support: T.38 is the fax-over-IP standard that provides error correction and works over encrypted SIP trunks with TLS/SRTP. This satisfies the encryption-in-transit requirement when configured correctly.
  • Detailed transmission logs: Every outbound and inbound fax is logged with timestamps, status codes, and sender/recipient data.
  • Role-based access control: ICTFax supports multiple user roles, so you can restrict who can view, send, or administer faxes.
  • Multi-tenant architecture: If you’re a healthcare MSP or large health system, you can isolate different departments or facilities in separate tenant accounts.
  • Self-hosted data control: You choose where the server runs, who can SSH in, and how backups are handled.

See the full feature list on the ICTFax features page.

Setting Up a HIPAA-Compliant ICTFax Installation on Ubuntu

A compliant setup involves several layers beyond just installing the software. Here’s the high-level architecture:

Server hardening: Run ICTFax on a dedicated Ubuntu 22.04 LTS server. Disable root SSH login, use key-based authentication only, and enable the UFW firewall to restrict ports (allow only SIP/5060, RTP/10000-20000, and your web admin port on specific IPs).

TLS for SIP: Configure your SIP trunk with TLS and SRTP. ICTFax supports TLS-enabled SIP providers. This encrypts the signaling and media, satisfying the encryption-in-transit requirement for T.38 fax calls.

HTTPS for the web interface: Put a reverse proxy (Nginx) in front of the ICTFax web interface with a Let’s Encrypt certificate. Never expose the admin interface on plain HTTP.

Log forwarding: Ship ICTFax transmission logs to a centralized log management system (ELK stack, Splunk, or even simple syslog-ng). Retain logs for at least 6 years per HIPAA requirements.

Encrypted storage: Use full-disk encryption (LUKS on Linux) for the storage volume where received faxes are saved. This protects PHI at rest.

Backup to encrypted storage: Take regular encrypted backups of fax records to a separate encrypted storage location.

The ICTFax installation guide covers the base installation steps. HIPAA-specific hardening steps layer on top of that.
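The server-hardening and firewall steps above as a reviewable script, added here as an example and not code from the ICTFax project. It assumes a management subnet (ADMIN_NET) that may reach SSH and the admin interface, an Nginx reverse proxy listening on WEB_PORT, and SIP over TLS on its standard port 5061 for the TLS trunk step; it prints the commands by default and applies them only with APPLY=1.

```shell
#!/usr/bin/env bash
# Added example, not ICTFax project code: emit (and optionally apply) the host
# hardening described above. Dry run prints the commands for review; APPLY=1
# executes them as root on the Ubuntu host. ADMIN_NET and WEB_PORT are assumed.
set -euo pipefail

ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"   # assumed management subnet for SSH and admin UI
WEB_PORT="${WEB_PORT:-443}"              # assumed HTTPS port of the Nginx reverse proxy

# Firewall: deny by default; SIP signaling (5060, plus 5061 for SIP over TLS) and
# T.38/RTP media from the trunk side; SSH and the admin UI only from ADMIN_NET.
ufw_rules() {
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $ADMIN_NET to any port 22 proto tcp
ufw allow from $ADMIN_NET to any port $WEB_PORT proto tcp
ufw allow 5060/udp
ufw allow 5060/tcp
ufw allow 5061/tcp
ufw allow 10000:20000/udp
ufw --force enable
EOF
}

# SSH: keys only, no root login, written as a drop-in so package upgrades keep it.
sshd_hardening() {
  printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
                'PubkeyAuthentication yes' 'KbdInteractiveAuthentication no'
}

# Audit an sshd configuration read from stdin (a config file or "sshd -T" output):
# succeeds only if neither root login nor password authentication is enabled.
audit_sshd_config() {
  ! grep -Eiq '^[[:space:]]*(permitrootlogin|passwordauthentication)[[:space:]]+yes'
}

if [ "${APPLY:-0}" = "1" ]; then
  ufw_rules | while read -r cmd; do $cmd; done
  sshd_hardening > /etc/ssh/sshd_config.d/99-hipaa-hardening.conf
  systemctl reload ssh
  sshd -T | audit_sshd_config || { echo "sshd still allows root or password login" >&2; exit 1; }
else
  echo "# dry run: set APPLY=1 to execute as root"
  ufw_rules
  echo "# contents for /etc/ssh/sshd_config.d/99-hipaa-hardening.conf:"
  sshd_hardening
fi
```

Re-run `sshd -T | audit_sshd_config` after any later SSH change; the effective configuration, not the file you edited, is what the checklist item "SSH keys only" is about.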

Healthcare Use Cases

Referral management: Physician offices send referral packets (demographics, insurance, clinical notes) to specialists via fax. ICTFax can automate inbound referral receipt and route faxes to the right department or EMR workflow.

Lab results: Labs still fax results to ordering physicians. ICTFax can receive, log, and archive these automatically with timestamp and sender information preserved.

Prescription transmission: While e-prescribing has grown, controlled substance prescriptions in some states still require fax to the pharmacy. ICTFax supports this workflow with full audit logging.

Prior authorization: Insurance companies still rely heavily on fax for prior auth requests. ICTFax handles both outbound (sending requests) and inbound (receiving approvals) in the same platform.

Learn more about ICTFax’s email-to-fax and fax-to-email capabilities at the fax services overview.

HIPAA Fax Compliance Checklist

Use this as a starting framework for your compliance review:

  • [ ] TLS/SRTP enabled on all SIP trunks carrying PHI
  • [ ] HTTPS enforced on web admin interface
  • [ ] Full-disk encryption on fax storage volumes
  • [ ] Role-based access control configured; admin access reviewed quarterly
  • [ ] Transmission logs retained for 6 years minimum
  • [ ] Log forwarding to centralized, tamper-evident log store
  • [ ] Server hardened (SSH keys only, firewall rules, no unnecessary services)
  • [ ] Regular security patches applied (subscribe to Ubuntu security advisories)
  • [ ] Incident response plan includes fax server breach scenarios
  • [ ] Risk analysis documents fax server as PHI system

Frequently Asked Questions

Is ICTFax HIPAA certified?

HIPAA compliance is the responsibility of the covered entity, not the software vendor. ICTFax provides the technical tools you need — TLS support, audit logs, access controls — but HIPAA compliance depends on how you configure and operate the system. No software is inherently “HIPAA certified.”

Do I need a BAA with ICTFax?

If you self-host ICTFax on your own infrastructure, you don’t need a BAA with ICT Innovations because they don’t handle your PHI. If ICT Innovations provides hosting services, a BAA would be appropriate.

Can ICTFax receive faxes from legacy PSTN fax machines?

Yes. ICTFax connects to fax-enabled SIP trunks that bridge PSTN fax calls to T.38. Your SIP provider handles the PSTN gateway. Check the T.38 protocol page for technical details.

How do I handle faxes received outside business hours?

ICTFax stores all inbound faxes digitally with timestamps. You can configure email notifications for inbound faxes so staff can act on urgent items even when not logged into the web interface.

What’s the difference between ICTFax and eFax or RingCentral Fax?

eFax and RingCentral are cloud fax services where your PHI passes through their infrastructure. ICTFax is self-hosted — your fax data stays entirely within your infrastructure. Self-hosting generally gives you stronger data residency guarantees and eliminates the need for a third-party BAA.

Is T.38 required for HIPAA compliance?

HIPAA requires encryption of PHI in transit, but doesn’t mandate specific protocols. T.38 over TLS-encrypted SIP is the most common approach for compliant fax-over-IP. Standard G.711 fax (sending fax audio over a voice call) doesn’t provide the same level of error correction or encryption support.

Ready to Set Up Your HIPAA-Compliant Fax Server?

Open source gives healthcare organizations real control over their PHI in ways that cloud fax services simply can’t match. ICTFax is free to download, install, and use on your own infrastructure.

Start with the ICTFax download page to get the latest version, or visit ICTFax.org to learn more about the platform’s full capabilities.
