HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities (CEs) and their business associates (BAs) must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that sending important documents securely to other providers or to patients is fundamental to patient care. This is especially true with the recent digital transformation in healthcare and the current need to function more remotely.
RELATED: Historic Expansions of Telehealth to Combat COVID-19
Today, we will determine if GotFreeFax is HIPAA compliant or not.
Based in British Columbia, Canada, GotFreeFax is one of several online fax service providers that offer fax numbers for sending and receiving faxes through a web portal, by email, and/or even via mobile apps. GotFreeFax only offers users the ability to send (not receive) faxes through its web interface. Available plans are free (limited to recipients in the U.S. and Canada), premium, or business prepaid.
A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of a CE. In this instance, GotFreeFax is a BA for a healthcare organization if it transmits or stores PHI.
RELATED: Is a Name PHI?
Generally, the HIPAA Privacy Rule allows CEs to disclose PHI to a BA if they receive assurance that the information is protected through a signed business associate agreement (BAA). There is no mention of a BAA (or HIPAA) anywhere on GotFreeFax’s website.
Unfortunately, GotFreeFax does not specify its security protocols beyond gateway and database safeguards. The company affirms that it encrypts all paid faxes but not how.
PayPal handles all payment-related transactions, and the company does not process or access a client’s financial information. However, as we’ve stated in the past, PayPal is not HIPAA compliant.
RELATED: Guide to Online Payment Options & HIPAA Compliance
Furthermore, password security for paid business accounts is precarious; all that’s required is an account number (or email) and PIN. GotFreeFax does not ask for two-factor authentication. Finally, its Privacy Policy states that GotFreeFax collects user information, such as name, email address, and fax information, to:
The BAA is a key component of HIPAA compliance and GotFreeFax does not appear to offer a BAA. If a breach or HIPAA violation occurs, the CE is liable.
RELATED: Healthcare Data Breaches – A Haunting Reality
And ultimately, hidden security policies, weak password protection, and collected user information (i.e., PHI) must be concerning.
Conclusion
GotFreeFax is not HIPAA compliant.
Rather than waste time and energy with physical and electronic faxing, stick to sending and receiving important documents through HIPAA compliant email.
RELATED: Fax Machines Are Terrible for Healthcare – Here’s Why
Paubox will not only sign a BAA but will also work tirelessly to keep you safe without any added steps for the sender or recipient. With Paubox Email Suite, CEs have all outbound email (and file attachments) encrypted by default; users can send messages from existing email platforms (such as Microsoft 365 and Google Workspace). Emails are delivered directly to your recipients’ inboxes—no passwords or portals are required. When you need to send documents that contain PHI, HIPAA compliant email is the most secure method available.