DDSFAX

HIPAA Compliance

Last updated: March 1, 2026

Our commitment: DDSFAX is built from the ground up to be HIPAA compliant. Every account, every fax, every feature — HIPAA is not an add-on or a premium tier. It's the baseline for everything we do.

Overview

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. As a cloud fax service used by dental practices, DDSFAX processes, transmits, and stores Protected Health Information (PHI) and is classified as a Business Associate under HIPAA.

Administrative Safeguards

  • HIPAA Privacy & Security Officer: A designated officer oversees all HIPAA compliance activities
  • Workforce training: All team members with potential access to PHI receive annual HIPAA training and sign confidentiality agreements
  • Risk assessments: We conduct comprehensive risk assessments annually and after any significant system changes
  • Policies & procedures: Written policies covering data handling, access management, incident response, and breach notification
  • Business Associate Agreements: Executed with all subcontractors who may access PHI (Telnyx, infrastructure providers)
  • Sanction policy: Documented procedures for workforce members who violate HIPAA policies

Technical Safeguards

Encryption

  • In transit: All data transmitted to and from DDSFAX is encrypted using TLS 1.2 or higher. Fax transmissions over the Telnyx network use the T.38 protocol with encrypted SIP signaling.
  • At rest: All stored data — including fax documents, metadata, and user information — is encrypted using AES-256 encryption
  • Key management: Encryption keys are managed using industry-standard key management practices with regular rotation

Access Controls

  • Unique user identification: Every user has a unique account with individual credentials
  • Role-based access: System access is restricted based on role and the minimum necessary principle
  • Automatic session timeout: Sessions expire after periods of inactivity
  • Multi-factor authentication: Required for all administrative and infrastructure access

Audit Controls

  • Comprehensive logging: All access to PHI is logged with timestamp, user identity, and action performed
  • Log retention: Audit logs are retained for a minimum of 7 years per HIPAA requirements
  • Monitoring: Automated monitoring and alerting for suspicious access patterns
  • Log integrity: Audit logs are stored in append-only storage to prevent tampering

Transmission Security

  • Carrier-grade network: Faxes are transmitted over Telnyx's private IP network, not the public internet
  • Delivery confirmation: Every fax transmission includes delivery verification with timestamps
  • Error handling: Failed transmissions are retried automatically with detailed error reporting

Physical Safeguards

  • Data center security: All data is hosted in SOC 2 Type II certified data centers with 24/7 physical security, biometric access controls, and video surveillance
  • Redundancy: Data is replicated across geographically separated facilities for disaster recovery
  • Media disposal: All storage media is securely wiped or destroyed when decommissioned following NIST 800-88 guidelines

Breach Notification

In the event of a breach of unsecured PHI, DDSFAX will:

  1. Notify affected covered entities without unreasonable delay and no later than 60 days after discovery
  2. Provide breach details including the nature of the PHI involved, steps individuals should take, what we are doing to investigate and mitigate, and contact information for further questions
  3. Cooperate fully with covered entities in their breach notification obligations to individuals and HHS
  4. Document all breach incidents and remediation actions

Business Associate Agreement

DDSFAX executes a Business Associate Agreement (BAA) with every customer. The BAA establishes the permitted uses and disclosures of PHI, our security obligations, and breach notification procedures.

View our standard BAA or contact us at hipaa@ddsfax.com to request a copy or discuss custom BAA requirements.

Subcontractors

DDSFAX maintains BAAs with all subcontractors who may have access to PHI:

  • Telnyx — Fax transmission carrier. Telnyx is HIPAA compliant and maintains its own comprehensive security program.

Your Responsibilities

As a Covered Entity using DDSFAX, you are responsible for:

  • Ensuring your use of DDSFAX complies with your own HIPAA policies
  • Securing access credentials for your DDSFAX account
  • Training your staff on proper handling of PHI when using the Service
  • Reporting any suspected security incidents to us promptly
  • Executing a BAA with DDSFAX before transmitting PHI

Contact Our HIPAA Privacy Officer

For HIPAA-related questions, concerns, or to report a security incident:

  • HIPAA Officer: hipaa@ddsfax.com
  • Security incidents: security@ddsfax.com