It never occurred to me that analog fax was still something used, but my kids’ optometrist asked me to fax in a copy of their insurance card. So I asked them if I could email it to them and they said that it would not be HIPAA compliant to do so to which I responded that I could send them an encrypted email – they were not amused. This interaction begged the question is HIPAA compliant analog fax possible. According to Frequently Asked Question (FAQ) section HHS.gov site:
Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, e-mail, or over the phone?
Answer: Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.
The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.
So the short answer is a surprising yes they can do HIPAA compliant analog fax with a standard old facsimile machine with the numbers pre-programmed in. If they have moved on the digital fax technology then similar safeguards to email must be put in place for the storage and transmission of that data.