(coming soon) Enterprise customers on a HIPAA plan can send faxes directly from their email client - with full PHI compliance and no additional software required.
Overview
HIPAA email-to-fax is a dedicated, hardened workflow that lets authorised users send faxes by emailing a recipient fax number at a special domain. It is separate from standard email-to-fax and enforces compliance controls at the infrastructure level.
To use this feature, your organisation must have completed HIPAA onboarding, including activating Advanced Security Controls (ASC) - available within Enterprise accounts - and signing a Business Associate Agreement (BAA) with Fax.Plus.
Emails are sent to:
+1XXXXXXXXXX@tls.fax.plus
Two security tiers
Choose the tier that matches your organisation's compliance requirements. Both are HIPAA-compliant out of the box.
|
Tier 1 TLS enforced All email traffic is encrypted in transit using TLS. No additional setup beyond completing HIPAA onboarding. Works with any email client. 🔒 TLS encrypted✓ HIPAA compliant |
Tier 2 TLS + S/MIME Adds cryptographic sender verification on top of TLS. An admin uploads an S/MIME certificate once, and every email sent is digitally signed — proving who sent it. 🔒 TLS + S/MIME✓ Sender verified✓ Strongest posture |
Note: Tier 2 is recommended for organisations that require the strongest possible compliance posture or operate in high-audit environments.
How to get started
- Activate Advanced Security Controls (ASC) within your Enterprise account and sign the BAA with Fax.Plus.
- Confirm your plan is Enterprise with HIPAA mode enabled.
- For Tier 2 only: your admin uploads your organisation's S/MIME certificate in the Admin Console.
-
+1XXXXXXXXXX@tls.fax.plus, replacing the number with the destination fax number.
No new email client needed. This feature works with your existing email client. For S/MIME, your client must support digital signing — most enterprise email clients (Outlook, Apple Mail, Gmail via S/MIME add-on) do.
Setup — Tier 1 (TLS)
No setup is required beyond completing HIPAA compliance (ASC + BAA). Once both are in place, email-to-fax to @hipaa.fax.plus is automatically enabled with TLS enforcement.
Setup — Tier 2 (S/MIME)
Sign in to the Admin Fax.Plus account and go to Settings > Security > HIPAA.
- Locate the S/MIME Certificate section.
- If Advanced Security Controls (ASC) is not enabled or the Business Associate Agreement (BAA) has not been signed, the Upload button will be disabled.
- Hover over the tooltip to see which requirement is still missing.
- Once ASC is enabled and the BAA is signed, click Upload and select your S/MIME certificate file (.pem, .cer, .crt, or .p7s).
- Check your inbox for a confirmation email confirming that the certificate has been successfully uploaded.
- After confirmation, S/MIME verification is active for all emails sent through @tls.fax.plus for your organisation.
How it differs from standard email-to-fax
These are two separate features with different infrastructure, addresses, and compliance guarantees.
| Feature | Standard email-to-fax | HIPAA email-to-fax |
|---|---|---|
| Sending address | @fax.plus | @tls.fax.plus |
| Available on | All paid plans | Enterprise + HIPAA only |
| TLS enforced | No | Yes (Tier 1 & 2) |
| Sender verification | None | Cryptographic via S/MIME (Tier 2) |
| PHI compliant | No | Yes |
| BAA required | No | Yes |
Wrong address? If a HIPAA-enabled account sends to @fax.plus instead of @tls.fax.plus, the system automatically redirects the message to the HIPAA-compliant pipeline.
Frequently asked questions
Do I need to install anything?
No. HIPAA email-to-fax works with your existing email client. For S/MIME (Tier 2), your admin uploads a certificate once in the Admin Console — no per-user installation is required.
Who needs to sign the BAA?
Your organization must activate Advanced Security Controls (ASC) within your Enterprise account and sign the BAA with Fax.Plus before the feature is enabled. Contact your account manager to get started.
Can I use any email address to send?
Only email addresses added / provisioned as users within your HIPAA-enabled Fax.Plus account can send via this feature. Unauthorized senders are rejected at the infrastructure level.
What happens to faxes sent to the wrong domain?
HIPAA accounts attempting to send to @fax.plus are automatically redirected to the HIPAA pipeline. The separation is enforced at the infrastructure level — you cannot inadvertently send PHI through the non-compliant route.
What certificate formats are supported for S/MIME?
Fax.Plus accepts .pem, .cer, .crt, and .p7s certificate files.
What if my S/MIME certificate expires?
If your certificate expires, S/MIME signature verification will fail and faxes sent via Tier 2 will be rejected. Ensure your admin renews and re-uploads the certificate before the expiry date shown in Settings > Security > HIPAA.