Faxing is a transport service... is the concern around security and privacy while en route from the API to the destination?
If there was a way to facilitate that transfer without compromising privacy or security en route would that address HIPAA concerns?
We've developed a privacy-preserving trust relay protocol which might be applicable to use cases like this; that's why I am asking: https://www.cipheredtrust.com/
http://www.hitechanswers.net/when-does-the-hipaa-conduit-exc...
You would facilitate that transfer by having both parties (business associates/covered entities) enter into a legally binding business associate agreement that outlines how PHI would be protected.
Scrypt is a company that does faxing in the health tech space today and they sign BAAs and went through a HITRUST assessment.
EDIT:
So, maybe let me clarify what I mean about facilitating that transfer of data.
So, let's say there is:
Vendor ----> Health Care Provider
Even if you are sending data over TLS or some other encrypted protocol, the Vendor and the Health Care Provider need to have an agreement to protect patient data which restricts what can be done with the PHI being transmitted. If you add a new party to this equation, like:
Vendor ----> Twilio ----> Health Care Provider
Even if you encrypt the data to Twilio and Twilio "promises" not to store the data and promises to encrypt the data when sending it downstream, promises aren't good enough in the eyes of HIPAA/HITECH. You need to have an agreement in place like a Business Associate Agreement in which all parties agree to protect PHI. You can read more about what these agreements commonly outline here: https://datica.com/academy/business-associate-agreements/
There are exceptions to this, referred to as the "Conduit Exception" of HIPAA, which were clarified in 2013. This doesn't really apply to API vendors or someone like Cloudflare. It applies more to phone carriers, postal services and ISPs.
It's a complex topic, but I can keep jamming to discuss some of the nuances.
Of course there may be other caveats that I am not aware of, I don't know much about HIPAA.
EDIT:
You don't need to trust Twilio (or any intermediary)... You can transmit encrypted information end-to-end without any risk that the intermediary can access it. That is the solution we've created with our API; you can see the full docs here: https://www.cipheredtrust.com/doc/
Now you have to store all of these faxes encrypted at rest, log who has accessed any of the files and why they needed access, always transmit over HTTPS, have safeguards to ensure high availability, and the list goes on and on. Surprisingly, HIPAA/HITECH does not have an authority or a checklist by which you can guarantee compliance. That designation is solely determined by the covered entity or their business associates, since the rules allow for a lot of leeway in implementation. Due to this ambiguity a lot of people will forego the healthcare field entirely, which causes crazy prices for what I think are relatively simple services.
HIPAA (and a broad swath of other tech legislation) is not necessarily indicative of actual security. For example, HIPAA-compliant hospitals are currently seeing a rash of ransomware attacks; any meaningful definition of computer security would include defenses against these kinds of things. HIPAA is domain-specific policy with a poor understanding of the domain. That's (in no small part) a bilateral educational failure; technology makers don't understand policy and policy makers don't understand technology.
But everyone trusts fax since it goes over "secure" voice lines.... even though in many cases it doesn't.