
Building a HIPAA-Compliant AI Agent: Fax, PHI, and What You Need to Know

AI agents are moving into healthcare fast. Prior auth submissions, referral routing, record retrieval, insurance follow-ups. Most of it still runs through fax. If your agent touches protected health information, HIPAA compliance is not optional, and the rules for AI are the same as the rules for humans.

By FaxDrop Team · 6 min read

Why Healthcare AI Agents Hit Fax Sooner Than You Expect

You can build a perfectly capable AI agent that reads patient notes, identifies prior authorization requirements, and prepares the right form. Then it needs to submit that form to an insurance company. The insurance company still accepts fax only. This is not an edge case.

By most industry estimates, over 70% of healthcare communication still moves via fax. Insurance payers, specialist offices, pharmacies, and government agencies have not moved off it. Building a healthcare AI agent that cannot fax is like building a car that cannot make left turns.

The good news: adding fax to an AI agent is straightforward with the right API. The compliance part takes more thought.

What HIPAA Actually Requires for AI Agents

HIPAA does not have a special category for AI. If your agent handles protected health information (PHI) on behalf of a covered entity, the organization that builds and operates it is a business associate under HIPAA (and if the agent is in-house, the covered entity's own obligations apply). The Privacy and Security Rules are technology-neutral: the same rules that apply to a human employee or a third-party vendor apply to your agent's workflow and to every service it calls.

That means every external service your agent uses to process, store, or transmit PHI needs a signed Business Associate Agreement (BAA) before any PHI flows through it. Your fax API provider, your storage layer, your LLM provider if you are passing clinical data through it. All of them. The conduit exception does not help here: it covers carriers that merely transport data, like an ISP or the phone network, and a fax API that receives and renders your document is handling PHI, not just carrying it. A signed BAA is also only the starting point; it does not make an insecure configuration compliant.

The core requirements are a documented risk analysis that covers the agent, audit controls (log what your agent sent, when, and to whom), minimum necessary access (the agent should only see the PHI it needs for the task), encryption of PHI in transit and at rest (an addressable specification in the Security Rule, but in practice the expected control), and breach notification procedures. None of this is specific to AI; HIPAA regulates the data and the workflow, not the technology.

The BAA Problem with Fax APIs

Most fax API providers do not offer a BAA. Twilio deprecated its Fax API in 2021. Many remaining providers are priced for high-volume enterprise accounts, not developer workflows. Finding a fax API that will actually sign a BAA at a reasonable price is harder than it should be.

FaxDrop is built on Sinch infrastructure, which provides HIPAA-covered services with BAA availability. When you use FaxDrop to send faxes programmatically from your AI agent, you are transmitting through infrastructure that supports BAA coverage for healthcare use cases.

The other piece: fax has a long track record in HIPAA compliance. HHS guidance explicitly recognizes fax as an acceptable way to transmit PHI with appropriate safeguards, such as confirming the destination number and using a cover sheet. One nuance matters for an API, though: a cloud fax is not a paper fax machine. Your document travels to the provider as electronic PHI over the internet, so the Security Rule's transmission security requirements (TLS in transit, access controls on the provider side) apply to that leg, on top of the traditional fax safeguards.

How to Add Fax to Your AI Agent with the FaxDrop API

The FaxDrop API is a single REST endpoint. Your agent sends a multipart POST request with the recipient fax number and a document file (PDF works best). The API returns a fax ID, and you can poll for delivery status or register a webhook to receive status updates.

For an MCP-compatible workflow, you can expose this as a send_fax tool. The tool accepts to (recipient fax number) and file_url (URL or base64 of the document). The agent calls the tool, the tool calls the API, and the fax goes out. The agent gets delivery confirmation back. Keep the API credential and the input validation (number format, document type) inside the tool: the model supplies only to and file_url, and never sees the key.

Cover page generation is handled automatically or can be configured per request. For healthcare workflows, include the standard HIPAA confidentiality notice on every cover page. See the HIPAA fax cover page guide for what to include.

What to Log and Why

HIPAA requires that you maintain audit logs of PHI access and transmission. For a fax-sending AI agent, that means logging at minimum: the timestamp, the recipient fax number, the type of document sent (not the contents), the agent action that triggered the send, and the delivery confirmation.

Do not log the full document contents in your application logs. Log the metadata. Store the document itself in encrypted storage with access controls. If you are using a vector store or document retrieval layer, make sure it is also BAA-covered.

FaxDrop provides delivery confirmation in the API response and via webhook. That confirmation record is useful audit evidence: you sent this document, to this number, and it was delivered at this time. Keep it.
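Putting the API description and the logging requirements above into code, here is an added example (not FaxDrop's code or its documented API) of a send_fax tool: it validates the recipient number and document type inside the tool, builds the multipart POST with the standard library, and writes an audit record that carries metadata and a SHA-256 of the document rather than the document itself. The endpoint URL, the to and file field names, the Bearer auth header, and the id/status fields in the response are assumptions; the sample PDF bytes are constructed. The tool is shown receiving the document bytes (fetching a file_url or decoding base64 happens before this call), and the transport is injectable so the demo runs offline; urllib_transport shows the real call.

```python
"""Added example: a send_fax tool for an agent that enforces minimum-necessary
input, builds the multipart POST, and writes a metadata-only audit record.
Endpoint, field names, auth header and response shape are assumptions for
illustration, not FaxDrop's documented API."""
import hashlib
import json
import re
import secrets
import urllib.request
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable

FAX_API_URL = "https://fax.example.invalid/v1/fax"  # assumed, not a real endpoint
E164_US = re.compile(r"^\+1[2-9]\d{9}$")            # US numbers only, for the example
Transport = Callable[[str, dict, bytes], dict]      # (url, headers, body) -> parsed JSON


@dataclass
class AuditRecord:
    """What goes in the application log: metadata, never the document."""
    ts: str            # when the agent sent it (UTC)
    recipient: str     # destination fax number
    doc_type: str      # e.g. "prior_auth_form", not the contents
    doc_sha256: str    # proves which file was sent without storing PHI in the log
    triggered_by: str  # agent action / task id that caused the send
    fax_id: str        # provider's id, join key for the delivery webhook
    status: str        # initial status from the API response


AUDIT_LOG: list[dict] = []


def build_multipart(fields: dict[str, str], filename: str, pdf: bytes, boundary: str) -> bytes:
    """Hand-rolled multipart/form-data body (stdlib only, no requests dependency)."""
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    file_header = (
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/pdf\r\n\r\n"
    )
    parts.append(file_header.encode() + pdf + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts)


def send_fax(to: str, pdf: bytes, doc_type: str, triggered_by: str,
             api_key: str, transport: Transport) -> AuditRecord:
    """Validate inputs, submit the fax, and record a metadata-only audit entry."""
    if not E164_US.match(to):
        raise ValueError("recipient must be an E.164 US number, e.g. +15551234567")
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("only PDF documents are accepted")
    boundary = "----agentfax" + secrets.token_hex(8)
    body = build_multipart({"to": to}, f"{doc_type}.pdf", pdf, boundary)
    headers = {
        "Authorization": f"Bearer {api_key}",  # assumed auth scheme
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    resp = transport(FAX_API_URL, headers, body)
    record = AuditRecord(
        ts=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        recipient=to,
        doc_type=doc_type,
        doc_sha256=hashlib.sha256(pdf).hexdigest(),
        triggered_by=triggered_by,
        fax_id=str(resp.get("id", "")),
        status=str(resp.get("status", "unknown")),
    )
    AUDIT_LOG.append(asdict(record))
    return record


def urllib_transport(url: str, headers: dict, body: bytes) -> dict:
    """Real transport: POST the multipart body over TLS and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.loads(r.read().decode())


def fake_transport(url: str, headers: dict, body: bytes) -> dict:
    """Offline stand-in for the API, used by the demo and tests."""
    assert headers["Authorization"].startswith("Bearer ")
    assert b'name="file"; filename=' in body and b"%PDF-" in body
    return {"id": "fax_demo_001", "status": "queued"}


# Constructed sample: a stand-in PDF whose bytes contain PHI that must never hit the log.
SAMPLE_PDF = b"%PDF-1.4\n% Patient: Jane Doe, DOB 1980-02-14, MRN 44817\n%%EOF\n"


def log_leaks_phi(phi_values: list[str]) -> bool:
    """Audit check: does any PHI string appear anywhere in the application log?"""
    serialized = json.dumps(AUDIT_LOG)
    return any(v in serialized for v in phi_values)


if __name__ == "__main__":
    rec = send_fax("+15551234567", SAMPLE_PDF, "prior_auth_form",
                   "task-7f3a/submit_prior_auth", "demo-key", fake_transport)
    print(json.dumps(asdict(rec), indent=2))
    print("PHI in log:", log_leaks_phi(["Jane Doe", "MRN 44817", "1980-02-14"]))
```

The hash lets you prove later which document went out without keeping PHI in the log, and the fax_id is what you join against when the delivery webhook arrives. A check like log_leaks_phi belongs in your test suite, so a refactor that starts logging request bodies fails CI instead of surfacing in a breach investigation.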

LLMs and PHI: The Part Most Developers Miss

If your agent uses an LLM to process clinical notes or generate prior auth requests, you are passing PHI to an external model provider. That provider needs a BAA too, and so does any tracing, evaluation, or observability tool that records prompts and completions, because those records contain the same PHI. Most consumer-tier LLM APIs do not offer one.

The practical options: use a model provider whose HIPAA BAA covers the service you call (Azure OpenAI, Amazon Bedrock, and Google Vertex AI are all offered as HIPAA-eligible services under their platforms' BAAs), run a model on your own infrastructure, or strip PHI before it reaches the model and reinsert it into the output. In the first case the BAA covers the platform, not your configuration: keep requests in the covered services and regions and disable any feature that retains prompts outside that boundary. The last option is architecturally complex and error-prone.
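As an added illustration of the strip-and-reinsert option (example code, not FaxDrop's or any vendor's): the agent already holds the patient's structured fields, so it can replace those exact values with typed placeholders before the prompt leaves the BAA-covered boundary and restore them after the model responds. The round-trip check is the important part, because models paraphrase, drop, or rewrite placeholders, and a naive reinsertion then silently loses data, which is what makes the approach error-prone. The patient record, the note, and the two simulated model replies are constructed.

```python
"""Strip-and-reinsert (added example, not vendor code): swap known PHI values
for placeholders before the prompt leaves the covered boundary, restore them
after the model responds, and verify the round trip. Only values present in
the structured record are redacted; free-text identifiers the record does not
list would pass through, which is one reason the approach is error-prone."""
import re

# Loose match so mangled variants like "<<PHI NAME 1>>" are also caught.
PLACEHOLDER_LIKE = re.compile(r"<<PHI[^>]*>>")


def redact(text: str, phi: list[tuple[str, str]]) -> tuple[str, dict[str, str]]:
    """Replace each (kind, value) pair with a typed placeholder such as <<PHI_NAME_1>>.

    Longer values are replaced first so a value that is a substring of another
    (a surname inside a full name) is not split by an earlier substitution.
    """
    mapping: dict[str, str] = {}
    counts: dict[str, int] = {}
    for kind, value in sorted(phi, key=lambda kv: len(kv[1]), reverse=True):
        counts[kind] = counts.get(kind, 0) + 1
        token = f"<<PHI_{kind}_{counts[kind]}>>"
        mapping[token] = value
        text = text.replace(value, token)
    return text, mapping


def rehydrate(model_output: str, mapping: dict[str, str]) -> tuple[str, list[str]]:
    """Restore PHI into the model output and return any placeholders that did not survive.

    A non-empty problem list means the output must not be used as-is: the model
    dropped a field, or rewrote a token so the original value cannot be restored.
    """
    missing = [token for token in mapping if token not in model_output]
    restored = model_output
    for token, value in mapping.items():
        restored = restored.replace(token, value)
    stray = PLACEHOLDER_LIKE.findall(restored)  # placeholder-shaped text that survived
    return restored, missing + stray


# Constructed sample data: a patient record and a clinical note that mentions it.
RECORD = [("NAME", "Jane Doe"), ("DOB", "1980-02-14"), ("MRN", "44817")]
NOTE = ("Patient Jane Doe (DOB 1980-02-14, MRN 44817) requires prior authorization "
        "for an MRI of the lumbar spine.")

# Two simulated model replies to the redacted prompt: one preserves the tokens,
# the other rewrites one token and drops another (a realistic failure).
GOOD_OUTPUT = ("Request: prior authorization for lumbar spine MRI. "
               "Patient <<PHI_NAME_1>>, DOB <<PHI_DOB_1>>, MRN <<PHI_MRN_1>>.")
BAD_OUTPUT = ("Request: prior authorization for lumbar spine MRI. "
              "Patient <<PHI NAME 1>>, MRN <<PHI_MRN_1>>.")


if __name__ == "__main__":
    prompt, mapping = redact(NOTE, RECORD)
    print("prompt sent to model:", prompt)
    for label, output in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        restored, problems = rehydrate(output, mapping)
        print(f"{label}: {restored}")
        print(f"{label} problems: {problems or 'none'}")
```

Treat any non-empty problem list as a hard failure that routes the task to a human rather than to the fax step: the bad reply above has lost the date of birth entirely and would otherwise go out with a literal placeholder where the patient's name belongs.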

The fax layer is the easier part of this problem. The model layer is where most healthcare AI compliance efforts stall. Plan for it early.

Quick Checklist Before You Deploy

  • BAA signed with every vendor that touches PHI (fax API, LLM provider, storage, logging)
  • Audit logs recording what was sent, when, and to whom (not document contents)
  • HIPAA fax cover page included on every outbound transmission
  • Minimum necessary access: the agent only sees data it needs for the current task
  • Breach notification procedure documented and tested
  • Encryption in transit and at rest for all PHI storage
  • Employee training updated to include AI agent workflows (yes, this is required)

For the full technical spec on the FaxDrop fax API, including authentication, error handling, and webhook setup, see the Fax API Guide and the developer documentation.


Frequently Asked Questions

Can an AI agent handle PHI and still be HIPAA compliant?

Yes, but only if the entire workflow is designed for HIPAA compliance, including access controls, logging, vendor agreements, and data handling rules.

Why does fax matter in a healthcare AI workflow?

Healthcare teams still exchange referrals, records, and signed forms by fax. If your agent touches real operations, fax usually appears quickly.

Does FaxDrop offer a fax API for healthcare workflows?

Yes. FaxDrop offers an API-focused path for teams that need secure online fax capabilities inside a larger workflow. You still need to design the rest of the stack carefully.
