This site provides independent HIPAA compliance cost estimates for informational purposes only. We are not affiliated with HHS, OCR, or any compliance vendor. This is not legal or regulatory advice. Consult a qualified HIPAA compliance professional for guidance specific to your organization.
HIPAA Compliant Fax and Patient SMS Cost in 2026
HIPAA-compliant fax remains a durable healthcare workflow despite the EHR transition because fax is still the lowest-common-denominator interoperability channel across the ambulatory ecosystem. Patient SMS is the post-portal patient-communication channel of choice and continues to grow. This page covers per-vendor pricing for fax services (Sfax, eFax Corporate, Concord, MyFax, SRFax) and for patient-engagement and SMS platforms (Klara, OhMD, Rhinogram, Spruce Health, TigerConnect for provider-to-provider).
HIPAA Fax Per Line/mo
$20 - $120
Plus per-page overage
Patient SMS Per Provider/mo
$5 - $25
Bundled message allowance
Provider Secure Messaging
$10 - $30/user/mo
TigerConnect, OnPage, Backline
HIPAA-compliant fax vendor pricing
The dominant cloud-fax vendors with HIPAA BAA and their published or quoted pricing as of 2026:
Patient SMS sits at the intersection of two regulatory regimes: HIPAA (PHI in the message body) and the Telephone Consumer Protection Act (the patient must have consented to receive the message). The HIPAA-compliant SMS platforms handle both:
HIPAA side: the platform executes a BAA, encrypts the message in transit between the platform and the carrier, encrypts at rest in the platform's archive, supports audit logging under 45 CFR 164.312(b), and supports retention under 45 CFR 164.316(b)(2)(i).
TCPA side: the platform tracks the patient's consent (when collected, by what mechanism, with what scope), supports opt-out via the standard STOP keyword, maintains an opt-out registry, and prevents sending to patients who have opted out.
Practices building their own SMS workflow on a generic SMS gateway (Twilio, Bandwidth, Vonage) need to implement both layers themselves. The do-it-yourself approach is cheaper on the per-message cost ($0.0075 to $0.04 per SMS at the carrier level) but requires substantial engineering for the consent tracking and HIPAA-compliant archive. For practices without a dedicated engineering team, the HIPAA-compliant SMS platform is the more cost-effective path despite the higher per-message implied cost.
This is an informational cost reference, not legal or compliance advice. Consult a healthcare technology attorney about TCPA + HIPAA stack design for your practice.
HIPAA fax + SMS cost FAQ
Why is fax still so prevalent in healthcare?
Healthcare relies on fax for three interoperability reasons. First, fax pre-dates the EHR transition and remains the lowest-common-denominator interoperability channel across the ambulatory ecosystem; specialty practices, referrals, imaging orders, and prior-authorization requests routinely route via fax because not all parties have FHIR-API integration. Second, the 45 CFR 164.524 right of access workflow for patient-requested records often defaults to fax for medical-records release. Third, the workflow inertia is real: front-office staff have years of practice with the fax-first workflow, and migration to portal-first or API-first requires investment in process change. The result is that even modern healthcare practices in 2026 maintain meaningful fax volume, and HIPAA-compliant fax is therefore a durable budget line.
How much does HIPAA-compliant fax cost?
HIPAA-compliant fax service is priced per fax line and per page. Entry-level services like eFax Corporate, MyFax, and SRFax run $15 to $40 per line per month with included page allowance plus per-page overage. Mid-market services like Sfax and Concord run $40 to $120 per line per month with higher page allowances and additional features (faxing from EHR, structured-document parsing, audit logging). Enterprise services like Concord Now or Sfax Enterprise are quote-driven typically in the $200 to $1,500 per month range for multi-line deployments at hospital or large-practice scale. All HIPAA-compliant fax services include a BAA.
Does sending a fax over a regular phone line count as HIPAA-compliant?
Yes, generally. The Privacy Rule and Security Rule do not prohibit traditional analog fax transmission, and a fax sent across a phone line is not subject to the Security Rule transmission-security requirements that apply to electronic transmission, because traditional fax is not strictly ePHI in transit (the data is converted to audio tones for the transmission). However, fax misdirection (sending to the wrong number) is a recurring HIPAA incident type even on analog fax, and HHS OCR has resolved multiple cases involving misdirected fax. Most healthcare practices use IP-fax or cloud-fax services in 2026 because the workflow is better and the audit trail is stronger, both of which reduce the risk of misdirection.
How much does HIPAA-compliant patient SMS cost?
Patient SMS for healthcare splits into two pricing models. Pure-messaging vendors (TigerConnect, OhMD, Spruce Health, Klara) charge per-user per-month subscription, typically $5 to $25 per provider per month, with bundled message allowances. Per-message pricing services (often integrated with patient-engagement platforms like Solutionreach, Weave, Rhinogram) charge $0.05 to $0.20 per SMS plus a base platform fee. For a typical 25-clinician multispecialty practice with moderate patient-SMS volume (10,000 to 30,000 patient texts per month), the all-in cost runs $400 to $2,500 per month inclusive of the platform fee. All HIPAA-compliant SMS platforms include a BAA and address the TCPA opt-in requirements that apply to patient communication separately from HIPAA.
What is TCPA and how does it interact with HIPAA?
The Telephone Consumer Protection Act (TCPA) regulates the use of automated dialing and text messaging in commercial communication. Healthcare communication has certain exemptions under the TCPA for health-related messages (appointment reminders, prescription notices), but the exemption is narrow and the patient must have provided their phone number for healthcare purposes. The HIPAA-compliant SMS platforms handle the TCPA opt-in tracking and consent management as part of the platform; this is one reason the per-user pricing exceeds the cost of bare SMS gateway service (Twilio, Bandwidth) at the carrier level. Practices building their own SMS workflow on Twilio or Bandwidth must implement TCPA-compliant opt-in tracking separately, which adds workflow engineering cost.
What about HIPAA-compliant secure messaging between providers?
Provider-to-provider secure messaging (not patient-facing) is a separate category. TigerConnect, OnPage, Backline, Halo Communications, and Symphony OnCall are the dominant provider-secure-messaging platforms; typical pricing is $10 to $30 per user per month. These platforms support clinician messaging, on-call scheduling, escalation workflows, and EHR integration. The HIPAA-relevant features are message-level encryption, audit logging, message-recall capability, and automatic message expiration. A hospital or large group with 500 to 2,000 active clinician users typically spends $80,000 to $600,000 annually on the secure-messaging platform.
What were the most common fax-related HIPAA incidents?
Three recurring patterns. First, misdirected fax: a fax intended for a referring physician is sent to the wrong number, exposing PHI to an unrelated recipient. This pattern has driven multiple OCR settlements typically in the $50,000 to $300,000 range. The fix is automated confirmation of recipient before send, fax-number validation against the practice address book, and double-blind transmission for sensitive results. Second, leaving fax output unattended at the receiving end: PHI sits face-up in the receiving tray accessible to anyone walking by. The fix is receive-to-email or receive-to-portal workflow rather than physical printout. Third, cover-sheet PHI: practices print extensive cover-sheet detail (patient name, DOB, condition) that exposes PHI on the cover before the recipient even reads the body. The fix is minimum-necessary cover sheet design.