HIPAA vs. FedRAMP: Understanding Your Compliance Responsibilities

by Paperless Productivity

Posted on: August 24, 2025

Protected health information (PHI) safeguards are evolving as health IT gradually shifts toward cloud services. Two major frameworks—HIPAA and FedRAMP—govern PHI handling in different and often complementary ways.

HIPAA is a broad statute that applies to all parties, both public and private, that handle protected health information. FedRAMP is specific to the security assessment of cloud computing services used by US federal agencies, many of which may handle PHI.

HIPAA, or the Health Insurance Portability and Accountability Act, is the foundational law on privacy and security of PHI in the United States. It applies to all healthcare providers, payers, and their associates (collectively known as “covered entities”). These include a multitude of third-party services—such as software vendors—that process, store, or transmit PHI on behalf of a provider or payer. HIPAA covers operational safeguards, audit procedures, training and assessment standards, and incident response and mitigation requirements. The Act outlines very few technical specifications, most of which can be found in its Security Rule.

In short, HIPAA is:

  • Specific to healthcare.
  • Much broader in scope than technology alone.
  • Applicable to both the private and public sectors.
  • Applicable to all kinds of services (including cloud computing services) that process PHI.

FedRAMP, or the Federal Risk and Authorization Management Program, is the US government’s standard for assessing, authorizing, and monitoring the security of cloud computing services. Generally, all federal agencies must choose cloud services with FedRAMP authorization (although there are several exceptions, including private cloud implementations for only a single agency). FedRAMP contains security benchmarks that are more prescriptive and comprehensive than HIPAA alone, covering hundreds of controls aligned with NIST (National Institute of Standards and Technology) guidelines.

FedRAMP is:

  • Not specific to an industry/vertical.
  • Applicable only to federal agencies (but may satisfy FedRAMP-aligned standards at the state and local levels).
  • Limited in scope to cloud computing services (IaaS/PaaS/SaaS), some of which may also be covered entities under HIPAA.
  • Divided into Low, Moderate, and High impact levels based on data sensitivity and criticality.

HIPAA and FedRAMP are complementary. They outline or imply some similar safeguards, including audit logs, encryption, and role-based access control. PHI generally falls under the FedRAMP High impact level, since a loss or breach at the cloud service provider is potentially catastrophic. In general, US agencies that handle PHI need cloud vendors that are both FedRAMP-authorized and willing to sign a HIPAA BAA.

Modernizing Fax in Healthcare

Fax is a familiar, accessible workaround to lingering issues with EHR interoperability. In practice, however, it often creates as many problems as it solves. Analog transmission is inherently secure, but inputs and outputs can’t be tracked or audited. Setup is straightforward, but scaling is inefficient and expensive. Training requirements are almost non-existent, but so is access control.

Most large healthcare organizations have replaced (or started to replace) standalone fax machines with centralized fax servers that introduce auditability and governance, address key security risks, reduce labor, and nearly eliminate consumables.

OpenText Fax (formerly RightFax) is the long-time market leader in this space. It integrates with all widely used EMR and EHR applications, including Epic, Veradigm (Allscripts), Cerner, and many others. It also supports HIPAA compliance with technical and governance features that legacy solutions cannot offer:

  • Encryption at rest and in transit
  • Role-based access control via enterprise single sign-on (SSO) authentication
  • Granular audit trails
  • High availability and disaster recovery

However, the underlying telephony is an obstacle for organizations with limited IT resources or looming budget cuts. OpenText’s cloud fax telephony eliminates that overhead, making RightFax (and our fully managed Private Fax Cloud®) accessible to all medium to large healthcare entities.

The Future of Secure Healthcare Communication: OpenText’s FedRAMP Cloud Roadmap

Amid the federal government’s push for cloud adoption, OpenText is working toward FedRAMP authorization for its cloud fax solutions and the cloud telephony that enables them. Expected in 2026, this will mark a strategic opportunity for federal IT leaders balancing PHI security with renewed scrutiny over operating expenses and technology costs.

It will also add to the list of RightFax’s compliance credentials, which already includes JITC, SOC 2, and PCI DSS.

A Future-Proof Strategy for PHI

Many federal agencies handle PHI via fax. Fax server adoption supports operational and privacy needs, chief among which is HIPAA compliance. However, in government settings, fax servers and telephony are typically on-prem due to a limited selection of FedRAMP-authorized alternatives.

OpenText anticipates FedRAMP authorization for its cloud fax solutions in the first half of 2026. This will be a compelling option for agencies working at the intersection of HIPAA and federal cloud security requirements, with strained IT resources and capital budgets.

The Paperless Productivity® team has deployed dozens of large-scale RightFax solutions for public- and private-sector healthcare clients. If you’re guiding a federal agency through a transition in fax architecture, then we’re here to help you fulfill HIPAA requirements, understand RightFax’s FedRAMP roadmap, and support a broader strategy for PHI management. Reach out today to schedule a discussion with a senior solutions engineer.
