
Your application handles patient health information and needs to fax it - lab results, prescriptions, insurance claims, referral letters. HIPAA requires a Business Associate Agreement with any service that stores or processes PHI on your behalf, and mintfax stores fax documents during processing. This guide walks through the setup: signing a BAA, choosing a retention mode, configuring cover pages, verifying webhooks, and testing the full flow in the sandbox before going live. For the full compliance reference (encryption details, audit log schema, conduit exception, compliance boundary), see HIPAA compliance. This page is the “do this” checklist.

Prerequisites

  • A mintfax account on a paid plan. Sandbox workspaces are not covered by a BAA because they do not process real PHI.
  • A sandbox API key (fx_test_...) for testing. See the quickstart if you need one.
  • A webhook endpoint that can receive HTTPS POST requests (for Step 4).

Step 1: Sign a BAA

Sign in to the mintfax dashboard, open the workspace where you will be sending PHI, and navigate to Compliance. Click Sign BAA to start the DocuSign e-signature flow. You will receive a countersigned copy by email within minutes. Key facts about the BAA:
  • Available on every paid plan at no extra cost. No enterprise tier, no sales call.
  • The agreement is the same template at every paid tier.
  • You can sign separate BAAs for separate workspaces if you operate multiple covered entities or environments.
  • Sandbox workspaces are not eligible. The sandbox is for testing document formats, API integration, and delivery flow - never for real PHI.
Do not send faxes containing PHI until your BAA is countersigned.

Step 2: Choose a retention mode

mintfax offers two retention modes, configured per workspace. Pick the one that fits your compliance posture.

Zero-footprint mode

Fax documents and metadata are deleted after the transaction reaches a terminal state (delivered, permanently failed, or canceled). A short retrieval window - measured in minutes - lets you pull the final result via the API before cleanup runs. If your system records delivery outcomes, do so inside that window (for example from your delivery webhook handler); after cleanup the record is stripped, as described below. This is the strictest option and supports HIPAA's minimum-necessary principle. Enable zero-footprint mode:
curl -X PUT https://api.mintfax.com/v1/account/settings \
  -H "Authorization: Bearer fx_test_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{"zero_footprint": true}'
Once zero-footprint is active:
  • GET /v1/fax/{id}/image returns 410 Gone after the fax completes.
  • POST /v1/fax/{id}/resend returns 410 Gone because the original document has been deleted.
  • GET /v1/fax/{id} returns only the fax ID, status, and timestamps - no content or PII.

Standard mode with custom retention

If your workflows require retrieving fax images after delivery (for audit, reprint, or patient portal display), use standard mode with a retention window. The default is 90 days. Set a shorter window to limit exposure:
curl -X PUT https://api.mintfax.com/v1/account/settings \
  -H "Authorization: Bearer fx_test_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{"zero_footprint": false, "retention_days": 30}'
In standard mode you can also delete a specific fax immediately, without waiting for the retention window:
curl -X DELETE https://api.mintfax.com/v1/fax/9c1a2b3d-4e5f-6789-abcd-ef0123456789 \
  -H "Authorization: Bearer fx_test_abc123def456"
Changing the retention mode or retention period applies to new submissions only. Faxes already in the system follow the policy that was in effect when they were submitted.

Step 3: Use the HIPAA cover page

Faxes containing PHI should include a cover page with a confidentiality notice. The hipaa cover-page template prints the receiving number, sender company, page count, and a HIPAA confidentiality disclaimer, but omits patient-identifiable tokens such as recipient_name, subject, and message from the rendered output.
curl -X POST https://api.mintfax.com/v1/fax \
  -H "Authorization: Bearer fx_test_abc123def456" \
  -F "to=+15005550001" \
  -F "file=@lab-results.pdf" \
  -F "cover_page=hipaa" \
  -F "recipient_name=Dr. Patel" \
  -F "subject=Lab results"
The recipient_name and subject values are stored on the fax record for your own tracking, but they do not appear on the printed cover page. This keeps patient-identifiable information off the physical document that sits in a receiving fax tray. Because these values are still stored as metadata on the fax record, the retention mode you chose in Step 2 governs how long they persist. To make the HIPAA cover page the default for every fax in this workspace:
curl -X PUT https://api.mintfax.com/v1/account/fax-settings \
  -H "Authorization: Bearer fx_test_abc123def456" \
  -H "Content-Type: application/json" \
  -d '{"cover_page": "hipaa"}'
See the cover pages guide for the full list of tokens and custom HTML templates.

Step 4: Verify webhook signatures

If your application receives webhook events from mintfax (delivery confirmations, failure notifications), you need to verify that each payload actually came from mintfax and has not been tampered with. This is especially important when the payload references PHI-related fax records. Every webhook request includes two headers:
| Header | Value |
|---|---|
| X-Mintfax-Signature | Hex-encoded HMAC-SHA256 of {timestamp}.{raw_body} |
| X-Mintfax-Timestamp | Unix timestamp (seconds) when mintfax generated the payload |

Verify every incoming webhook by recomputing the HMAC over {timestamp}.{raw_body} with your signing secret and comparing it to the signature header using a constant-time comparison. Use the request body bytes exactly as received: parsing and re-serializing the JSON can change whitespace or key order and the signature will no longer match. Reject requests whose timestamp is missing, unparsable, or more than five minutes from your own clock, and treat a signature you have already accepted inside that window as a replay. The webhook signing guide has complete verification code in five languages, plus key rotation handling.
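A receiver for these two headers, as an added example rather than code from mintfax's webhook signing guide: it recomputes the HMAC over the raw body, compares in constant time, enforces the five-minute window, and rejects a replayed payload (the check Step 5 ends with). The secret, the event body and its field names are constructed for illustration, and the replay cache is an in-process dict, which assumes a single worker.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional, Tuple

# Freshness window from the page: reject anything older than five minutes.
TOLERANCE_SECONDS = 300


def sign_payload(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 over "{timestamp}.{raw_body}".

    This is the computation the page describes for X-Mintfax-Signature.
    The receiver runs the same function, and so can a test harness that
    forges events for your own endpoint.
    """
    message = f"{timestamp}.".encode("ascii") + raw_body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; web frameworks differ in how they case header names."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


class WebhookVerifier:
    """Checks X-Mintfax-Signature and X-Mintfax-Timestamp, then rejects replays.

    The replay cache only has to remember signatures for the length of the
    freshness window, because anything older fails the timestamp check anyway.
    It is an in-process dict here (assumption: a single worker); with several
    workers you would keep the same set in shared storage.
    """

    def __init__(self, secret: str, tolerance: int = TOLERANCE_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._tolerance = tolerance
        self._clock = clock              # injectable so tests can pin "now"
        self._seen: Dict[str, int] = {}  # accepted signature -> its timestamp

    def verify(self, headers: Dict[str, str], raw_body: bytes) -> Tuple[bool, str]:
        """Return (accepted, reason).

        Pass the request body bytes exactly as received. Parsing and
        re-serializing the JSON can change whitespace or key order, and the
        signature will no longer match.
        """
        signature = _header(headers, "X-Mintfax-Signature")
        timestamp = _header(headers, "X-Mintfax-Timestamp")
        if not signature or not timestamp:
            return False, "missing signature or timestamp header"
        try:
            ts = int(timestamp)
        except ValueError:
            return False, "timestamp is not an integer"

        now = int(self._clock())
        # Freshness first: cheap, and it bounds how long a captured payload stays useful.
        if abs(now - ts) > self._tolerance:
            return False, "timestamp outside tolerance window"

        expected = sign_payload(self._secret, ts, raw_body)
        presented = signature.lower()
        # Constant-time comparison on bytes, so unexpected input cannot raise.
        if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
            return False, "signature mismatch"

        # Only authenticated payloads enter the cache, so an attacker cannot
        # flood it with junk to evict real entries.
        self._forget_expired(now)
        if presented in self._seen:
            return False, "replayed payload"
        self._seen[presented] = ts
        return True, "ok"

    def _forget_expired(self, now: int) -> None:
        self._seen = {sig: ts for sig, ts in self._seen.items()
                      if now - ts <= self._tolerance}


if __name__ == "__main__":
    # Constructed sample event; the field names are illustrative, not mintfax's schema.
    secret = "whsec_constructed_example_secret"
    body = b'{"event":"fax.delivered","fax_id":"9c1a2b3d-4e5f-6789-abcd-ef0123456789"}'
    now = 1_700_000_000
    verifier = WebhookVerifier(secret, clock=lambda: now)
    sent_at = now - 10
    headers = {"X-Mintfax-Signature": sign_payload(secret, sent_at, body),
               "X-Mintfax-Timestamp": str(sent_at)}
    print(verifier.verify(headers, body))           # (True, 'ok')
    print(verifier.verify(headers, body))           # (False, 'replayed payload')
    print(verifier.verify(headers, body + b"\n"))   # (False, 'signature mismatch')
```

Feed it the raw request body and a plain dict of headers (for example `dict(request.headers)` in Flask). A provider retry that re-sends the identical payload and headers is deduplicated the same way as an attacker's replay; a retry that is re-signed with a fresh timestamp is accepted as a new delivery, so keep your downstream processing idempotent on the fax ID as well.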

Step 5: Test in the sandbox

Before sending real PHI through production, run through the full flow in the sandbox:
  1. Send a fax with the HIPAA cover page to +15005550001 (the sandbox success number). Confirm the response returns status: "queued".
curl -X POST https://api.mintfax.com/v1/fax \
  -H "Authorization: Bearer fx_test_abc123def456" \
  -F "to=+15005550001" \
  -F "file=@test-document.pdf" \
  -F "cover_page=hipaa" \
  -F "recipient_name=Test Recipient" \
  -F "subject=Integration test"
  2. Check the fax image with GET /v1/fax/{id}/image and confirm the cover page shows the confidentiality notice but not the recipient name or subject. In zero-footprint mode, fetch the image before the fax reaches a terminal state; once it completes, the image endpoint returns 410 Gone.
  3. Verify retention behavior. If you enabled zero-footprint mode, wait for the fax to reach a terminal state, then call GET /v1/fax/{id}/image again. It should return 410 Gone.
  4. Confirm audit log entries. Open the dashboard, navigate to Audit Log, and verify that submission, status change, and delivery events appear for your test fax.
  5. Test webhook verification. Send a fax and confirm your webhook endpoint receives the event, verifies the signature, and rejects a replayed copy (the same payload and headers delivered a second time).
Never send real PHI through a sandbox workspace. Sandbox workspaces are not covered by a BAA and are not subject to the same retention and encryption controls as production workspaces. Use synthetic test documents for sandbox testing.

What you handle vs. what mintfax handles

| Responsibility | Owner |
|---|---|
| Signing the BAA before sending PHI | You |
| Choosing the right retention mode | You |
| Securing your webhook endpoints (TLS, auth) | You |
| Not sending real PHI through sandbox | You |
| Your own HIPAA compliance program | You |
| Encryption at rest (AES-256 SSE-S3, DynamoDB, MySQL RDS) | mintfax |
| Encryption in transit (TLS 1.2+, TLS 1.3 on customer-facing endpoints) | mintfax |
| Webhook signing (HMAC-SHA256, per-endpoint secrets) | mintfax |
| Immutable audit logging (exportable as JSON/CSV) | mintfax |
| Document deletion per retention policy | mintfax |
| Cover-page rendering with PHI redaction | mintfax |
Outside the compliance boundary: upstream carriers, the analog PSTN leg, recipient fax machines, your webhook endpoints, and Stripe. The BAA states this boundary explicitly. See HIPAA compliance - compliance boundary for the full disclosure.

What to do next

  • HIPAA compliance - full compliance reference covering encryption, audit logging, the conduit exception, and compliance boundary.
  • Cover pages - template tokens, custom HTML, and the HIPAA variant in detail.
  • Webhook signing - verification code in five languages with replay protection and key rotation.
  • Data retention - standard vs. zero-footprint mode, what gets deleted vs. retained.