Why Your Fax Provider's “Certified” Confirmation Won't Hold Up in an Audit

Your fax provider calls it “certified delivery.” Your auditor will call it a vendor's word against the world. Those are not the same thing.

When a healthcare organization, law firm, or government agency sends a critical fax, they receive a delivery confirmation — a PDF, a portal status, or an audit log entry. It looks official. It feels like proof.

It isn't.

When an OCR investigation, legal dispute, or regulatory audit demands evidence, the question is not “does this PDF say it was delivered?” The question is: can you prove it, independently of the vendor who sent it?

No major fax provider can answer yes to that question. Until now.

What “Certified Fax” Actually Means

Let's be precise about what you receive from a traditional fax provider after a “confirmed” delivery:

• A carrier callback — logged in the vendor's database, accessible only through the vendor's portal
• A PDF receipt — generated by the same vendor who sent the fax, with no independent timestamp
• An audit log — held on the vendor's servers, visible only while you're a paying subscriber

Every single piece of that proof requires you to trust the vendor. If they go down, get acquired, or have any incentive to alter a record, there is no independent check. The “certification” is the vendor certifying their own work.

Why This Matters for Healthcare

HIPAA's minimum necessary and accounting-of-disclosures requirements create a specific audit scenario: prove that this specific document was faxed to this specific recipient at this specific time.

OCR doesn't take vendor confirmation at face value during breach investigations. Courts have challenged receipts generated by the same system under investigation. The honor system the fax industry has relied on for thirty years is not built for this environment.

What the Software Security World Already Solved

The software supply-chain security community faced the same problem a decade ago. Their solution: cryptographic transparency logs — append-only public ledgers where entries cannot be altered or deleted by anyone after submission.

In 2013, Google introduced Certificate Transparency for TLS certificates. In 2021, the Linux Foundation launched Sigstore Rekor for software signatures. Today, Google, Red Hat, and the broader open-source community use these logs to prove authenticity without trusting any single vendor.

FaxSeal is the first company to apply this model to fax delivery.

How FaxSeal Fax Attestation Works

FaxSeal creates a two-event signed audit chain for every Enterprise fax:

Event 1 — At carrier handoff: A payload is signed using an EC private key and submitted to Sigstore Rekor. The resulting log entry is permanent and public. FaxSeal cannot edit or delete it.

Event 2 — At confirmed delivery: A second signed event records a SHA-256 hash of the delivered document, the delivery timestamp, and the Event 1 Rekor ID. Two events, linked, independently verifiable.

The result is a downloadable bundle any auditor can verify offline:

Is Logging to a Public Transparency Log HIPAA-Safe?

Rekor is public — so what about PHI? FaxSeal hashes all identifiers before public submission. Recipient fax numbers and sender emails are SHA-256 hashed. Document content is hashed. The hashes are one-way — they prove involvement without revealing identity.

The Bottom Line

The fax industry has had one trust model for thirty years: the vendor confirms it, the vendor logs it, the vendor holds the evidence. For most businesses this is fine. For healthcare, legal, and government use cases — where disputes and audits are expected, not exceptional — it isn't.

Cryptographic transparency logs already solved this for TLS certificates and software packages. FaxSeal brings that proof model to fax delivery — the first in the industry to do so.

The verification command is one line. The result either says “Verified OK” or it doesn't. No vendor in the loop.