Fax Isn't Dead: How We Solved a HIPAA Document Delivery Problem Nobody Saw Coming

In healthcare, document delivery sounds simple. Until it isn't.

We recently worked with a medical client that had a clear requirement: all outbound documents containing PII or PHI had to flow through Box. Full stop. No exceptions. Box was their system of record, their compliance boundary, and the only platform covered under their existing BAAs. That constraint was non-negotiable, and honestly, it was the right call.

The original plan was clean: HubSpot triggers a workflow, Box Doc Gen generates the document, and it gets emailed to the recipient. Simple, auditable, HIPAA-friendly.

Then reality showed up.

The Problem: Box Was Blocked

A significant portion of the medical facilities this client works with had Box blocked at the firewall. That meant the generated document, sitting safely in Box exactly where compliance required it to be, couldn't actually reach the people who needed it. Email delivery via Box links was a dead end for these recipients.

We needed a second delivery path that didn't compromise the compliance posture. The answer was fax.

Fax is still very much alive in healthcare. Many facilities that have locked down cloud storage access have no restrictions on receiving faxes, and for regulatory purposes, fax has a well-understood compliance footprint. The challenge was building a fax path that kept Box as the source of truth and maintained the same HIPAA-grade controls.

The Solution: A Branching Workflow Built Around Box

Here's how the flow works:

In HubSpot, contacts and companies can be flagged as fax-preferred. When a document needs to go out, a manual step in the HubSpot workflow checks that flag. Fax-preferred recipients get routed down the new path. Everyone else continues through the standard Box Doc Gen and email flow unchanged.

For the fax path, we leveraged Box Automate, Box's newly generally available workflow automation platform, to detect when a document has been generated and flagged for fax delivery. Box Automate is designed to dynamically route work across AI agents, humans, and processes, and connects natively with Box-native capabilities like Box Doc Gen. In this case, we used it to fire an HTTP request to RingCentral's fax API the moment the document is ready, passing along the file and recipient context directly from Box. Box Support

A lightweight AWS Lambda function handles the middle layer, managing authentication, formatting the payload, and writing the delivery status back to Box as metadata once RingCentral confirms the fax was sent. The result is a fully auditable delivery record living inside Box, right alongside the document itself.

Why This Architecture Works for Healthcare

The key insight here is that Box never stops being the system of record. The document is generated in Box, stored in Box, transmitted from Box, and the delivery confirmation lives in Box. The fax path is just a different last-mile delivery mechanism, one that works even when the recipient's firewall won't cooperate.

Box Automate's workflow engine supports conditional branching and HTTP integrations, making it well-suited for routing decisions based on business logic like delivery preference. Pairing that with RingCentral's fax API, which is itself HIPAA-capable when configured correctly, gave us a compliant path that didn't require the recipient to have any cloud access at all.

On the HubSpot side, Box Connector's existing integration meant the trigger and routing logic could live in the same workflow as everything else. No bolt-on tools, no parallel systems to maintain.

The Bigger Picture

This project is a good example of what we're seeing more broadly in regulated industries: the compliance requirements are getting tighter at the same time the technical landscape is getting more fragmented. Some recipients are in the cloud. Some are behind strict firewalls. Some still rely on fax. A single delivery mechanism isn't going to cover all of them.

Box Automate's ability to extend workflows by connecting to third-party enterprise applications via HTTP opens up patterns like this one, where Box stays as the compliance anchor while external systems handle the last mile. We expect to apply similar approaches for clients in financial services, defense, and legal, where the same tension between strict data controls and real-world delivery realities comes up constantly.

If you're working through a similar challenge, strict data residency requirements, mixed recipient environments, or HIPAA workflows that need more than one delivery path, we'd love to talk.