Postal.io is an experience marketing platform that allows organizations to use direct mail automation to send information, news, events, and more. Many healthcare organizations use such digital platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with HIPAA compliant platforms.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Postal.io does not mention a BAA on its website and may not be HIPAA compliant.
What is Postal.io?
Postal.io, founded in 2019 and headquartered in California, enables teams to use direct mail automation for offline engagement. It is an integrated sales and marketing platform that helps organizations create meaningful interactions outside the Internet. Postal.io generates memorable moments between organizations and customers and builds brand value to generate leads and customers.
Is Postal.io considered a business associate?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to these covered entities' business associates (i.e., vendors). These entities perform certain functions or activities on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
- Permitted uses and disclosures of PHI
- Safeguards for protecting PHI
- Reporting and mitigation of security incidents
- Compliance with HIPAA regulations
- Dispute resolution and termination clauses
The agreement is required by law for HIPAA compliance and is the primary factor in assessing whether Postal.io can be HIPAA compliant. Postal.io is a business associate of a healthcare organization if it accesses any PHI, such as a patient's name or mailing address.
Postal.io and the BAA
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. As of January 2024, there is still no mention of HIPAA or a BAA on the Postal.io website.
Postal.io, HIPAA marketing, and data security
The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” HIPAA compliance for marketing concerns the safe storage and transmission of sensitive information. Moreover, covered entities and business associates must have written consent from patients to share and disclose PHI.
Postal.io has not updated its privacy policy about what it does with user and end-user information. Within the policy, the company still states that it may use and disclose information it has access to. This includes customer information that it might send to affiliates and third-party vendors such as hosting services, cloud services, and other information technology services.
The policy further asserts that customers use the company’s services “at their own risk” and that while they have cybersecurity features implemented, it is “not responsible for circumvention of any privacy settings or security measures contained on the Service, or third party websites.”
Is Postal.io HIPAA compliant?
The BAA is a necessary component of HIPAA compliance and Postal.io still does not mention a BAA on its website. Moreover, the company will not guarantee the protection of any user or customer information.
Conclusion: Postal.io may not be HIPAA compliant.
Understanding HIPAA compliance
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:
- Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital layers of protection.
- Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
- Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
- Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.