Postal.io is an experience marketing platform that allows organizations to use direct mail automation to send information, news, events, and more. Many healthcare organizations use such digital platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with HIPAA compliant platforms.
In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Postal.io does not mention a BAA on its website and may not be HIPAA compliant.
Postal.io, founded in 2019 and headquartered in California, enables teams to use direct mail automation for offline engagement. It is an integrated sales and marketing platform that helps organizations create meaningful interactions outside the Internet. Postal.io generates memorable moments between organizations and customers and builds brand value to generate leads and customers.
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to these covered entities' business associates (i.e., vendors), the entities that perform certain functions or activities involving PHI on behalf of the covered entity.
A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:
The agreement is required by law for HIPAA compliance and is the primary consideration when evaluating whether Postal.io can be HIPAA compliant. Postal.io is a business associate of a healthcare organization if it accesses any PHI, such as a patient's name or mailing address.
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. As of January 2024, there is still no mention of HIPAA or a BAA on the Postal.io website.
The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” HIPAA compliance for marketing concerns the safe storage and transmission of sensitive information. Moreover, covered entities and business associates must have written consent from patients to share and disclose PHI.
Postal.io has not updated its privacy policy about what it does with user and end-user information. Within the policy, the company still states that it may use and disclose information it has access to. This includes customer information that it might send to affiliates and third-party vendors such as hosting services, cloud services, and other information technology services.
The policy further asserts that customers use the company’s services “at their own risk” and that while they have cybersecurity features implemented, it is “not responsible for circumvention of any privacy settings or security measures contained on the Service, or third party websites.”
The BAA is a necessary component of HIPAA compliance and Postal.io still does not mention a BAA on its website. Moreover, the company will not guarantee the protection of any user or customer information.
Conclusion: Postal.io may not be HIPAA compliant.
Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA: