HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the HIPAA industry is vast and that it is important to easily communicate while remaining HIPAA compliant.
SEE ALSO: HIPAA compliant email
This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.
Today, we will determine if Postalytics is HIPAA compliant or not.
Postalytics is a direct mail automation software company based in Massachusetts. Customers can send, mail, and track direct mail through a nationwide network of printers. The idea is to program and control mail just like email.
RELATED: Social media and email marketing for healthcare: a virtuous circle
Moreover, the software can integrate with CRMs (customer relationship management) like HubSpot, Salesforce, and more to create personalized mailings and complement email and digital marketing.
SEE ALSO: How to make Salesforce emails HIPAA compliant
A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI. In this instance, Postalytics is a business associate of a healthcare organization if it accesses any electronic PHI (ePHI), like an address.
RELATED: Is a name PHI?
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. There is no mention of a BAA on the Postalytics website. Additionally, the Service Agreement states that customers are
responsible for determining whether our Services are suitable for you to use in light of any regulations like HIPAA. . . . If your subject to regulations (like HIPAA) and you use our Service, then we won’t be liable if our Service doesn’t meet those requirements.
The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” HIPAA compliance for marketing concerns both stored and transmitted information.
RELATED: HIPAA definition of marketing explained
Within its Privacy Policy, Postalytics states that it may use and disclose the information it has access to, including customer information, contact lists, and physical addresses. This is probably why Postalytics’ Service Agreement adds that customers should not use the Service to collect, manage, or process sensitive information (e.g., PHI).
Furthermore, the agreement emphasizes that Postalytics uses third-party vendors and hosting partners and that data “may be transferred unencrypted and involve (a) transmissions over various networks; and (b) changes to conform and adapt to technical requirements of connecting networks or devices.”
The BAA is a key component of HIPAA compliance and Postalytics does not mention a BAA though it emphasizes that customers should not use its software for sensitive information, like PHI.
Conclusion Postalytics may not be HIPAA compliant.
Healthcare providers know that clear and efficient communication with patients is a key component of running their practice. Email marketing can be a compliment or replacement to direct mail marketing to promote your business.
Paubox Marketing sends healthcare marketing emails directly to your patients’ inboxes. This increases patient activation and keeps patients engaged with their healthcare treatment.
Paubox Marketing allows you to securely communicate with patients about:
SEE ALSO: Why Paubox Marketing is the best HIPAA email marketing solution available
Paubox is dedicated to providing the highest quality of security to healthcare providers. Our products are HITRUST CSF certified which means we have met key regulatory requirements and industry-defined requirements and are appropriately managing risk.