3 min read

Is Postal.io HIPAA compliant? (Update 2024)

Kapua Iao December 17, 2021

HIPAA Compliance HIPAA compliant software

Postal.io is an experience marketing platform that allows organizations to use direct mail automation to send information, news, events, and more. Many healthcare organizations use such digital platforms to connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with HIPAA compliant platforms.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Postal.io does not mention a BAA on its website and may not be HIPAA compliant.

What is Postal.io?

Postal.io, founded in 2019 and headquartered in California, enables teams to use direct mail automation for offline engagement. It is an integrated sales and marketing platform that helps organizations create meaningful interactions outside the Internet. Postal.io generates memorable moments between organizations and customers and builds brand value to generate leads and customers.

Is Postal.io considered a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to these covered entities' business associates (i.e., vendors). These entities perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

Permitted uses and disclosures of PHI
Safeguards for protecting PHI
Reporting and mitigation of security incidents
Compliance with HIPAA regulations
Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is considered the primary item to consider when it comes to Postal.io and its ability to be HIPAA compliant. Postal.io is a business associate of a healthcare organization if it accesses any PHI, like a name or mailing address.

Postal.io and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. As of January 2024, there is still no mention of HIPAA or a BAA on the Postal.io website.

Postal.io, HIPAA marketing, and data security

The HIPAA Privacy Rule defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” HIPAA compliance for marketing concerns the safe storage and transmission of sensitive information. Moreover, covered entities and business associates must have written consent from patients to share and disclose PHI.

Postal.io has not updated its privacy policy about what it does with user and end-user information. Within the policy, the company still states that it may use and disclose information it has access to. This includes customer information that it might send to affiliates and third-party vendors such as hosting services, cloud services, and other information technology services.

The policy further asserts that customers use the company’s services “at their own risk” and that while they have cybersecurity features implemented, it is “not responsible for circumvention of any privacy settings or security measures contained on the Service, or third party websites.”

LEARN MORE: HIPAA compliant email marketing: What you need to know