BAAs Aren’t Necessary for the U.S. Postal Service
BAAs (business associate agreements) are standard practice when a healthcare organization works with a vendor that handles PHI (protected health information). Your transactional print and mail provider must sign one, but the USPS does not: HIPAA treats the Postal Service as a conduit that merely transports the sealed mail and does not access its contents (the so-called conduit exception), so no BAA is required.
How to Mail
Send PHI-related documents by First-Class Mail. HIPAA itself does not name a postal class; what it requires is reasonable safeguards, and First-Class Mail is the accepted way to meet that, because it is sealed against inspection and handled as individual pieces. When you need proof that a specific person received a document, use certified mail, which requires the recipient's signature and is trackable. Never send PHI by Standard Mail (now USPS Marketing Mail): it is bulk mail, it is not sealed against inspection, and it cannot be tracked.
HIPAA Notice Revisions
Providers do not have to mail a revised Notice of Privacy Practices to patients. They post the revised notice and make it available at the next visit. Health plans are treated differently under 45 CFR 164.520: a plan must notify its members of a material revision within 60 days, which in practice usually means a mailing.
USPS HIPAA Compliant Mail Regarding Medical Conditions
Mailings from providers or insurers often contain information about a person's medical condition. When they do, the sender must apply reasonable safeguards so the condition is not revealed to anyone who handles or sees the envelope. Such mailings go in a sealed envelope, but not just any envelope.
In 2017, an insurer mailed members a notice about a change in pharmacy benefits in a window envelope. The window was large enough that text disclosing the members' condition showed through. The OCR (Office for Civil Rights), which enforces HIPAA, found that reasonable safeguards were not in place to prevent the disclosure, and the company settled the case the following year. The practical check is simple: before a job runs, confirm that nothing but the name and address can show through the window no matter how the insert shifts inside the envelope.
Appointment and Prescription Refill Reminder Mailings
Providers may mail these reminders as postcards as long as the card carries no more than the minimum necessary (name, date and time) and nothing about the diagnosis, treatment or medication. A patient has the right under HIPAA to request confidential communications; when someone makes that request, send the reminder in a closed envelope instead.
Outsourcing HIPAA Compliant Mail While Remaining Compliant
With such specific procedures required by HIPAA, many healthcare organizations struggle with both the volume and the process. Some have automation in place but still lack the checks and balances that protect them against noncompliance. Others are not aware that outsourcing patient mailings is permitted under HIPAA, provided the vendor signs a BAA and applies the required safeguards.
You can outsource every type of communication described above. When selecting a print and mail provider, though, make sure they specialize in transactional mail.
Transactional mail providers produce only individualized, data-driven documents such as statements, notices and explanations of benefits, not marketing pieces. Because every piece they print carries a specific person's data, their entire workflow is built around getting the right pages into the right envelope, and their compliance protocols tend to be the most robust and stringent.
As a HIPAA compliant mail service provider and transactional printer, our standards include:
- The ability to monitor the status of every job from the time you provide the data to the time of delivery.
- Rigid data security processes: firewalls, access limited to approved users only, intrusion prevention systems, and encryption of data in transit and at rest.
- Physical security that keeps unknown or unauthorized persons off the plant floor.
- Per-letter detail and reporting, available should an audit occur.
- Technology to ensure accuracy: a barcode is printed on every sheet and read by high-speed cameras as the sheet is inserted, so the system verifies that each sheet goes into the correct envelope and nothing from another recipient is mixed in.
- A full-time Compliance Officer who monitors all compliance-related work.
- HITRUST CSF certification, whose controls go beyond what HIPAA itself requires.
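The barcode-and-camera check above is the control that stops the classic print-and-mail breach: one patient's page ending up in another patient's envelope. The following is an added illustration of that integrity check, written for this page; it is not the provider's own software. It assumes a hypothetical barcode layout of `JOB|PIECE|seq/total` (job id, recipient piece id, sheet number, sheet count), and the camera reads are constructed sample data. Before an envelope is sealed, every sheet scanned into it must belong to the intended job and recipient, the sheet set must be complete, and no sheet may be duplicated or unreadable; anything else diverts the envelope for manual handling.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sheet:
    """One printed sheet as identified by the barcode printed on it."""
    job_id: str
    piece_id: str   # the recipient's mail piece this sheet belongs to
    seq: int        # 1-based sheet number within the piece
    total: int      # number of sheets the piece should contain


def parse_barcode(code: str) -> Sheet:
    """Decode the assumed (hypothetical) barcode layout "JOB|PIECE|seq/total"."""
    try:
        job_id, piece_id, pos = code.split("|")
        seq, total = (int(x) for x in pos.split("/"))
    except ValueError as exc:
        raise ValueError(f"unreadable barcode {code!r}") from exc
    if not 1 <= seq <= total:
        raise ValueError(f"sheet position out of range in {code!r}")
    return Sheet(job_id, piece_id, seq, total)


def check_envelope(job_id: str, piece_id: str, scanned: list[str]) -> list[str]:
    """Return sorted problem codes for one envelope; an empty list means seal it.

    piece_id is the recipient the inserter intended to fill; scanned are the
    barcodes the camera actually read on the sheets that went in.
    """
    problems: set[str] = set()
    sheets: list[Sheet] = []
    for code in scanned:
        try:
            sheets.append(parse_barcode(code))
        except ValueError:
            problems.add("bad_barcode")       # unreadable sheet: never guess, divert
    if not sheets and not problems:
        problems.add("empty_envelope")
    for s in sheets:
        if s.job_id != job_id:
            problems.add("wrong_job")         # sheet from a different print run
        elif s.piece_id != piece_id:
            problems.add("foreign_piece")     # another recipient's page mixed in
    own = [s for s in sheets if s.job_id == job_id and s.piece_id == piece_id]
    if own:
        totals = {s.total for s in own}
        if len(totals) != 1:
            problems.add("total_mismatch")    # sheets disagree on page count
        seen = [s.seq for s in own]
        if len(seen) != len(set(seen)):
            problems.add("duplicate_sheet")   # double feed
        if set(range(1, max(totals) + 1)) - set(seen):
            problems.add("missing_sheet")     # the missing page is in someone else's envelope
    return sorted(problems)


def run_job(job_id: str, envelopes: dict[str, list[str]]) -> dict[str, list[str]]:
    """Check every envelope of a job; return only those that must be diverted."""
    diverted = {}
    for piece_id, codes in envelopes.items():
        problems = check_envelope(job_id, piece_id, codes)
        if problems:
            diverted[piece_id] = problems
    return diverted


# Constructed sample of camera reads for four envelopes of one job (not real data).
SAMPLE_JOB = "J2024-0417"
SAMPLE_SCANS = {
    "P0001": ["J2024-0417|P0001|1/2", "J2024-0417|P0001|2/2"],  # correct
    "P0002": ["J2024-0417|P0002|1/1", "J2024-0417|P0003|1/2"],  # P0003's sheet misfed here
    "P0003": ["J2024-0417|P0003|2/2"],                          # and so is missing here
    "P0004": ["J2024-0417|P0004|1/2", "J2024-0417|P0004|1/2"],  # double feed
}

if __name__ == "__main__":
    for piece, probs in run_job(SAMPLE_JOB, SAMPLE_SCANS).items():
        print(f"divert {piece}: {', '.join(probs)}")
```

Note that a missing sheet and a foreign sheet always appear as a pair somewhere in the job, so a sound process diverts both envelopes rather than just the one that looks over-stuffed; an unreadable barcode is treated as a failure, not ignored, because a sheet the camera cannot identify is exactly the one that might belong to someone else.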
With all these measures in place, you can have assurance that your print and mail HIPAA communications are secure, accurate, and compliant.
Have Questions About USPS HIPAA Compliant and Patient Mailings?
We’re glad to provide answers regarding our processes, compliance certifications, and operations relating to our HIPAA compliant mail service. Our extensive experience in the healthcare industry drives our commitment to get every mailing right.
Contact us today to learn more.