Any organization sending healthcare-related information by mail to patients must adhere to HIPAA rules and regulations. HIPAA has specific rules about communications that include PHI (protected health information). Millions of letters or statements that fit into this category flow in the mail stream every day. But is USPS HIPAA compliant?
HIPAA Rules About Communications with PHI
The overriding guidance from HIPAA regarding PHI documents sent via mail focuses on “reasonable safeguards.” Organizations that produce them must have processes in place that protect information from breaches. Those requirements deal with the digital and physical aspects of mailings.
When healthcare organizations outsource HIPAA mailings, they must transmit the data to their partner. In these activities, the delivery of data must be in a secure environment to prevent any potential cyber breach.
On the physical side, print and mail companies should have rigid practices in place to ensure accuracy and security. Accuracy is critical in HIPAA communications because a mis-mailing could trigger a non-compliance citation.
The best way to boost accuracy is through the application of intelligent insertion. Sophisticated insert machines fold the correct number of pages into envelopes through 2D barcode scanning. Every sheet has a barcode that indicates the intended recipient.
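The check behind intelligent insertion can be illustrated in a few lines. The following is an added example, not code from the original article or from any print and mail vendor: it assumes a hypothetical barcode payload of the form `<job>|<recipient_id>|<page>|<total_pages>` (a constructed format, not an industry standard), groups a sequential scan stream into envelopes, and refuses to seal any envelope whose sheets mix recipients, mix jobs, or are missing or duplicate pages. Envelopes that fail go to an exception tray rather than the mail stream, which is the control that prevents a mis-mailing of PHI.

```python
# Added example: barcode-driven insertion check (hypothetical payload format).
# Payload format assumed here: "<job>|<recipient_id>|<page>|<total_pages>".

# Constructed sample scan stream, in the order sheets pass the reader.
SAMPLE_SCANS = [
    "J1|A|1|2", "J1|A|2|2",   # complete two-page statement for recipient A
    "J1|B|1|3", "J1|B|3|3",   # recipient B is missing page 2 of 3
    "J1|C|1|2", "J1|D|2|2",   # a sheet for recipient D landed in C's envelope
    "J1|E|1|1",               # single-page letter for recipient E
]


def parse_barcode(payload: str) -> dict:
    """Decode one scanned payload; raises ValueError if the shape is wrong."""
    job, recipient, page, total = payload.split("|")
    return {"job": job, "recipient": recipient, "page": int(page), "total": int(total)}


def split_stream(payloads: list[str]) -> list[list[dict]]:
    """Group a sequential scan stream into envelopes: a new envelope starts at page 1."""
    envelopes, current = [], []
    for payload in payloads:
        sheet = parse_barcode(payload)
        if sheet["page"] == 1 and current:
            envelopes.append(current)
            current = []
        current.append(sheet)
    if current:
        envelopes.append(current)
    return envelopes


def validate_envelope(sheets: list[dict]) -> list[str]:
    """Return a list of problems; an empty list means the envelope may be sealed."""
    problems = []
    if not sheets:
        return ["empty envelope"]
    recipients = {s["recipient"] for s in sheets}
    if len(recipients) > 1:
        problems.append(f"mixed recipients {sorted(recipients)}")
    jobs = {s["job"] for s in sheets}
    if len(jobs) > 1:
        problems.append(f"mixed jobs {sorted(jobs)}")
    totals = {s["total"] for s in sheets}
    if len(totals) > 1:
        problems.append(f"inconsistent page totals {sorted(totals)}")
        return problems  # page bookkeeping is meaningless without one total
    total = sheets[0]["total"]
    pages = [s["page"] for s in sheets]
    expected = set(range(1, total + 1))
    missing = sorted(expected - set(pages))
    duplicates = sorted({p for p in pages if pages.count(p) > 1})
    out_of_range = sorted({p for p in pages if p not in expected})
    if missing:
        problems.append(f"missing pages {missing}")
    if duplicates:
        problems.append(f"duplicate pages {duplicates}")
    if out_of_range:
        problems.append(f"pages outside 1..{total}: {out_of_range}")
    return problems


def audit_stream(payloads: list[str]) -> tuple[list[int], list[tuple[int, list[str]]]]:
    """Split the stream and sort envelopes into sealable indices and diverted (index, problems)."""
    sealable, diverted = [], []
    for idx, sheets in enumerate(split_stream(payloads)):
        problems = validate_envelope(sheets)
        if problems:
            diverted.append((idx, problems))
        else:
            sealable.append(idx)
    return sealable, diverted


if __name__ == "__main__":
    ok, bad = audit_stream(SAMPLE_SCANS)
    print("sealable envelopes:", ok)
    for idx, problems in bad:
        print(f"envelope {idx} diverted: {'; '.join(problems)}")
```

In this constructed stream envelopes 0 and 3 seal; envelope 1 is diverted for a missing page and envelope 2 for mixed recipients. A real inserter would also log each decision to the job's audit trail, which is what later answers the "is there an audit trail" question when evaluating a provider.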
The physical space must also have security provisions that limit unauthorized access. Further, any removal of documents with PHI must occur in a controlled space for shredding and final disposal.
These regulations focus on the preparation of the documents prior to injection into the mail stream. So, how does the USPS provide a compliant way to mail these communications?
USPS Is HIPAA-Compliant
HIPAA does permit patient communications via USPS. The types of documents you can send include:
- Patient statements
- EOBs (explanation of benefits)
- EOCs (explanation of coverage)
- Letters and notices
- At-home medical testing communications
In most cases, using First-Class mail is sufficient for HIPAA compliance. Other scenarios require the use of certified mail, depending on the content of the documents. Certified mail is something a transactional print and mail company can provide, which tracks the communication through delivery and requires the recipient’s signature.
HIPAA also does not require the USPS to have a BAA (business associate agreement). The rules label USPS as a conduit for transporting information. However, a BAA would be necessary if you outsource the printing and mailing to another company.
Other HIPAA-Compliant USPS Rules
There are some additional points to note about HIPAA-mailed documents. Envelope usage is often something organizations are unsure about. These communications can use a sealed or window envelope.
If there is no PHI involved, postcard mailings could be acceptable to remind patients of upcoming appointments or the need to schedule one.
How to Evaluate USPS HIPAA-Compliant Print and Mail Service Providers
Even though many patients prefer to receive HIPAA communications via email, there are still high volumes that go through the mail. It can be a cumbersome process to remain compliant, keep costs down, and track delivery.
When considering whether you should outsource this, evaluate providers against these criteria:
- Can you monitor the progress of a job from data transmission to letter delivery?
- Are they HIPAA- and HITRUST-compliant?
- What practices and technology are in place for digital and physical security?
- Is there an audit trail should this be necessary for reporting or an investigation into non-compliance?
- How do they ensure accuracy through processes and technology? What’s their accuracy rating?
- Do they have a dedicated compliance team?
- Does the provider only produce transactional mail? If not, how are the operations separate?
If you’re considering an RFP, these would all be excellent questions to ask potential vendors. You’re looking for a partner that solely focuses on transactional print, leverages the latest technology, and prioritizes accuracy.
You’ll find that PCI Group meets and exceeds all these criteria. Our HIPAA-compliant mailing services deliver millions of communications every year. Learn why so many healthcare organizations trust us by requesting a consultation.