Remote Operations

HIPAA rules for mailing PHI: A guide to protecting patient privacy

May 30, 2024
Minh Mai

If you send or receive protected health information (PHI), you’re subject to certain regulations and requirements. 

Due to constant changes to the Health Insurance Portability and Accountability Act (HIPAA), the pressure to remain compliant (and avoid fines and penalties) can be intense. 

Here, we’ll look at the HIPAA rules for mailing PHI and show you how to keep sensitive data out of the wrong hands. 

4 key rules to ensure HIPAA-compliant mailing

HIPAA-compliant mail management can feel impossible to navigate, especially for newly formed healthcare startups. However, once you know the key rules, it becomes easier to make informed decisions when the scenario you’re facing doesn’t fit neatly within the lines. 

1. Know HIPAA’s definition of PHI

PHI is easy to misclassify. Even healthcare professionals may assume it stands for personal health information or refers only to patient health records or identifiers.

In actuality, it refers to any form of medical information that a provider, health plan, public health authority, insurer, or educational institution either creates or receives for an individual. Essentially, any information relating to a patient’s health, whether past, present, or future, falls under HIPAA’s definition of PHI. 

In addition to medical records, under HIPAA laws, the following information would fall under PHI:

  • Explanation of benefits and coverage
  • Billing statements
  • Letters or reminder notices
  • At-home medical testing information

2. Understand the Security Rule

The HIPAA Security Rule refers to a federal regulation for PHI that is sent or stored electronically (ePHI). According to this law, a healthcare organization needs robust administrative, technical, and physical security policies and protocols to protect patients’ health information. 

The Security Rule refers to the confidentiality, integrity, and security of all ePHI, and encompasses employee training, access controls, firewalls, and encryption. Under this rule, you might hire a 24/7 security team to guard your private servers, tighten up password protocols, or devise a site recovery plan in case of a natural or man-made disaster. 

3. Choose certified mail when sending PHI via postal mail

When sending PHI via postal mail, certified mail is always the more secure option. With tracking capabilities and signature requests, you can drastically reduce the odds of interference or misdelivery. 

Under HIPAA, you may actually be required to choose certified mail for certain types of medical records, so it’s safest to default to certified mail for all PHI correspondence. 

4. Ask partners to sign a Business Associate Agreement

A Business Associate Agreement (BAA) outlines your security protocols, specifying everything from your encryption standards to your ownership policies. BAAs are typically necessary if a business partner will work with or access your PHI at any point. 

But the rules for who needs to sign a BAA are somewhat vague and confusing, so here are a few examples to give you a better understanding. You might need a business partner to sign a BAA if:

  • You run a small clinic and must provide a patient’s medical codes to a third-party biller. 
  • You contract with a managed service provider (MSP) and authorize access to your network. 

However, covered entities are not required to enter into an official BAA. This includes the U.S. Postal Service and healthcare providers who maintain full control over their PHI. So, if you run a small practice where there is no disclosure of PHI, you wouldn’t need a BAA.  

Security considerations for sending healthcare information virtually

In 2019, only 15.4% of physicians offered telehealth services. In 2021, that number jumped to 86.5%. 

Under HIPAA regulations, virtual environments have different security requirements than physical healthcare spaces. So healthcare organizations have to be very careful with their security protocols. 

If you transmit patient information electronically, it’s essential to use service providers that have built-in HIPAA and SOC-2 compliance protocols, like Stable. 

SOC-2

Security and Organization Controls 2 (SOC-2) is an assessment tool for evaluating privacy, security, and administrative processes in regard to confidentiality, integrity, and availability. 

SOC-2 isn’t healthcare-specific, and its standards do not perfectly align with HIPAA requirements. But they’re close enough that, if you comply with HIPAA, you should pass a SOC-2 audit with flying colors. 

SOC-2 breaks down into the following categories:

  • Security: Data must be protected from physical damage, unauthorized access, and unauthorized disclosure. 
  • Availability: You must have safeguards in place to ensure business continuity and data recovery in the event of a disaster, as well as effective capacity management to avoid availability issues caused by exceeding system limits.
  • Confidentiality: Organizations must first identify all PHI before implementing tools like encryption and access controls to protect it. The HIPAA Privacy Rule also states that staff must be trained on data confidentiality, so they’re aware of how to best prevent breaches.
  • Processing integrity: Data processing must be complete, accurate, timely, and authorized under SOC-2 guidelines. 

Organizations that fall flat in any of these categories could potentially risk their HIPAA compliance. If you’re not using the right virtual tools, you can open the door to data theft or loss of data integrity. 

So if you opt for virtual mail management, make sure you choose a provider that is SOC-2 certified, like Stable.

Traditional post vs. virtual mail: Which is better for protecting patient privacy?

HIPAA laws do not specifically forbid the use of standard transmission systems. In other words, you can send information via regular mail, email communication, or fax, and still remain compliant. However, each method has its own rules and regulations under HIPAA. 

For example, if you’re sending PHI via postal mail, you can only send certain information, and you must send it as first-class mail. If you email PHI, you have to take specific security precautions, which can include access controls, encryption, and network security protocols. 

If you fax PHI, which we don’t recommend due to its unreliability, you should choose a HIPAA-compliant service to reduce the odds of a violation.

If you’re in the healthcare industry, you should know the individual security risks associated with each communication method. For instance, email addresses are easy to mistype, and some of your messages may go straight to spam. Email is also highly prone to cyber threats like phishing attempts.

Many healthcare providers avoid email whenever possible, preferring to send and receive PHI by mail. This eliminates some risks but potentially raises new ones. We’ll look at the pros and cons of standard mail and virtual mail and how they stack up in terms of compliance. 

Traditional post: pros & cons 

Sending and receiving PHI via traditional mail may be the best and, in some cases, the only option for certain people, including older patients or those without regular internet access. 

Plus, with physical mail, you’re not subject to confusing technical requirements, which can change on a dime thanks to ever-evolving cyber-crime strategies. 

However, there are also risks attached to physical mail. Not only is mail easy to lose, but it’s more likely that another person, like a roommate or family member, will open the mail either by accident or on purpose. 

In addition, we’re in the midst of a surge in mail theft, with 250,000 reported instances in 2023.

Virtual mail: pros and cons 

A virtual mailbox is a service that accepts mail on your behalf, scans the exterior of the envelope or package, and allows you to access and manage the mail digitally from wherever you are. It’s more convenient than a traditional mailbox, and providers typically have robust privacy and security measures in place to ensure data protection.

When you choose a HIPAA- and SOC-2-compliant virtual mailbox provider like Stable, you can enjoy the following benefits — without putting your organization at risk:

  • Cost and time savings: With a virtual mailbox, professionally trained on-site staff will sort your mail, scan letters, deposit checks, and shred documents upon request. This can save you and your team time while eliminating the need for traditional office space or a dedicated mail room. 
  • Improved organization: If you’re constantly wondering how to organize your sensitive mail, a mailbox service like Stable can help you tag and categorize your files, so you’re not wasting time hunting down the documents you need. 
  • Powerful integrations: When you integrate your virtual mailbox with tools like Google and Slack, you can pull in relevant data to your most widely used platforms. 
  • Convenient forwarding: Stable offers forwarding services for your letters and packages, so you can retain physical copies of your most important documents. 
  • Secure disposal: Stable will securely shred and dispose of any unwanted mail to ensure no private information falls into the wrong hands.

While a virtual mailbox service does add to your budget, the benefits are typically well worth the investment if you want to improve your HIPAA compliance.

Minimize security risks and increase efficiency with HIPAA-compliant virtual mail management

When you virtually manage your physical mail, you streamline your workflows and save yourself and your staff time and hassle. When you partner with a HIPAA- and SOC-2-compliant virtual mailbox provider like Stable, you significantly reduce your odds of a HIPAA violation. 

While you may not be able to eliminate all risks, you can take precautions that will help you avoid everything from hefty fines to reputation damage. If you can’t afford a time-consuming audit, security breach, or severe federal penalties, you need a secure, reliable, HIPAA-compliant mail solution.

Sign up for a virtual mailbox from Stable today and keep your mail management HIPAA compliant.
