Q&A: HIPAA-compliant mailings

Q. I work at a marketing company, and we are trying to figure out what exactly we can put on a postcard. What is required, per HIPAA regulations, to be fully compliant if we were to do things like dental patient reminders? We would have patient information from the offices. How would we need to handle that information? What are we allowed to include in our designs?

A. First, your company would need to execute a business associate agreement (BAA) with the covered entity (CE). Healthcare providers can’t share even patient names and addresses for sending out appointment reminders unless a BAA has been executed. If the postcards include advertising or other forms of marketing as defined by HIPAA, you or the CE would need to obtain an authorization from patients before sending the postcards.

As far as the postcards go, ideally sealed envelopes should be used. If postcards are used, PHI needs to be limited to patients’ names and addresses. Postcards can’t be used if you plan on including additional PHI, such as birthdate, medical record number, and so forth.

In addition, postcards can’t be used if someone reading the postcard could easily determine what the recipient’s medical condition is. For example, sending out a postcard reminding a patient he or she needs to schedule a follow-up appointment with an oncologist is not OK. You can send out appointment reminders about an upcoming dental appointment or annual physical, but not preop appointments, appointments with specialists, and so forth.

Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Editor Nicole Votta at nvotta@hcpro.com.