
HIPAA Rules for Sending Medical Records by Postal Mail

Published 1 February 2024, updated 29 April 2024

HIPAA and Postal Mail: What Are the Rules for Sending Medical Records?

Are you a healthcare provider looking for a reliable and safe way to send medical records to patients? If yes, we can help you find a solution and let you know the related HIPAA rules.


Sending medical records by mail seems simple until healthcare providers realize that this channel is also covered by HIPAA. There are, however, many ways to prepare mail items in a compliant manner and send them securely.

In this blog, we will talk about HIPAA and postal mail—how to send it, what are the rules, etc. We will also discuss some other ways to send medical records that you could consider.

What is HIPAA?

We hear the term “HIPAA” often, but few people know how it came about or what it contains. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with two primary objectives:

  • To let individuals keep their health insurance coverage when they change or lose jobs
  • To protect the confidentiality and privacy of patients' health information

The HIPAA Privacy Rule lays down strict regulations for healthcare providers sending medical records by mail, email, and other channels. It limits the disclosure and use of patient data and gives individuals the right to control their personal information.

This rule also states several protocols that healthcare institutions must follow while releasing patient data. Any medical provider that violates this rule is subject to heavy penalties.

Thus, before mailing a bill or test report to a patient, understand the HIPAA guidelines for medical records. Doing so keeps you legally sound and serves your patients better by protecting their privacy rights.

What Is Protected Health Information (PHI)?

To keep your institution from violating the HIPAA rules on medical records, you must know what Protected Health Information (PHI) is. PHI is individually identifiable health information: any health detail that is linked to an identifier that can reveal who the patient is, such as:

  • Patient names
  • Locations or addresses (street address, city, state, ZIP code)
  • Dates (admission, discharge, birth, death dates, etc.)
  • Fax and phone numbers
  • Email addresses
  • Health plan numbers
  • Medical record numbers
  • Social Security numbers
  • Internet Protocol (IP) addresses
  • Certificate or license numbers
  • Biometric identifiers, such as fingerprints and voiceprints
  • Full-face photographs and comparable images

Notes and records of conversations between you and your patients also count as PHI, and you are accountable for protecting them. When mailing PHI, select a HIPAA-compliant direct mail services provider like PostGrid to avoid potential issues.

Which Types of Organizations Must Follow HIPAA When Mailing?

Before getting into the details about HIPAA and postal mail, let’s see which types of organizations are liable to follow the HIPAA rules. 

  • Health plans: Company health plans, Health Maintenance Organizations (HMOs), government programs like Medicare and Medicaid, and health insurance companies fall under this category.
  • Healthcare providers: This category includes every healthcare provider that transmits health information electronically in connection with standard transactions, such as claims or eligibility checks. It consists of hospitals, clinics, nursing homes, psychologists, pharmacies, dental clinics, etc.
  • Healthcare clearinghouses: Entities that convert health information between nonstandard and standard formats on behalf of other healthcare organizations, such as billing services and repricing companies.
  • Business associates: The HIPAA guidelines for medical records also apply to the business associates of all covered entities. A business associate is any vendor that creates, receives, maintains, or transmits PHI on a covered entity's behalf. For example, a claims processing company that helps hospitals manage claims is a business associate, and so is a print-and-mail vendor that prints patient letters.

Sending Medical Records by Mail

At PostGrid, we get several questions along the lines of “Is regular mail HIPAA compliant?” For starters, all covered entities are permitted to send patient bills, records, and other medical documents by post. They can also use private carriers like DHL and FedEx, provided they follow the same safeguards described below.

However, do not send medical documents using bulk or USPS Marketing Mail (formerly Standard Mail) options. HIPAA itself does not name a mail class, but these services carry no delivery commitment and are not forwarded or returned by default, so a misdelivered letter can sit unnoticed. Opt for First-Class Mail instead.

First-Class Mail delivers within one to five business days, so there is less opportunity for documents to be misplaced or lost. You can also pair First-Class Mail with add-on services like Certified Mail or Registered Mail for tracking and a delivery record.


Things to Remember While Sending Medical Records by Post

The following pointers will help you remain HIPAA compliant while using postal mail to communicate with patients:

Ditch Postcards

Always send medical documents in sealed letter envelopes or self-mailers; a postcard exposes its entire contents to everyone who handles it, so an envelope removes that route to a data breach. Sending medical data on postcards also looks unprofessional, which is one more reason to use other direct mail formats.

Avoid Overstuffing Envelopes

While sending medical records by mail, avoid inserting too many sheets into one envelope. For example, if you need to mail a test report, a consent form, and an invoice to the same patient, you may be tempted to put them all in a single envelope to save postage. An overstuffed envelope, however, is more likely to tear or split in transit, exposing patient data to postal workers and anyone else who handles it.

Don’t Use Plastic or Windowed Envelopes

Covered entities have faced hefty penalties after PHI became visible through envelope windows. If the insert shifts, text printed below or beside the address block can show through the window and is readable by anyone who handles the piece. If you must use windowed envelopes, lay out the letter so that only the recipient's name and address can ever appear in the window, whatever position the insert settles in.

Likewise, do not use plastic envelopes, which are transparent or translucent. Use thick, opaque, sturdy envelopes to send medical records and preserve patient confidentiality.

Don’t Print Patient Data On Outer Covers

To stay compliant, print only the patient's full name and delivery address (plus your return address) on the outside of each mailpiece. Never print other details, such as a Social Security number, health plan number, medical record number, date of birth, or anything that hints at a diagnosis or treatment, on the outer cover.
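One practical way to enforce the two preceding rules before a print job is released is a pre-flight check that scans the envelope's print fields, and the lines of the letter that could show through a window, for identifiers that must not be visible. The example below is added here for illustration and is not PostGrid's code or API; the field names, the window size, and the sample envelope and letter data are all constructed assumptions. The identifier patterns cover the items the page lists (SSN, health plan and medical record numbers, date of birth) and can be extended.

```python
import re

# Fields that may be printed on the outside of an envelope: recipient name,
# delivery address, and the sender's return address. The field names are an
# assumption for this example, not any vendor's API.
ALLOWED_OUTER_FIELDS = {
    "recipient_name", "address_line1", "address_line2",
    "city", "state", "zip", "return_address",
}

# Identifiers that must never appear on an outer cover or through a window.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Matches "MRN 00123456", "Member ID: HP-88213", "Policy No. 4471-A".
# The lookahead requires a digit in the token, so a street called
# "Policy Road" is not flagged.
IDENTIFIER_RE = re.compile(
    r"\b(?:MRN|Member\s*ID|Policy\s*(?:No\.?|Number)?"
    r"|Health\s*Plan(?:\s*(?:No\.?|Number|ID))?)"
    r"\s*[:#]?\s*(?=[A-Z0-9-]*\d)[A-Z0-9-]{4,}",
    re.IGNORECASE,
)
DOB_RE = re.compile(r"\b(?:DOB|Date\s+of\s+Birth)\b", re.IGNORECASE)


def find_phi(text: str) -> list[str]:
    """Return labels for each class of identifier found in the text."""
    findings = []
    if SSN_RE.search(text):
        findings.append("SSN")
    if IDENTIFIER_RE.search(text):
        findings.append("health plan / medical record number")
    if DOB_RE.search(text):
        findings.append("date of birth")
    return findings


def check_outer_cover(fields: dict[str, str]) -> list[str]:
    """Flag fields that do not belong on an envelope and any PHI in the values."""
    problems = []
    for name, value in fields.items():
        if name not in ALLOWED_OUTER_FIELDS:
            problems.append(f"field '{name}' must not be printed on the envelope")
        for label in find_phi(value):
            problems.append(f"field '{name}' contains {label}: {value!r}")
    return problems


def check_window_area(letter_text: str, visible_lines: int) -> list[str]:
    """Scan the top lines of a letter, which a window envelope can expose.

    visible_lines is template-specific: measure how many lines of the
    insert can show through the window when it shifts inside the envelope.
    """
    problems = []
    for idx, line in enumerate(letter_text.splitlines()[:visible_lines]):
        for label in find_phi(line):
            problems.append(
                f"line {idx + 1} can show through the window and contains {label}: {line!r}"
            )
    return problems


# Constructed sample data for the example (fictitious patient and numbers).
GOOD_COVER = {
    "recipient_name": "Jane Q. Public", "address_line1": "123 Main St",
    "address_line2": "Apt 4B", "city": "Springfield", "state": "IL", "zip": "62704",
}
BAD_COVER = dict(GOOD_COVER, member_id="Member ID: HP-88213", memo="RE: SSN 123-45-6789")

LETTER_OK = "\n".join([
    "Jane Q. Public", "123 Main St", "Apt 4B", "Springfield, IL 62704", "",
    "Dear Jane,", "Your test results (MRN 00123456) are enclosed.",
])
LETTER_BAD = "\n".join([
    "Jane Q. Public", "123 Main St", "Springfield, IL 62704",
    "MRN 00123456", "DOB 01/02/1980", "", "Dear Jane,",
])

if __name__ == "__main__":
    for label, result in [
        ("good cover", check_outer_cover(GOOD_COVER)),
        ("bad cover", check_outer_cover(BAD_COVER)),
        ("letter ok", check_window_area(LETTER_OK, visible_lines=5)),
        ("letter bad", check_window_area(LETTER_BAD, visible_lines=5)),
    ]:
        print(label, "->", result or "OK")
```

Run the check against every mailpiece in a job and hold the job if any problem is returned; a blocked print run is far cheaper than a breach notification. Because PHI is confined to the inside of the envelope, this check does not remove the need for opaque envelopes, since a torn or translucent envelope still exposes the letter body.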

Employ a HIPAA-Compliant Direct Mail Company

Covered entities should select a HIPAA-compliant print-and-mail partner like PostGrid to help them keep up with the law and mail patients safely. PostGrid's direct mail API applies current HIPAA safeguards when handling sensitive data.

PostGrid also helps healthcare providers mail the document types discussed above, such as bills, test reports, and consent forms.

Send Medical Data Via Certified Mail

Certified Mail offers several advantages, like tracking, a signature on delivery, and a mailing receipt. You can add it to First-Class Mail. Note that plain Certified Mail accepts a signature from anyone at the address; add Restricted Delivery if the item must be handed only to the named recipient.

Certified Mail is a strong way to follow the HIPAA guidelines for medical records because it gives you proof of mailing and a delivery record, although it does not guarantee delivery itself. In a dispute, you can present the receipt and signature record as evidence that you took reasonable steps to deliver the records securely.

Other Ways to Send Medical Documents to Patients

Below are some more methods that you can look into for transmitting patient data under the HIPAA laws:

Email

You may think that email is a convenient way to send PHI, since there is no need to print or mail anything physically. However, it is not so simple. Covered entities must encrypt all medical data they send by email so that only the intended patient can decrypt it.

Remember that you also need to verify patients' identities before they can decrypt your emails. Thus, many healthcare providers opt to send medical records by mail to avoid this legwork.

Fax

Faxing PHI is another convenient and quick method, but it can also lead to problems. Many clinics and hospitals have their fax machines installed in shared or public spaces, making it hard to keep incoming PHI private.

Thus, you can fax PHI only if:

  • Your fax machine is kept in a locked room
  • Your faxes are not printed automatically. A common safeguard is to hold incoming PHI faxes in the machine's memory until an authorized person releases them for printing

HIPAA and Postal Mail Business Associate Agreement

Before sending medical records by email or any other channel, you should also know about Business Associate Agreements (BAAs). If you send PHI through an email or fax service, the provider must sign a BAA with you. This makes them contractually responsible for safeguarding your data and liable for breaches on their side.

You do not need a BAA with the postal carrier itself: USPS and couriers are treated as mere conduits, since they only transport sealed envelopes and have no means to read or store their contents. A print-and-mail vendor is different. It receives your documents, prints them, and inserts them into envelopes, so it handles PHI and must sign a BAA.

How Can PostGrid Help You Send HIPAA-Compliant Mail?

As said earlier, PostGrid complies with several data security laws and standards, like HIPAA, PIPEDA, and SOC 2. Our direct mail API and software are both built to keep your data confidential and secure. You can also configure user permissions so that only authorized users can access patient details.

PostGrid offers all-inclusive services, including design, printing, mailing, and tracking. And it prioritizes your data privacy at every stage, making PostGrid an excellent choice for all compliance teams.

To unlock more of our features and get started with our HIPAA-compliant direct mail API for sending medical records by mail, click here

Ready to Get Started?

Start transforming and automating your offline communications with PostGrid