HIPAA and Postcards


You may have recently seen an advertisement about HIPAA and postcards. These postcards appear to come from the Office for Civil Rights (OCR) and ask the recipient to complete a mandatory risk assessment. That is not the case. The postcard actually directs the recipient to a website run by an organization that is not an official government agency. That site could be a fake, or worse, it could be serving malware.

Even though HIPAA doesn't specifically prohibit using postcards, you still have to follow the privacy rules that apply to your business. The law requires you to post a privacy notice describing how you plan to use the information you collect from patients. This notice should cover only what is needed for its intended purpose and should accommodate any patient requests for confidential communications. This may sound like an oxymoron, but it's actually not that difficult to follow. However, you should always take the time to get your patients' consent before using postcards or any other means to collect PHI.

Using postcards to collect PHI is an especially big red flag. HIPAA permits incidental disclosures of PHI only when they are kept to the bare minimum. A sign-in sheet may contain no information about the patient's medical condition, but a postcard containing appointment information is exempt from this rule. You must also ensure that any business associate you use adheres to the HIPAA regulations and respects the patient's privacy.
