
Tutorials
July 20, 2021

How to Send HIPAA-Compliant Direct Mail at Scale

In 2020, Premera Blue Cross got hit with a $6,850,000 settlement for exposing the protected health information (PHI) of 10,466,692 people. If you think there’s no way your company could ever make that kind of mistake, you should also know that many healthcare companies received over $100K in fines for HIPAA violations affecting only one person.

When you’re sending healthcare communications on such a massive scale, it’s all too easy for compliance issues to get overlooked. A HIPAA-certified direct mail partner that provides automation and tracking will help you stay compliant and avoid a multi-million dollar fine.

Understand HIPAA’s information and delivery restrictions

While HIPAA only has five “rules,” each of these rules is broken down into a variety of sub-rules, lists, and more. Memorizing these HIPAA laws word for word just isn’t realistic. You need a cheat sheet.

When it comes to direct mail in particular, the most important thing to remember is what you can and cannot send. Direct mail is important for patient correspondence, but you cannot include any information that could expose a person’s identity, such as:

  • Identification information like addresses, fingerprints, social security numbers, date of birth, photos, IP addresses, driver’s license numbers, etc.
  • Contact information such as addresses, phone numbers, and email addresses
  • Healthcare information including conditions, treatment plans, provider names, financial status, record numbers, etc.

What you can send:

  • Correspondence such as invoices, letters, or statements
  • Educational information about different treatment options or medical procedures
  • Explanations of benefits or coverage (EOCs and EOBs)
  • Notices on potential security breaches or general office announcements

Healthcare companies should avoid using standard mail to send any health information. Not only does it violate HIPAA, but it also poses a privacy risk if someone other than the intended recipient were to open the mail. Your options are:

  • Certified mail, which requires a signature on delivery
  • First-class mail, which is the bare minimum that meets HIPAA requirements

Using these methods will protect your patients’ privacy and protect you from unauthorized disclosure fines.

Set up triggers

Manually printing and mailing invoices, educational brochures, and EOCs isn’t scalable when you have thousands (or millions) of patients. Instead, automate it! Find a direct mail service like Lob that can integrate with your current systems to trigger statements, invoices, and more based on digital events.

No more printing, filling envelopes, and delivering letters by hand days or weeks after an appointment. You can send direct mail with automatic triggers almost immediately—at scale—and have it delivered within a few days.

This not only helps you deliver communication more quickly, but it also helps you save thousands of hours of employee time. For example, healthcare company VillageCareMax saves over 4,000 hours a year by using Lob to automate their direct mail communication with patients.

This automation also improves the patient experience and removes the friction that often results in delayed payments or miscommunication. In fact, trigger-based sends helped women’s health company Myriad improve collections by 20%.

Ensure compliance

Even if you’ve done everything you can to stay compliant, the threat of an audit can still have you and your employees constantly scrambling to check and recheck your records and mailings. Luckily, there are even more measures you can take to ensure compliance and ease the fear of audits. Companies like Lob offer HIPAA-compliant mailings and full encryption during the production process.

For example, Clover was spending a huge amount of time preparing for audits. Now they use Lob’s API to remain compliant, so their employees can focus on more high-level concerns.

Use an address verification tool

Manually typing or writing addresses—whether it’s you entering addresses into your system or your patients filling out a form—leaves too much room for error. Plus, sending medical records to the wrong address, even by accident, is a HIPAA violation.

Find a direct mail platform like Lob that offers address verification and tracking so you can make sure your direct mail gets delivered to the right person. This will help you stay compliant and reduce the likelihood someone other than your patient will open the mail.

Partner with an expert

Remaining HIPAA-compliant is necessary, but it doesn’t have to be difficult. Partnering with the right direct mail service that knows its stuff will help you rest easy knowing your mail is compliant, on time, and reaching the intended recipient. When you’re not worrying about HIPAA, you can spend more time caring for and engaging with your patients and improving your provider-patient relationship.

