Is Postmark HIPAA Compliant?

Postmark is a transactional email service used by many companies to send activation emails, e-receipts, password reset messages, but can the service be used by healthcare organizations? Is Postmark HIPAA compliant?

When new users sign up for a service, register to receive reports, or reset the passwords on their accounts, they want to receive emails instantly. Delayed emails often result in support calls or emails that staff have to deal with, which can take them away from other important tasks. It is therefore advantageous to use a reliable, automated service to send transactional emails instantly.

Healthcare organizations can benefit from using such a service, but there are potential issues. HIPAA covered entities need to ensure that any email platform used is compliant with HIPAA Rules.

If transactional emails include any electronic protected health information (ePHI), the email service provider would be considered a business associate. Safeguards would need to be incorporated into the platform to protect any ePHI from unauthorized access to the standards stipulated in the HIPAA Security Rule.

Before the service could be used with ePHI, the email service provider would also have to enter into a business associate agreement with the covered entity and agree to comply with HIPAA Rules.

There have been several HIPAA enforcement actions against HIPAA-covered entities that have engaged with business associates without first obtaining a signed, HIPAA-compliant business associate agreement.

Is Postmark HIPAA Compliant?

Postmark has addressed the question of HIPAA compliance in the support section of its website. Postmark states that the company is not prepared to sign business associate agreements with healthcare organizations or service companies that are required to comply with HIPAA Rules and confirms that Postmark is not a HIPAA compliant email service.

Healthcare organizations should therefore seek a different email service provider if they need to send HIPAA-compliant emails.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.