Is Postmark HIPAA Compliant?
Postmark is not HIPAA compliant and cannot be used by HIPAA covered organizations to send emails containing Protected Health Information (PHI) unless the subject of the PHI has provided an authorization allowing the disclosure of their PHI. While this scenario is unlikely for bulk mail, there are occasions when a non-compliant service can be used for “consented” transactional emails.
Postmark (also known as Postmark App) is an email service provider that offers SMTP services to improve the delivery speed and delivery rates of bulk email (e.g., marketing emails, newsletters, etc.) and the accountability of transactional emails (e.g., welcome emails, password reset emails, etc.). Email service providers such as Postmark can be valuable to organizations that want to run large email promotions but need to keep their own mail servers free for operational purposes.
As to whether Postmark is HIPAA compliant, an email service only needs to be HIPAA compliant if outbound emails contain PHI. When marketing emails, newsletters, and other general healthcare bulletins (e.g., non-personal reminders to get a flu jab) do not contain PHI, it is not necessary for the email service provider to be HIPAA compliant.
The provider states on its website: “Postmark is not HIPAA compliant, so we do not recommend using our platform if you need to send HIPAA compliant emails. We also cannot sign any Business Associate Agreements around HIPAA”. Because Postmark will not sign a Business Associate Agreement, it is not possible to make Postmark HIPAA compliant by, for example, encrypting emails. However, there are circumstances in which it is permissible to send or receive PHI via the Postmark platform.
These circumstances exist when a patient initiates contact via email or requests communications by email. According to HHS’ Office for Civil Rights, in both circumstances the Privacy Rule permits healthcare providers to discuss health issues and treatments with patients by email. Note also that, whereas some email service providers prohibit creating, collecting, storing, or transmitting PHI on their platforms in their Terms of Service, Postmark’s Terms of Service contain no such prohibition.
These “consented” circumstances are rare, because healthcare providers using the Postmark platform for bulk mail should already be using a HIPAA-compliant email service for transactional emails. When they do occur, it is a best practice to advise patients of the risks of communicating via an unsecured channel and to offer a safer alternative. The warning and each patient’s response should be documented, especially if the patient wishes to continue communicating via the unsecured email channel.
Take Care when Using Postmark
There are justifiable reasons for organizations in the healthcare industry to use Postmark for certain activities, but organizations must take care to isolate any activities that involve uses and disclosures of PHI. While there are “consented” circumstances in which uses and disclosures of PHI via an unsecured email service are permitted by the Privacy Rule, these are rare, and the potential for HIPAA violations exists if a patient withdraws their consent and the withdrawal is overlooked.