HEALTHCARE COMPLIANCE
HIPAA & PostKnock
PostKnock is built so healthcare practices can run patient recall and reactivation postcards without the kind of compliance friction that derails marketing projects. This page explains how, in plain English.
This page is not legal advice. Consult your compliance officer for your specific situation.
What HIPAA covers (and what it doesn't)
The HIPAA Privacy Rule regulates how covered entities (your practice) and business associates (vendors who handle PHI on your behalf) use and disclose Protected Health Information. PHI is health information that identifies an individual, including the address tied to a patient record.
Postcard recall reminders sent by your practice to existing patients are typically permissible under HIPAA's Treatment, Payment, and Operations (TPO) provision — you do not need separate authorization to remind a patient that their annual exam is due. The Office for Civil Rights has issued guidance affirming this.
Where it gets nuanced: the address side of any postcard is regulated. Putting a recipient's name and address on the outside of a postcard, with content visible to anyone who handles the mail, means the message side cannot disclose the patient's specific condition or treatment without authorization. The address side itself, identifying that someone is a patient of your practice, is generally acceptable for TPO communications but is the maximum disclosure most practices want to make.
PostKnock's defaults are conservative on this exact point.
PostKnock's healthcare design choices
- ✓ No PHI in postcard copy by default. Default templates use generic copy: "Time for your annual visit", "Your records show you're due for a check-up". Diagnoses, treatments, and medications never appear unless you explicitly add them.
- ✓ Recipient name on address side only. The patient name appears only in the USPS-required address block. The message side never names the patient.
- ✓ Variable fields are guarded. Practices can add merge fields for first name, but the system warns when adding clinical-sounding text to the message body.
- ✓ Encrypted at rest and in transit. All patient data lives in our US-based AWS infrastructure with single-tenant isolation. Each practice sees only its own data.
- ✓ Audit logging. Every contact import, edit, deletion, and postcard send is timestamped and attributable to a specific user.
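As an added illustration (not PostKnock's own code), here is the kind of message-side check the "guarded variable fields" rule describes: it flags merge fields other than first name and warns on clinical-sounding terms. The term list and the `{{field}}` merge syntax are assumptions for this example.

```python
import re

# Assumption: only the first-name merge field is permitted on the message side,
# since the full patient name belongs in the address block alone.
ALLOWED_MESSAGE_FIELDS = {"first_name"}

# Constructed, illustrative vocabulary of clinical-sounding terms. A real
# deployment would maintain a curated list reviewed by the compliance officer.
CLINICAL_TERMS = (
    "diagnosis", "diagnosed", "treatment", "medication", "prescription",
    "colonoscopy", "mammogram", "biopsy", "chemotherapy", "diabetes", "hiv",
)

# Assumed merge-field syntax: {{ field_name }}
MERGE_FIELD = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def check_message_side(body: str) -> list[str]:
    """Return a list of warnings for a postcard message body.

    An empty list means the copy follows the PHI-free rules: no merge field
    beyond first name, and no clinical-sounding term in the visible text.
    """
    warnings = []
    for field in MERGE_FIELD.findall(body):
        if field not in ALLOWED_MESSAGE_FIELDS:
            warnings.append(f"merge field '{field}' is not allowed on the message side")
    lowered = body.lower()
    for term in CLINICAL_TERMS:
        # Word boundaries avoid false hits on substrings (e.g. "hive" for "hiv").
        if re.search(rf"\b{re.escape(term)}\b", lowered):
            warnings.append(f"clinical-sounding term '{term}' in message body")
    return warnings


if __name__ == "__main__":
    # Constructed sample copy: one compliant template, one that should be flagged.
    for sample in (
        "Time for your annual visit, {{ first_name }}!",
        "{{ last_name }}, time for your colonoscopy follow-up.",
    ):
        print(repr(sample), "->", check_message_side(sample) or "OK")
```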
Vendor responsibility split
When you send a recall postcard through PostKnock, four parties touch the data. Here's who is responsible for what:
| Party | Role | HIPAA Status |
|---|---|---|
| Your practice | Owns the patient record. Decides which patients to mail, which template, which copy. | Covered Entity |
| PostKnock | Stores contact and campaign data. Renders postcard PDFs. Triggers calls. Never the system of record. | Business Associate (BAA coming — request early access) |
| Lob | Receives the rendered PDF and address, prints, and mails via USPS. | Subprocessor (BAA with Lob) |
| USPS | Delivers the printed postcard. | Conduit (HIPAA conduit exception) |
In plain English: your practice retains ownership of patient data; PostKnock processes it for the limited purpose of mailing; Lob is our print/mail subprocessor; USPS is treated as a postal-service conduit and is exempt from BAA requirements under HIPAA.
Business Associate Agreement (BAA)
A BAA is required by HIPAA whenever a covered entity uses a business associate to handle PHI. PostKnock's standard BAA is currently in preparation — we're working with healthcare-experienced counsel and our subprocessor (Lob) to finalize terms before offering it on Pro and above.
To get on the early-access list: email compliance@postknock.com from your practice domain with a brief note about your use case. We'll notify you when the BAA is ready to sign and prioritize early-access slots by demand.
Until the BAA ships, healthcare practices should treat PostKnock as a non-PHI marketing tool: address-only patient names, no diagnoses or treatments referenced in postcard copy. The default templates already follow these rules.
Per-vertical HIPAA-aware templates
Every healthcare vertical we ship has templates that follow the design rules above — PHI-free copy, recipient name on address only, no clinical specifics in the message body. Browse the vertical pages for examples:
Disclaimer
This page describes PostKnock's product design choices and our standard contractual posture. It is not legal advice. HIPAA compliance is a shared responsibility between you (the covered entity) and PostKnock (your business associate). Consult your compliance officer or healthcare attorney before launching any patient-communication program.
FAQ
Are postcard recall reminders permissible under HIPAA?
Generally yes, under the Treatment, Payment, and Operations (TPO) provision — reminders to existing patients about their care fall within permitted disclosures. We strongly recommend reviewing the specific copy and your authorization workflow with your compliance officer. This page is not legal advice.
Will PostKnock sign a BAA?
Our standard BAA is in preparation — we're working with healthcare-experienced counsel and our subprocessor (Lob) to finalize terms. Email compliance@postknock.com to be added to the early-access list and we'll notify you when it's ready to sign.
Can I include diagnoses or treatment names on a postcard?
We strongly advise against it, and our default templates never do. The address side displays only the recipient name. The message side stays generic (“Time for your annual visit”, not “Time for your colonoscopy follow-up”). If you have a specific medical-recall use case that requires more, talk to your compliance officer first.
What about marketing communications under HIPAA?
HIPAA's marketing rules treat communications about your own products and services within an existing patient relationship as TPO. Communications encouraging use of a product or service from a third party usually require authorization. PostKnock postcards default to the former — your practice promoting your own services to your existing patients.
Is Lob HIPAA-compliant?
Lob, our print and mail subprocessor, signs BAAs with healthcare customers. PostKnock's BAA covers the data flow from PostKnock to Lob.
Where is patient data stored?
Encrypted at rest in our US-based AWS infrastructure. Encrypted in transit. Single-tenant data isolation: each practice's data is scoped by tenant ID and never co-mingled with another practice's data in queries or exports.
Can I delete patient records?
Yes. Deletion of contacts and campaigns is supported in-app. Deletion is a hard delete on records, with a 30-day retention of audit logs noting the deletion event. Complete account deletion is supported by emailing compliance@postknock.com.
Questions about compliance?
Email compliance@postknock.com with your BAA request, vendor security questionnaire, or specific compliance question. We respond within 1–2 business days.