HEALTHCARE COMPLIANCE

HIPAA & PostKnock

PostKnock is a healthcare marketing tool, not a clinical system. The data customers upload for direct mail is basic contact information — name, mailing address, phone, email — not Protected Health Information. That means most healthcare-practice use of PostKnock sits comfortably inside HIPAA's marketing and treatment/healthcare-operations exceptions, and no Business Associate Agreement is required.

This page explains how the law lines up with the product, what you can and can't upload, and why we don't sign BAAs.

This page is not legal advice. Consult your compliance officer for your specific situation. The authoritative statement of our position is in the Terms of Service.

What HIPAA covers (and what it doesn't)

The HIPAA Privacy Rule regulates how covered entities (your practice) and business associates (vendors who handle PHI on your behalf) use and disclose Protected Health Information. PHI is health information that identifies an individual — diagnoses, treatments, conditions, medications, procedures, lab results, appointment reasons, or other health-related descriptors combined with someone's identity.

A name and address by themselves are not PHI. They become PHI only when combined with health information. PostKnock is designed so that the data you upload stays on the contact-data side of that line.

Postcard recall reminders sent by your practice to its existing patients are also typically permissible under HIPAA's Treatment, Payment, and Operations (TPO) provision — you do not need separate authorization to remind a patient their annual exam is due, and you do not need a BAA with the company that helps you send the postcard, so long as that company isn't handling PHI in the process.

PostKnock's design is conservative on exactly that point: the data you upload is contact data, the postcard copy doesn't reference clinical specifics, and the address side discloses only what's required to mail the card.

Why PostKnock does not sign BAAs

A Business Associate Agreement is a contract between a covered entity and a vendor that handles PHI on its behalf. Because PostKnock is not designed to receive or store PHI — only basic contact data plus the postcard copy and call scripts you author — the vendor-handles-PHI premise of a BAA doesn't apply.

So we don't sign BAAs. That's not us avoiding compliance work; it's us being honest about what the product is. Signing a BAA we don't need would create false expectations on both sides: that PostKnock reviews uploads for PHI, or that it is the right tool for use cases that genuinely require BAA coverage. It does neither.

This approach is contemplated by HIPAA's marketing and treatment/healthcare-operations exceptions (45 CFR 164.501 / 164.508). Practices that limit uploaded data to permitted contact information can use PostKnock without a BAA. Practices whose intended use truly requires a Business Associate — for example, communications that include treatment details for a specific patient — should use a HIPAA-covered vendor for that use case. PostKnock isn't the right tool for that.

If you have a compliance officer asking whether they need a BAA from PostKnock before you can use the product, this page and the Terms of Service are the answer: no, because the data flow doesn't include PHI.

What you can and can't upload

To keep your use of PostKnock clean and BAA-free, the rule is simple: upload contact data, not health data. The Terms of Service have the complete list; here it is in plain English:

OK to upload

  • Name (first, last)
  • Mailing address
  • Phone number
  • Email address
  • Your own non-sensitive identifiers (internal patient ID, list tag)
  • Last-visit date or basic recall timing tag, with no clinical specifics attached

Do NOT upload

  • Diagnoses or conditions
  • Treatments, procedures, or medications
  • Lab results or test outcomes
  • Appointment reasons that describe care
  • Any health-related descriptor combined with the contact's identity
  • Free-form notes containing clinical content

PostKnock does not scan, scrub, or monitor uploads for prohibited content — you are responsible for what you upload. If prohibited data is discovered on an account, we may remove it and, in serious or repeated cases, suspend or terminate the account. See the Terms for the full statement and indemnification.
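Because PostKnock does not inspect uploads, the practical control sits on the practice's side, before the export leaves the PMS/EHR. The following is an added example of such a pre-upload check; it is not PostKnock code and describes no PostKnock feature. The CSV column names, the clinical keyword list and the sample rows are constructed assumptions. It enforces the column allowlist above and, as a second net, flags clinical vocabulary that has leaked into a permitted column such as a list tag or recall tag.

```python
"""Pre-upload check for a contact export: enforce "contact data, not health data"
before anything is sent to a marketing tool.

Added example, not PostKnock code. Assumes the export is a CSV with a header row;
the column names, keyword list and sample rows below are illustrative assumptions.
"""
import csv
import io
import re

# Columns that correspond to the page's "OK to upload" list. Header names are an
# assumption; map your PMS/EHR export to these before running the check.
ALLOWED_COLUMNS = {
    "first_name", "last_name", "address1", "address2", "city", "state", "zip",
    "phone", "email", "patient_id", "list_tag", "last_visit", "recall_tag",
}

# Header fragments that indicate a column carries clinical content.
PROHIBITED_HEADER_TERMS = ("diagnos", "condition", "treatment", "procedure",
                           "medication", "rx", "lab", "result", "reason", "note")

# Illustrative clinical vocabulary (assumption); extend it with your specialty's terms.
CLINICAL_TERMS = re.compile(
    r"\b(diabet\w*|hypertens\w*|colonoscopy|biopsy|chemo\w*|insulin|"
    r"metformin|a1c|mammogram|depression|hiv|pregnan\w*|cancer)\b",
    re.IGNORECASE,
)

# Constructed sample export: one clean row, one row that leaks clinical content
# both through a prohibited column and through an otherwise permitted list tag.
SAMPLE_EXPORT = """\
first_name,last_name,address1,city,state,zip,phone,email,patient_id,list_tag,diagnosis
Ana,Reyes,12 Oak St,Springfield,IL,62701,555-0100,ana@example.com,1001,annual-recall,
Ben,Okafor,9 Elm Ave,Springfield,IL,62702,555-0101,ben@example.com,1002,diabetic recall,Type 2 diabetes
"""


def check_export(csv_text):
    """Report columns outside the allowlist and cells containing clinical terms.

    Returns {"rejected_columns": [...], "flagged_cells": [(row, column, value)], "ok": bool}.
    Row numbers are 1-based file lines, so the first data row is row 2.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = [h.strip() for h in (reader.fieldnames or [])]
    rejected = [
        h for h in headers
        if h not in ALLOWED_COLUMNS or any(t in h.lower() for t in PROHIBITED_HEADER_TERMS)
    ]
    flagged = []
    for row_no, row in enumerate(reader, start=2):
        for column, value in row.items():
            if value and CLINICAL_TERMS.search(value):
                flagged.append((row_no, column, value))
    return {"rejected_columns": rejected, "flagged_cells": flagged,
            "ok": not rejected and not flagged}


def scrub_export(csv_text):
    """Emit a copy with only allowlisted columns, dropping rows whose kept cells
    still contain clinical terms. Rows are dropped rather than edited so a human
    reviews them before anything is uploaded. Returns (clean_csv, rows_dropped)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [h for h in (reader.fieldnames or []) if h in ALLOWED_COLUMNS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore")
    writer.writeheader()
    dropped = 0
    for row in reader:
        if any(row.get(h) and CLINICAL_TERMS.search(row[h]) for h in keep):
            dropped += 1
            continue
        writer.writerow(row)
    return out.getvalue(), dropped


if __name__ == "__main__":
    report = check_export(SAMPLE_EXPORT)
    print("rejected columns:", report["rejected_columns"])
    for row_no, column, value in report["flagged_cells"]:
        print(f"row {row_no}, column {column!r}: {value!r}")
    clean, dropped = scrub_export(SAMPLE_EXPORT)
    print(f"dropped {dropped} row(s); scrubbed export passes:", check_export(clean)["ok"])
```

The column allowlist is the real control; the keyword scan is a coarse safety net for free text and tags, not evidence that an export is PHI-free. Run the check on every export, route flagged rows back to whoever built the list, and only upload the scrubbed file.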

How the product is designed to stay on the right side of the line

Data flow at a glance

When you send a postcard through PostKnock, four parties touch the data, and by design none of that data is PHI:

Party: Your practice
  Role: Owns the patient record. Decides which patients to mail, which template, which copy. You hold the only PHI.
  Data they touch: PHI lives in your PMS / EHR and is not exported to PostKnock.

Party: PostKnock
  Role: Stores marketing contact data and campaign metadata. Renders postcards. Triggers calls. Never the system of record.
  Data they touch: Name, address, phone, email, your campaign copy. Not PHI.

Party: Print/mail vendor
  Role: Receives the rendered PDF and address, prints, and submits to USPS.
  Data they touch: Name and mailing address only. Not PHI.

Party: USPS
  Role: Delivers the printed postcard.
  Data they touch: Mail piece in transit. HIPAA conduit exception applies.

In plain English: your practice retains ownership of all patient records; PostKnock processes only contact data for the limited purpose of mailing; the print/mail subprocessor handles printing and USPS submission with the minimum data required; USPS is a postal-service conduit. No party in this chain is handling PHI, and that's intentional.

Per-vertical HIPAA-aware templates

Every healthcare vertical we ship has templates that follow the design rules above: PHI-free copy, recipient name on the address side only, no clinical specifics in the message body. Browse the vertical pages for examples.

Disclaimer

This page describes PostKnock's product design choices and our standard contractual posture. It is not legal advice. HIPAA compliance for your practice ultimately rests with you (the covered entity). PostKnock's role is to provide a marketing tool that doesn't require BAA coverage, provided you follow the upload rules described above. Consult your compliance officer or healthcare attorney before launching any patient-communication program. The authoritative statement of PostKnock's contractual position is in the Terms of Service.

FAQ

Are postcard recall reminders permissible under HIPAA?

Generally yes, under the Treatment, Payment, and Operations (TPO) provision — reminders to existing patients about their care fall within permitted disclosures. We strongly recommend reviewing the specific copy and your authorization workflow with your compliance officer. This page is not legal advice.

Does PostKnock sign a BAA?

No. PostKnock is built so the data customers upload is basic marketing contact data — not PHI — which falls within HIPAA's marketing and treatment/healthcare-operations exceptions and doesn't require a Business Associate Agreement. Keep uploaded data limited to permitted contact information (no diagnoses, treatments, or health descriptors) and you can use PostKnock without a BAA. If your intended use requires a Business Associate, PostKnock isn't the right tool for that use case — use a HIPAA-covered vendor instead. The authoritative statement is in our Terms of Service.

Can I include diagnoses or treatment names on a postcard?

We strongly advise against it, and our default templates never do. The address side displays only the recipient name. The message side stays generic (“Time for your annual visit”, not “Time for your colonoscopy follow-up”). If you have a specific medical-recall use case that requires more, talk to your compliance officer first.

What about marketing communications under HIPAA?

HIPAA's marketing rules treat communications about your own products and services within an existing patient relationship as TPO. Communications encouraging use of a product or service from a third party usually require authorization. PostKnock postcards default to the former — your practice promoting your own services to your existing patients.

What about your print/mail subprocessor?

Because the data PostKnock handles is basic contact information (name, address, phone, email) — not PHI — the data we pass to our print/mail subprocessor is also not PHI. The subprocessor only ever receives what it needs to print and mail the postcard: recipient name and mailing address.

Where is patient data stored?

Encrypted at rest in our US-based AWS infrastructure. Encrypted in transit. Tenant-scoped data isolation: each practice's data is keyed by its tenant ID, and every query and export is scoped to that tenant, so one practice's data is never co-mingled with another's.

Can I delete patient records?

Yes. Deletion of contacts and campaigns is supported in-app. Deletion is a hard delete on records, with a 30-day retention of audit logs noting the deletion event. Complete account deletion is supported by emailing legal@postknock.com.

Questions about compliance?

Email legal@postknock.com with vendor security questionnaires, data-processing questions, or anything specific to your compliance program. (We don't sign BAAs — see above for why — but other compliance questions are welcome.) We respond within 1–2 business days.
