Mailing important patient data can be daunting, but in the world of healthcare, it’s a necessity. Whether you have a patient asking for hard copies of their medical history or come across something that legally needs physical documentation, mailing medical records isn’t going away anytime soon.
As a healthcare provider or someone who handles Protected Health Information (PHI) regularly, you probably know the word HIPAA well. In this article, we’re breaking down what HIPAA actually says about mailing medical records, the do’s and don’ts, and how you can stay compliant (and avoid headaches while you’re at it).
Can you legally send medical records? HIPAA rules explained
As a quick refresher, HIPAA, short for the Health Insurance Portability and Accountability Act, was created to protect the privacy and security of sensitive patient information. If you're a healthcare provider, billing service, or any other covered entity, you have a professional duty to ensure patient data remains confidential, whether it's communicated electronically, spoken, or sent via physical mail.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule, established in 2000, sets the national standards for protecting individuals’ medical records and other PHI. It ensures that patients’ health data is handled with care, confidentiality, and respect, whether that information is shared verbally, electronically, or in paper form.
This rule applies to:
- Healthcare providers (e.g., doctors, clinics, dentists, psychologists)
- Health plans (e.g., insurance companies, HMOs, Medicare, Medicaid)
- Healthcare clearinghouses (entities that process nonstandard health information)
- Business associates (third parties who perform services involving PHI on behalf of covered entities, including virtual mailbox providers)
Together, these are known as “covered entities”, and they must follow strict guidelines on when and how PHI can be used or disclosed.
Failing to comply with the Privacy Rule can lead to serious consequences, including civil and criminal penalties, so it’s important that anyone handling PHI understands and adheres to its guidelines, especially when mailing physical records.
What counts as Protected Health Information (PHI)?
PHI includes any individually identifiable health information held or transmitted in any form, be it electronic, paper, or spoken. If the information can be used to identify a patient and relates to their health, it’s PHI.
Some common examples include:
- Names
- Addresses
- Birth dates
- Medical record numbers
- Diagnoses
- Treatment plans
- Insurance and billing details
Even mailing something as simple as a billing statement that includes a name and treatment code falls under HIPAA’s umbrella.
Did you know? A recent survey by The HIPAA Journal found that more than 90% of organizations now provide annual HIPAA refresher training to staff who handle PHI.
What is the Patient Right to Access Rule?
Under HIPAA’s Right of Access Rule, patients have the legal right to view and obtain copies of their health records within 30 days of the request. This includes paper copies mailed directly to them or to a third party they designate.
In the event that a patient requests a copy of their medical records, you must:
- Provide access in the format requested (including mail, if specified)
- Respond in a timely manner (usually within 30 calendar days)
- Charge only a reasonable, cost-based fee for labor, supplies, and postage
Failing to meet these requirements can lead to HIPAA enforcement actions and fines, so timely, accurate mailing is vital.
Did you know? VPM offers a HIPAA-compliant mail handling solution that ensures sensitive patient information is processed securely and delivered promptly. Whether you're sending out records on behalf of your practice or receiving patient correspondence, VPM provides a trusted system for managing incoming and outgoing physical mail. This helps you meet Right of Access deadlines without compromising security or efficiency.
What is the HIPAA Security Rule?
While the Privacy Rule focuses on when and how PHI can be shared, the HIPAA Security Rule homes in on how electronic PHI (ePHI) must be protected.
It outlines three main safeguards:
- Administrative – Policies and procedures to manage the selection, development, and maintenance of security measures (e.g., employee training, risk assessments).
- Physical – Controls to protect physical access to systems and facilities (e.g., locked file rooms, secure mail handling).
- Technical – Technology solutions to protect and control access to ePHI (e.g., encryption, secure email platforms).
Even when you're mailing paper records, the Security Rule still applies to any electronic system the records are stored in or the request was processed through. That means ensuring those systems and processes are secure from start to finish.
HIPAA requirements for mailing medical records
When it comes to mailing medical records, HIPAA compliance is essential. Here’s a step-by-step guide to ensure you’re handling PHI the right way.
1. Get proper authorization first
Before sending out any medical records, confirm you have valid, written patient authorization. HIPAA requires this for most disclosures, especially when sending records directly to a patient or a third party at their request.
A valid authorization should include:
- A specific description of the information being disclosed
- The name of the recipient
- An expiration date or event
- The patient’s signature and date
- A statement of the patient’s right to revoke authorization at any time
2. Verify the recipient’s identity and address
Accuracy matters. A misaddressed envelope could result in a serious HIPAA violation, like the time a New Jersey printing company inadvertently sent a patient statement to the wrong person, resulting in a $130,000 settlement. Yikes!
Before mailing out any sensitive patient data, be sure to:
- Double-check the recipient’s full name and mailing address
- Verify their identity using a government-issued ID or another secure method
- Confirm that any third-party recipient is authorized to receive the information
For outgoing mail, VPM helps automate address verification, reducing the risk of PHI going to the wrong person and minimizing compliance errors.
3. Secure handling of PHI
When dealing with PHI, you should always take extra care. Here’s how to handle the physical mailing process securely:
- Use sealed, opaque envelopes – Avoid windowed or see-through envelopes
- Leave PHI off the exterior – Only include the recipient’s name and address
- Include a return address from your organization
- Use First-Class Mail or higher for faster delivery and tracking
- Consider tamper-evident envelopes or signature confirmation for added protection
- Restrict access – Only authorized staff should prepare and send PHI mail
- Consider a digital mailroom – VPM offers HIPAA-compliant virtual mailbox services that allow you to send and receive PHI stress-free
Also, it’s a good idea to keep a mailing log that includes:
- The date of mailing
- Who the records were sent to
- The type of records
- The method of mailing (USPS, FedEx, etc.)
- Tracking number (if available)
You should always maintain a copy of the patient’s request and authorization on file to reference if you’re ever audited.
4. Dispose of materials properly
After records are mailed, be sure to shred or securely destroy any leftover materials that contain PHI. This includes labels, cover sheets, and copies. The last thing you want is PHI getting into the wrong hands and causing a potential breach!
What happens if there’s a mailing breach?
Even with the best precautions, mistakes sometimes happen.
If a mailing error leads to a breach of PHI, you’ll need to follow HIPAA’s Breach Notification Rule, which includes the following measures:
- Assessing the level of risk based on the sensitivity of the PHI and who received it
- Notifying affected individuals
- Reporting the breach to the Department of Health and Human Services (HHS)
- Taking internal corrective actions, like retraining staff or tightening processes
Timely action can make a huge difference in reducing potential fallout and building back trust.
According to the U.S. Department of Health and Human Services (HHS) 2023 Breach Portal, over 35% of reported healthcare data breaches involved unauthorized access/disclosure, which includes mailing errors and lost physical documents.
The best way to prevent these breaches? Opting into a digital mailroom.
How a digital mailroom can help you protect PHI and stay compliant
Managing paper mail in a busy healthcare setting is time-consuming, error-prone, and risky when it comes to handling PHI. A digital mailroom can help streamline the process, reduce human error, and strengthen your organization’s compliance.
Here’s what it can offer you and your business:
- Centralized, secure access – Digital mailrooms scan and digitize all incoming mail, ensuring PHI doesn’t sit unattended on a desk or get lost in the shuffle. Documents are stored on encrypted platforms and accessible only to authorized staff, reducing exposure and strengthening privacy protections.
- Automated audit trails and easy documentation – Every piece of mail processed is time-stamped, tracked, and logged automatically. These built-in audit trails make it easy to demonstrate compliance during inspections or audits, and give you peace of mind knowing you’re meeting HIPAA standards.
- Business Associate Agreements (BAAs) – HIPAA requires that third parties who handle PHI sign a BAA. Not all mailroom providers meet this standard, but VPM does. As a HIPAA-compliant service, VPM provides BAAs to legally commit to protecting your patients’ data so you stay compliant while outsourcing your mail.
- Less paperwork, less clutter – Digitized mail means no more overstuffed filing cabinets or misplaced documents. With a digital system, you can store, search, and share records easily while reducing the risks associated with physical copies of PHI.
- Faster response to patient requests – When patient requests come in, time is of the essence. With a digital mailroom, physical mail is automatically routed to the right person or department, reducing the need for manual sorting and scanning. That means faster turnaround times and fewer delays in delivering records.
- Reduced risk of lost or misdirected mail – Mailing errors are one of the most common causes of HIPAA breaches. A digital mailroom minimizes that risk by using automated routing and controlled digital access, helping prevent records from being lost, delayed, or sent to the wrong recipient.
By implementing a digital mailroom solution like VPM, you’re not just improving efficiency, you’re actively protecting patient privacy, supporting regulatory compliance (HIPAA, HITECH, and HITRUST), and simplifying your team’s workload. It’s a smarter, safer way to handle healthcare mail in today’s digital-centric world.
Frequently asked questions
Is mailing medical records an automatic HIPAA violation?
No. Mailing medical records is not a HIPAA violation, as long as you take the proper precautions. HIPAA doesn’t prohibit the use of traditional mail; it simply requires that appropriate safeguards are in place to protect the confidentiality of the information.
If you use a third-party mail handler, like a virtual mailbox service, that provider must also be HIPAA-compliant. That includes signing a Business Associate Agreement (BAA), which legally obligates them to safeguard PHI on your behalf.
What’s the safest way to track mailed records?
Use First-Class Mail with tracking or a courier service like FedEx or UPS. Tamper-evident envelopes and delivery confirmation are recommended for extra peace of mind.
Can you email medical records while maintaining HIPAA compliance?
You can, but it’s trickier. To email PHI, you need to use encryption and secure email platforms that meet HIPAA standards. You’ll also need patient authorization and a BAA in place with any third-party email service provider.
Does each state have its own HIPAA regulations?
Not exactly, but states can have their own health privacy laws that go beyond HIPAA.
HIPAA sets the federal baseline, but if a state law offers greater protection for patient information, that law takes precedence. For example, some states have stricter consent rules or shorter timeframes for responding to record requests.
The bottom line on mailing medical records
Mailing medical records might seem like a small task, but it comes with big responsibilities. By staying proactive, training your team, and documenting everything, you can confidently mail records containing PHI without putting your practice, or your patients, at risk.
With 79% of U.S. healthcare systems in the planning stages of a digital transformation, you don’t want to be left behind. If you’re looking for a HIPAA-compliant solution to help manage your mail more securely, VPM has you covered. VPM’s virtual mailbox service is designed with compliance in mind, offering healthcare organizations secure handling of sensitive documents and optional BAAs.