The US Postal Service is not a business associate under HIPAA because it does not access or use protected health information. Instead, it serves as a conduit for the transportation of physical mail, exempting it from the business associate designation.
Covered entities include healthcare providers, health plans, and healthcare clearinghouses. These organizations are directly responsible for the proper handling, use, and protection of PHI. On the other hand, business associates are entities or individuals who perform services for or on behalf of a covered entity that involve the use, disclosure, or management of PHI. Examples of business associates include cloud service providers, billing companies, legal consultants, and third-party administrators who have access to or handle PHI in the course of their work.
A business associate typically signs a business associate agreement (BAA) with the covered entity, agreeing to abide by the rules and responsibilities of HIPAA in their handling of PHI.
According to the HHS, “the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service… that act[s] merely as conduits for protected health information.” The USPS transports and delivers many types of mail, including sensitive healthcare information. However, the nature of its service does not involve accessing, using, or managing PHI in a way that would make it a business associate.
The primary reason for this is that the USPS simply delivers physical mail. Even though it may transport envelopes or packages that contain PHI, such as medical bills, lab results, or insurance forms, it does not open or review the contents of these communications. HIPAA defines a business associate as an entity that handles PHI on behalf of a covered entity. Since the USPS does not engage in any activity that involves accessing or managing PHI, it is exempt from the business associate designation.
HIPAA includes a "conduit exception," which applies to entities that merely transport or transmit PHI but do not store it beyond the transient period needed for delivery and do not access it in any meaningful way. The conduit exception is narrow: it covers organizations like the USPS and certain telecommunications providers (such as internet service providers) whose only contact with PHI is incidental to moving it from sender to recipient. An entity that retains PHI (for example, a service that stores messages or files for later retrieval) does not qualify as a conduit, even if it never looks at the content. The exception is based on the fact that a true conduit simply transfers information without accessing or storing the data itself.
While the USPS may be used for transporting sensitive information, healthcare organizations are increasingly turning to more secure and HIPAA compliant methods of PHI transmission. These include encrypted email services, secure file-sharing platforms, and other digital tools specifically designed to ensure that PHI is protected during transit and storage. Business associates providing these services, such as cloud storage companies or encrypted messaging providers, must sign BAAs and comply with HIPAA regulations.
Paubox offers a secure alternative to traditional mail services like USPS for transmitting PHI. With its HIPAA compliant email (Paubox Email Suite) and texting (Paubox Texting) solutions, Paubox ensures that sensitive health information is protected during transmission without requiring recipients to log into portals or take extra steps to access messages. By automatically encrypting all emails and text communications, Paubox simplifies the secure exchange of medical records, lab results, and other patient data, helping healthcare organizations maintain compliance with HIPAA while streamlining communication with patients and partners.
Like the USPS, delivery services such as FedEx and UPS fall under the conduit exception. They are not considered business associates because they only transport documents and do not access or manage the PHI contained within those documents.
While the USPS is not a business associate, there is still a risk of mail being lost or intercepted. To mitigate these risks, healthcare organizations should ensure that PHI is properly secured (e.g., by using sealed envelopes and avoiding unnecessary PHI exposure on labels).
Encryption protects the confidentiality of PHI during transmission by rendering the data unreadable to anyone who does not hold the decryption key, so an intercepted message cannot be read by an unauthorized party. This is a critical component of HIPAA compliance, particularly for electronic communications such as email and texting.