Healthcare & HIPAA - FAQs
Can healthcare providers use thanks.io?
Yes. Healthcare providers may use thanks.io for general marketing and advertising campaigns that do not involve Protected Health Information (PHI).
thanks.io is not a HIPAA-compliant platform and does not execute Business Associate Agreements (BAAs). Do not upload, store, or process PHI in thanks.io.
What types of mailings are acceptable?
Healthcare providers may use thanks.io for general marketing purposes, including:
- Announcing a new practice or office location
- Introducing a new provider
- "Now accepting new patients" campaigns
- Community event invitations
- Health fairs or educational seminars
- Seasonal wellness tips sent to the general public
- Flu shot or vaccination clinic announcements distributed broadly
- Mailings to purchased marketing lists
- Every Door Direct Mail (EDDM) or geographic marketing campaigns
- General branding and awareness campaigns
These campaigns should be directed to the general public or prospect lists and should not rely on patient medical information.
What should not be sent through thanks.io?
Because thanks.io is not HIPAA compliant, healthcare providers should not use the platform to process or mail communications that involve PHI.
Examples include:
- Patient lists exported from an Electronic Medical Record (EMR) or practice management system
- Appointment reminders
- Recall or reactivation postcards generated from patient records
- Messages related to diagnoses, treatments, prescriptions, or medical conditions
- Mailings targeted to patients based on medical history or healthcare services received
- Any mailing that requires a HIPAA Business Associate Agreement (BAA)
Why are patient lists different from general marketing lists?
Patient information maintained by a healthcare provider may be considered PHI under HIPAA. Uploading that information to a third-party service that is not HIPAA compliant may create compliance issues, even if the postcard itself does not disclose medical details.
For this reason, healthcare providers should only use thanks.io for marketing campaigns that do not require the use or disclosure of PHI.
Does thanks.io sign Business Associate Agreements (BAAs)?
No. thanks.io does not execute Business Associate Agreements and should not be used to process or store PHI.
Our policy
Healthcare Providers: thanks.io is not a HIPAA-compliant service and does not execute Business Associate Agreements (BAAs). Do not upload or process PHI through the platform.
The service may be used for general marketing campaigns directed to the public or prospect lists that do not contain PHI. Mailings based on patient records, diagnoses, treatments, appointments, or other protected health information should be handled through a HIPAA-compliant provider.