If I use a virtual mailbox for my healthcare business how can I create a HIPAA-compliant account and get a BAA signed?
There are a handful of virtual mailbox services you can select from that offer HIPAA-compliant service for your business.
On request, each virtual mailbox service will sign a business associate agreement (BAA) with your organization.
Here are a few options you can reach out to:
| Provider | HIPAA/BAA Status | Security Certifications | Why they are Recommended |
|---|---|---|---|
| Stable | Yes (Custom plans) | SOC 2 Type II | Best for automation and AI. Great for high-volume practices that need to route mail automatically to different departments or Slack/Notion. |
| VirtualPostMail (VPM) | Yes (Business+ plans) | SOC 2 Type II | Best for physical security control. Unlike most competitors, VPM owns and operates its own facilities rather than using third-party mail stores. |
| PostScan Mail | Yes (Add-on fee) | Varies by location | Good for flexibility, but you must ensure you select one of their corporate-owned centers to maintain HIPAA integrity. |
Additional resources on HIPAA-compliant virtual mailboxes:
- Virtual mailbox security comparison
- The healthcare buyer's guide to choosing a HIPAA-compliant digital mailroom
The entire infrastructure is hosted on Amazon Web Services (AWS). AWS is also HIPAA compliant and will also sign a BAA with you if needed.
To ensure your account is compliant from day one, follow this workflow:
- Vetting: Confirm the provider uses AES-256 encryption for digital storage and holds a SOC 2 Type II certification. A SOC 2 Type II report shows that their physical and digital security controls have been independently audited.
- The BAA Execution: Before you redirect a single piece of mail, contact their legal or sales department to request their standard BAA. Do not move forward until it is countersigned. This document shifts the legal burden of safeguarding that data onto them.
- Restrict User Access: Within your account settings, make "Two-Factor Authentication" (2FA) mandatory. Limit access to only the staff members who need it (Principle of Least Privilege).
- Physical Destruction Policy: Ensure your BAA or service agreement includes a Certified Shredding clause. You don't want your physical PHI sitting in a trash can after it has been scanned.
All VPM web application communications are encrypted over a secure connection using 256-bit SSL encryption, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions.
In addition, all physical mail is discarded into secure, locked trash bins. We have mobile shredding companies who shred all mail on-site.
| Feature | Requirement | Why it matters |
|---|---|---|
| Data Residency | Servers must be in the U.S. | HIPAA regulations are specific to U.S. data sovereignty. |
| Audit Logs | Must track who viewed which scan. | Required for HIPAA "Access Control" standards. |
| Secure Disposal | Cross-cut shredding. | Prevents "dumpster diving" identity theft of patients. |
You can see more security measures with VPM here.
VPM virtual mailboxes at all locations are also SOC 2 Type II Certified.
It guarantees the security of your data and the privacy of your clients. SOC 2 is an auditing protocol aimed at verifying that your service providers adeptly handle your data, safeguarding both your organization’s interests and the confidentiality of your clients.
Check out the resources:
- DPA
- Subprocessors
| Checkpoint | What to Ask the Provider | Why it Matters |
|---|---|---|
| BAA Availability | "Will you sign our BAA or provide your own executed by a company officer?" | Without a signed BAA, they are not legally a Business Associate, and using them is a HIPAA violation. |
| Facility Chain of Custody | "Do you own your processing facilities, or do you use third-party partner mail centers?" | Many providers (like iPostal1) use thousands of local partners. For HIPAA, you want company-managed centers to ensure staff are vetted. |
| Data Encryption | "Is data encrypted at rest (AES-256) and in transit (TLS 1.2+)?" | This is the technical standard for keeping scanned PHI unreadable to hackers. |
| Access Controls | "Do you offer multi-factor authentication (MFA) and role-based access?" | You must be able to restrict which of your employees can see sensitive scans. |
| Certified Disposal | "What is your physical document destruction protocol?" | Paper PHI must be destroyed via cross-cut shredding or a third-party HIPAA-compliant shredding service. |