Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Probably.
# of Caveats: 0
# of Usage Notes: 6

Relevant Product Characteristics

  • This product is designed specifically with the healthcare industry in mind.

What Is This Product?

Earth Class Mail is a service that receives paper mail for its users. Upon receipt, the mail is “logged, organized, and stored securely by one of [Earth Class Mail’s] HIPAA certified technicians.”

When Earth Class Mail technicians process and organize your mail, you will receive an email prompting you to log in to your Earth Class Mail account via their web interface, where you can then read your mail as a PDF document.

Within their Earth Class Mail account, users decide what actions to take for the mail they’ve received. Users can trash and recycle junk mail, deposit checks, download documents to save, or forward them. Users can choose to store, shred, or recycle each item.

Earth Class Mail integrates with other apps such as QuickBooks Online, Xero, Bill.com, Dropbox, and Google Drive.

Caveats

Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.

None

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Users must submit a USPS 1583 Form

The U.S. Postal Service requires all Commercial Mail Receiving Agents (CMRA) to collect a notarized USPS Form 1583 from customers to ensure you are who you say you are and that your mail is only being received by you. In doing so they require 2 forms of identification with that document.

What forms of verification are acceptable for the USPS 1583 form?

  • At least one ID must have a photo of the applicant.
  • At least one ID must verify the home address.
  • IDs lacking both a photo and address are not acceptable for this requirement.

Acceptable IDs:

  • Valid driver’s license or state non-driver’s identification card
  • Armed forces, government, or recognized corporate identification card
  • Passport, alien registration card or certificate of naturalization
  • Current lease, mortgage, or Deed of Trust
  • Voter or vehicle registration card
  • A home or vehicle insurance policy

Not acceptable IDs:

  • Social security cards
  • Credit cards
  • Birth certificates

2) Users must provide their own Business Associate Agreement

Earth Class Mail will execute a customer-provided BAA, but does not provide their own standard BAA. You might, at this point, be thinking “is that a cause for concern?” and “where do I get a BAA to provide them? Providing my own BAA sounds expensive.” First, we actually see it as a positive when a company will execute a BAA of the customer’s choosing/provision and doesn’t insist on their own. (That said, we do not see it as a negative when a company provides their own BAA. We just advise you, as with any legal agreement, to read it thoroughly, as we do, so that you are aware of both your responsibilities under the agreement and any exclusions of what is covered/any potential loopholes for the company that is your business associate.) Second, HIPAACOW to the rescue! HIPAACOW is a volunteer organization in Wisconsin that produces utterly amazing, highly professional work that should by all rights cost us thousands of dollars. They give it out for free, though. So take advantage! One of the many items they offer is a sample Business Associate Agreement contract. Be sure to download the one that is updated for the 2013 HIPAA Omnibus Rule: HIPAACOW Security and Privacy Documents.

3) Be sure you are following simple security measures like using appropriate passwords and computer/device security

Be sure you are following simple security measures like using appropriate passwords and computer/device security. It’s important to make sure whatever device you’re using to access Earth Class Mail is secured against threats to privacy. Our HIPAA Investigation Repellent course covers smartphone security in detail. Our video on how to use the security features of your smartphone is also quite helpful.

4) Be sure you have policies and procedures in place that maintain availability of PHI

If you choose to “shred” or “recycle” a document that contains PHI, ensure you’re following your policies and procedures that govern data backup of electronic protected health information (ePHI) in order to protect and maintain availability.

5) Have a BAA for each app you integrate

Ensure you have a BAA with each app you choose to integrate with Earth Class Mail. For example, if uploading a document to Google Drive, be sure it is to Google Drive under a G Suite account for which you have an executed BAA with Google in place.

6) Have a policy and procedure(s) in place that govern forwarding of the PDF mail documents received through Earth Class Mail

Have a policy and procedure in place that governs forwarding of the PDF mail documents. Do not download the document and then email the document to yourself, or any other recipient, using an email service provider with whom you do not have a BAA in place.

Depending on the sensitivity of the PHI in the document that you may be sending to yourself or another recipient, a BAA alone might not be sufficient for your risk management needs. (For example, if you are sending a super bill or client record, you may need to utilize a “HIPAA secure” as opposed to a merely “HIPAA friendly” email service provider. For a description of the different types of email security, and how they fit within your risk management considerations, please see our article 3 Kinds of Email Security: How to Make an Informed and HIPAA-Aware Choice.)