Lob is a direct mail automation platform that helps organizations create, route, print, and deliver physical mail at scale through APIs, dashboards, and its print delivery network.
With Lob, companies can automate transactional and marketing mail, verify addresses, track production and delivery, and manage complex direct mail workflows from campaign to mailbox.
Is Lob HIPAA compliant?
Yes, based on Lob’s public statements, Lob can be HIPAA compliant for supported healthcare direct mail use cases.
What changed this year?
As of March 2026, our review did not identify any publicly disclosed change showing that Lob stopped offering HIPAA-related support or BAA availability. Lob’s 2026 healthcare materials still present healthcare direct mail as a compliance-focused use case, and Lob’s security materials still list BAA support for organizations handling PHI.
Will Lob sign a business associate agreement (BAA)?
Yes, Lob will sign a business associate agreement. Lob’s public security page lists “Business Associate Agreements (BAA)” under its HIPAA support materials, and Lob separately states that “Lob signs BAAs with healthcare clients.”
What does the Lob BAA cover?
Lob does not appear to publish the full public text of its BAA on the pages reviewed, so the exact contractual language is not fully available for line-by-line analysis. Publicly, Lob describes its HIPAA support in operational terms rather than by posting the full BAA itself.
Lob’s security page says that if an organization handles PHI, Lob provides “Business Associate Agreements (BAA),” “HIPAA/HITECH privacy audits,” and “Dedicated printing facilities.” Lob also says it combines “industry-standard processes with vetted facilities” for the secure handling of sensitive information.
A separate Lob healthcare compliance post adds that “Lob signs BAAs with healthcare clients, encrypts data, and uses a secure Print Delivery Network to ensure PHI protection from upload to delivery.”
What does the Lob BAA exclude?
Lob does not appear to publicly post detailed BAA exclusions on the pages reviewed. For that reason, no specific exclusions are claimed here; the only reliable sources are the actual signed BAA or a gated trust-center document.
Lob’s terms define the Lob Services as printing, mailing, address verification, check-writing, APIs, and related services, and Lob’s healthcare materials frame HIPAA support around healthcare direct mail workflows.
That means any HIPAA analysis should be limited to the Lob services actually covered by the signed agreement.
Conclusion
Lob can be HIPAA compliant, but only when the engagement is set up correctly: a signed BAA that covers the Lob services actually in use. Lob publicly says it supports HIPAA, offers BAAs, and provides healthcare-oriented safeguards, which means it may be suitable for HIPAA-regulated direct mail workflows.
FAQs
What is a business associate agreement?
A BAA is a legally binding contract establishing a relationship between a covered entity under HIPAA and its business associates. The purpose of this agreement is to ensure the proper protection of PHI as required by HIPAA regulations.
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
