Potential issues with snail mail and postcards

Many patients, particularly older adults, low-income individuals, and those in rural areas, still lack reliable internet connections or confidence with technology. For these groups, physical mail remains the most practical way to communicate. Legal requirements also sustain its use. Some states and health systems still require paper documents or physical signatures for specific types of patient notices and consent forms. In many organizations, limited budgets, outdated workflows, and caution about replacing long-standing systems further slow the move toward digital communication.

Delivery takes days, creating delays in time-sensitive exchanges. Physical mail can be intercepted, opened, or misplaced. Postcards are especially problematic because the information they contain is visible to anyone who handles them, violating patient privacy standards set by HIPAA. Even sealed envelopes carry risks of theft, misdelivery, or improper disposal. Paper mail also lacks an audit trail, making it difficult to confirm delivery or trace information flow during a breach investigation.

Paper-based records and correspondence continue to be a leading source of protected health information (PHI) exposure. The Healthcare (Basel) report ‘Healthcare Data Breaches: Insights and Implications’ notes that between 2010 and 2019, paper and film formats accounted for nearly 18 percent of healthcare data breaches. Many incidents involved stolen mail, improper disposal, or careless handling of documents. Physical mail offers few safeguards. As healthcare organizations modernize their operations, paper communication increasingly falls short of the privacy, efficiency, and security expectations that define 2025.

 

Why snail mail no longer works efficiently

Traditional mail depends on postal services that can take several days to deliver documents to patients or other healthcare providers. The delay slows the entire communication process, holding up appointment reminders, test results, medication instructions, and other time-sensitive information that may require quick action. These delays can directly affect patient care by postponing treatment or causing missed appointments. Even in less urgent situations, the lag creates unnecessary friction and slows down healthcare operations.

According to a peer-reviewed research paper published in the Canadian Family Physician comparing postal and email survey methods, traditional mail response rates ranged from 41% to 82%, while email responses ranged from 24% to 73%, showing that physical mail may still be slower yet somewhat more reliable in terms of participation, though email provided quicker feedback and “more honest or less socially acceptable” responses.

Printing, packaging, and postage expenses, combined with the staff time needed to prepare and manage mailings, make physical mail far more expensive than electronic communication. The same study found that while email was less costly and had a faster return rate, the postal group achieved a 77% response rate compared to 56% via email. Digital systems can send secure messages instantly with minimal added cost. For healthcare organizations already operating under tight budgets, the money and labor spent on mailing could be redirected toward improving patient services or upgrading technology.

Traditional mail is also prone to errors. Incorrect addresses, lost or damaged mail, and delivery mistakes can prevent information from reaching patients or providers. These errors lead to repeated outreach, wasted resources, and frustration on both sides. Physical mail offers no reliable tracking or confirmation of delivery, making it difficult to verify whether information has been received or to investigate potential data breaches. As researchers observed, even among physicians, “Email respondents were more likely to provide written comments,” reflecting how digital tools improve speed and cost efficiency and promote richer, more complete communication.

 

Why traditional mail and postcards pose a risk to compliance

HIPAA doesn’t prohibit the use of traditional mail, but compliance depends on putting the right safeguards in place throughout the mailing process. However, using traditional mail or postcards often introduces compliance risks because of issues like interception, misdelivery, and lack of encryption, problems that are difficult to control completely. These vulnerabilities can lead to unauthorized disclosures and potential HIPAA violations.

As the study ‘Balancing confidentiality and care coordination: challenges in patient privacy’ on patient confidentiality and digital care coordination notes, “balancing the imperatives of confidentiality and efficient care coordination requires a nuanced approach to ensure ethical and legal compliance while optimising patient care.”

States like California require that certain healthcare notices, like initial privacy statements or specific patient communications, be mailed to ensure that patients actually receive them. Other states have similar laws requiring paper delivery for communications tied to consent or privacy acknowledgment. These rules are often designed to guarantee documented proof of communication or to protect patients who may have limited access to digital platforms. While digital communication continues to grow, these state requirements ensure that traditional mail still plays a small role in healthcare compliance.

Traditional mail and postcards, however, remain a weak link in privacy protection. Postcards are especially risky because any PHI printed on them is visible to anyone handling the mail. Even sealed letters can be intercepted or misdelivered during transit, exposing patient information. The manual steps involved in printing, sorting, and sending mail also increase the chance of simple human errors that can amount to reportable breaches under HIPAA.

 

What we can learn from the Michigan Medicine postcard breach

The Michigan Medicine postcard breach offers lessons on the risks associated with using traditional mail, especially postcards, in healthcare communications. In June 2025, Michigan Medicine, the University of Michigan's academic medical center, sent out research recruitment postcards to approximately 1,015 individuals without envelopes, exposing PHI on the postcards’ visible surfaces. 

This mailing without envelopes allowed anyone handling or viewing the postcards during transit or delivery to access sensitive patient information, thereby creating a privacy breach risk. Although Michigan Medicine assessed the risk of identity or medical theft as low, the incident underscores the inherent vulnerability of snail mail and postcards to unauthorized disclosure and breaches of confidentiality in healthcare settings.

This breach was further compounded by an internal oversight where the University of Michigan’s Institutional Review Board (IRB), which oversees human subject research protection, mistakenly approved the use of postcards without adequate privacy safeguards. Following the incident, Michigan Medicine halted the postcard mailing immediately and began notifying affected individuals. The organization also pledged to review and strengthen its privacy safeguards to prevent future occurrences.

See also: Michigan Medicine announces third breach in two years

 

The best alternative 

HIPAA compliant email far outperforms traditional mail and postcards as a secure communication method in healthcare. It uses strong encryption, such as Transport Layer Security (TLS) and secure portal pickup, to protect PHI both in transit and at rest. 

As the College of Physicians and Surgeons of Ontario warned, “e-mailing or faxing unencrypted patient health information is really no more secure than sending that information on a postcard.” Even if intercepted, encrypted messages remain unreadable without the correct decryption keys, sharply reducing the risk of breaches. By contrast, postal mail, and especially postcards, exposes sensitive information to anyone handling it, making it vulnerable to loss, interception, or misdelivery.

Beyond encryption, HIPAA compliant email enforces strict access controls and authentication. Only authorized senders and recipients can view or handle protected data, minimizing exposure to internal and external threats. These systems also maintain detailed audit logs showing who accessed or changed PHI, supporting accountability, breach detection, and regulatory compliance, features that physical mail simply can’t provide.

From an operational standpoint, secure email is faster, more efficient, and easier to track. Messages arrive instantly, enabling timely updates, appointment reminders, and test result delivery. Digital communication also integrates with electronic health records and patient portals, reducing manual work, minimizing errors, and improving care coordination. In every respect (security, compliance, and efficiency), HIPAA compliant email leaves traditional mail behind.

 

FAQs

Is traditional mail considered a secure communication method?

Not entirely. While it can be used legally, physical mail is inherently less secure than digital communication. Mail can be lost, stolen, misdelivered, or opened by unauthorized individuals.

 

What are the main risks of using traditional mail in healthcare?

The main risks include interception, loss, misdelivery, and the inability to track or verify delivery.

 

How do mail errors lead to HIPAA violations?

If a patient’s information is mailed to the wrong address or opened by someone else, it counts as an unauthorized disclosure of PHI.
