HIPAA compliance concerns stop many dental practices from using direct mail effectively. You want to send appointment reminders, recall postcards, and promotional campaigns, but you're not sure what's legally allowed on a postcard that anyone can read.
This guide answers the most common HIPAA questions about dental postcards with clear, practical guidance you can apply immediately. We've reviewed the actual regulations and HHS guidance to give you definitive answers rather than vague caution. For comprehensive compliance frameworks, see our HIPAA-compliant dental direct mail guide.
The short version: most dental direct mail is perfectly compliant. Appointment reminders, recall cards, and practice promotions are all permitted without patient authorization. The key is understanding which specific content elements require sealed envelopes instead of postcards.
The fundamental rule: what's visible versus what's private
Postcards are visible to everyone who handles them—postal workers, household members, anyone who picks up the mail. HIPAA's Privacy Rule requires covered entities to implement reasonable safeguards to protect patient information from unnecessary disclosure.
This doesn't prohibit postcards. It requires you to limit postcard content to information that doesn't reveal sensitive health details beyond the basic fact that someone is a patient at a dental practice.
Allowed on postcards:
Patient name and mailing address
Your practice name, address, and phone number
Generic appointment information (date, time)
General recall messaging
Practice announcements and promotions
Holiday greetings
Requires sealed envelope:
Specific treatment details
References to conditions or diagnoses
Specialty care that reveals a health condition
Billing information
Any content the patient has requested be kept confidential
Frequently asked questions
Can I send appointment reminder postcards?
Yes. Appointment reminders are explicitly permitted under HIPAA as "treatment" communications that don't require patient authorization.
45 CFR §164.506 confirms that covered healthcare providers may use protected health information for treatment purposes without authorization. Appointment reminders fall squarely within treatment.
Your reminder postcard can include the patient's name, appointment date and time, your practice contact information, and a generic description of the visit. "We look forward to seeing you on Tuesday, March 15th at 2:00pm" is perfectly compliant.
Can a patient's name appear on a postcard?
Yes. The patient's name and mailing address are necessary for delivery and are permitted on postcards.
The fact that someone receives mail from a dental practice does reveal they're a patient there, which is technically protected health information. However, this minimal disclosure is permitted for treatment communications like appointment reminders and recall notices.
Can "It's time for your cleaning" appear on a postcard?
Generally yes. Routine dental cleanings are standard preventive care and don't reveal specific health conditions. This messaging is widely accepted as compliant.
Some practices prefer "It's time for your checkup" to be maximally conservative, but "cleaning" references to routine hygiene appointments are generally considered acceptable because they don't disclose any condition or specialized treatment.
What about "Time for your 6-month checkup"?
Yes, this is fine. Six-month recall intervals are standard dental care recommendations. This messaging doesn't reveal any specific health information beyond the fact that someone is a dental patient who should return for routine care.
Can I mention specific treatments like "Invisalign" or "periodontal cleaning"?
No—use a sealed envelope. References to specific treatments reveal information about the patient's health conditions or treatment history.
"Time for your Invisalign checkup" tells anyone reading the postcard that this person is undergoing orthodontic treatment. "Your periodontal maintenance appointment" reveals the patient has gum disease requiring specialized care.
These treatment-specific communications should be sent in sealed envelopes where the content isn't visible to others.
What about dental specialty references?
Use caution—often requires sealed envelope. References to specialty care can reveal health conditions.
Examples requiring sealed envelopes:
"Your oral surgery follow-up is scheduled..."
"Time to schedule your endodontic appointment..."
"Dr. Smith in our periodontal department will see you..."
These references reveal the patient is receiving specialized care that indicates specific health conditions.
Can I send recall postcards to patients who haven't visited in a year?
Yes. Recall communications to existing patients fall under "healthcare operations" and don't require patient authorization.
You have an established patient relationship, you're promoting your own services, and there's no third-party payment involved in the communication. This qualifies for the healthcare operations exception. For proven recall campaign strategies, see our dental recall postcards guide.
Keep messaging generic: "We haven't seen you in a while—it's time for your checkup" rather than "You're overdue for your periodontal maintenance."
Do I need patient consent to send recall postcards?
No authorization is required for recall postcards sent to existing patients with generic messaging about routine care.
HIPAA distinguishes between "treatment" and "healthcare operations" communications (no authorization required) and "marketing" (authorization required). Recall postcards fall into healthcare operations.
The only exception: if a patient has specifically requested you not contact them or has opted out of marketing communications, honor that request.
Can I send promotional postcards about new services?
Yes. Promoting your own services to existing patients is permitted under HIPAA.
The regulation at 45 CFR §164.501 excludes from the marketing definition any communication that "describes a health-related product or service that is provided by" your practice. Announcing that you now offer Invisalign, teeth whitening, or extended hours is not HIPAA-regulated marketing.
What makes something "marketing" under HIPAA?
Third-party financial remuneration is the key trigger. If another company pays you to send communications promoting their products or services, that requires patient authorization.
If you're promoting your own services without third-party payment, it's not marketing under HIPAA.
Examples that ARE marketing (require authorization):
A dental product company pays you to promote their whitening system
A pharmaceutical company pays you to send information about their medication
You sell patient data to a third party for their marketing use
Examples that are NOT marketing (no authorization required):
Promoting teeth whitening services you provide
Announcing new Invisalign offerings at your practice
Sending practice newsletters about your services
Can I include before/after photos on postcards?
Only with proper HIPAA authorization. Patient photographs are one of the 18 protected identifiers under HIPAA.
Using patient photos for marketing requires written authorization that includes:
Specific description of photos being used
Statement that use is for marketing purposes
List of where photos will appear
Expiration date
Revocation rights statement
Patient signature and date
Many practices avoid this complexity by using professional stock photography instead of patient photos.
What if a patient asks for confidential communications?
You must honor reasonable requests. Under 45 CFR §164.522(b), patients can request that communications be sent to alternative addresses or in sealed envelopes.
If a patient has requested confidential communications, you must:
Send all mail to their preferred address
Use sealed envelopes if requested
Note the preference in their patient record
Apply the preference to all future communications
Do I need a Business Associate Agreement with my mail service?
It depends on the service type.
No BAA required:
USPS (qualifies under the conduit exception)
FedEx, UPS, DHL (also conduit exception)
BAA required:
Print/mail services that receive your patient list
Fulfillment companies that store patient data
Marketing agencies managing patient databases
If your mail vendor receives, processes, or stores patient information beyond simple physical transport, they're a business associate and you need a BAA.
What about email versus postcards—are the rules different?
The same principles apply, but email has additional security considerations.
Email content guidelines mirror postcard guidelines: generic appointment reminders are fine, treatment-specific details should be avoided or encrypted.
However, email transmission security is a separate HIPAA concern. Many practices use secure email systems or patient portals for communications that include any protected health information.
For pure appointment reminders with generic content, standard email to an address the patient has provided is generally acceptable, though secure messaging is preferable.
Quick reference: compliant versus non-compliant postcard content
Compliant Postcard Messages:
✓ "Your appointment is scheduled for Tuesday, March 15th at 2:00pm"
✓ "It's time for your 6-month checkup!"
✓ "We haven't seen you in a while—we miss your smile!"
✓ "Don't forget to use your dental benefits before December 31st"
✓ "We now offer evening and weekend appointments"
✓ "Introducing our new teeth whitening services"
✓ "Happy holidays from everyone at Bright Smile Dental"
Non-Compliant Postcard Messages (Use Sealed Letter Instead):
✗ "Your periodontal maintenance appointment is scheduled for Tuesday"
✗ "Time for your Invisalign adjustment"
✗ "Your denture is ready for pickup"
✗ "Please schedule your post-extraction follow-up"
✗ "Your oral surgery consultation with Dr. Smith is confirmed"
✗ "Your night guard is ready"
✗ "Time for your sleep apnea appliance check"
Creating a compliant postcard workflow
Before designing your postcard
Classify the communication purpose: Is this a treatment reminder, healthcare operations message (recall, practice announcement), or marketing?
Review content for treatment specifics: Does any language reveal specific treatments, conditions, or specialty care?
Check for confidentiality requests: Have any recipients requested sealed communications?
Content review checklist
Before approving any postcard for printing:
☐ No specific treatment references (Invisalign, periodontal, oral surgery, etc.)
☐ No condition-revealing language
☐ No billing or payment details
☐ No patient photos without authorization
☐ Generic appointment/recall messaging only
☐ Practice contact information included
☐ No patients with confidentiality requests on the mailing list
When in doubt, use an envelope
If you're uncertain whether postcard content is compliant, default to sealed letters. The small additional cost is worthwhile compared to potential HIPAA concerns.
Sealed letters are required whenever:
Content references specific treatments
Messages could reveal health conditions
Patients have requested confidential communications
You're including billing or payment information
Common mistakes to avoid
Mistake 1: Treatment-specific appointment reminders on postcards
"Your root canal follow-up is Thursday at 10am" reveals treatment information. Use sealed letters for these reminders, or use generic messaging: "Your appointment with Dr. Smith is Thursday at 10am."
Mistake 2: Using patient photos without proper authorization
Even a smiling patient photo on a promotional postcard requires HIPAA authorization if the patient is identifiable. Stock photography avoids this issue entirely.
Mistake 3: Ignoring confidentiality requests
If a patient has requested alternative mailing addresses or sealed communications, apply those preferences to ALL mail—not just clinical communications.
Mistake 4: Assuming all mail services are conduits
USPS and major couriers qualify as conduits, but print/mail vendors that process your patient data are business associates. Verify BAA status before sharing patient information.
Mistake 5: Including unnecessary health information
Even when information could theoretically be included, apply the minimum necessary standard. Include only what's needed for the communication's purpose.
The bottom line
HIPAA permits most dental direct mail without patient authorization. Appointment reminders, recall postcards, practice promotions, and patient communications are all allowed when you follow these principles:
Keep postcard content generic—no treatment specifics
Use sealed letters for treatment-specific or sensitive information
Honor patient requests for confidential communications
Secure proper authorizations for patient photos
Verify BAA status with vendors who access patient data
Don't let HIPAA uncertainty prevent effective patient communication. The regulations accommodate normal dental practice operations—they just require thoughtful implementation.
References
U.S. Department of Health and Human Services HIPAA Privacy Rule: https://www.hhs.gov/hipaa/for-professionals/privacy/
HHS HIPAA FAQs: https://www.hhs.gov/hipaa/
HIPAA Privacy Rule, 45 CFR Part 164: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
HHS HIPAA FAQ - Appointment Reminders: https://www.hhs.gov/hipaa/for-professionals/faq/286/may-health-care-providers-use-protected-health-information/index.html
45 CFR § 164.506 - Uses and Disclosures for Treatment: https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.506
ADA - American Dental Association: https://www.ada.org/
This guide provides general information about HIPAA compliance for dental direct mail. It is not legal advice. Consult a qualified healthcare attorney for guidance specific to your practice's situation.
Ready to send compliant dental postcards? Postmarkr makes direct mail simple—upload your design, configure your list, and send postcards starting at about $0.75-$1.25. Our platform uses HIPAA-compliant mail infrastructure for secure fulfillment.