Last updated: 13 January 2023
We've been getting asked by customers and prospects about Amazon SES and their ability to use it in a HIPAA compliant manner.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
Today, we will revisit if Amazon SES can provide HIPAA compliant email or not.
SEE ALSO: HIPAA breaches and cloud providers
About Amazon SES
Amazon Simple Email Service (SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification and transactional emails. It was originally designed by Amazon.com to serve its own customer base.
Amazon SES and the business associate agreement
As covered in a prior post, Amazon Web Services (AWS) does offer HIPAA compliant services.
It should be noted however, AWS does not offer HIPAA compliance for all of its cloud services.
For example, AWS publishes a whitepaper called Architecting for HIPAA Security and Compliance on Amazon Web Services.
Within that document, it states:
Customers who execute an AWS BAA may use any AWS service in an account designated as a HIPAA Account, but they may only process, store and transmit PHI using the HIPAA-eligible services defined in the AWS BAA. For a complete list of these services, see the HIPAA Eligible Services Reference page.
In July 2019, Amazon announced that Amazon SES had joined the list of HIPAA eligible services.
Upon closer inspection however, there are concerns with using Amazon SES in a healthcare setting.
Using Amazon SES in a HIPAA compliant manner
Amazon's whitepaper, Architecting for HIPAA Security and Compliance on Amazon Web Services, is meant to help its healthcare customers use its products.
The platform offers various ways to satisfy encryption requirements for PHI. Amazon SES "supports both S/MIME and PGP protocols to encrypt messages for full end-to-end encryption, and all communication with Amazon SES is secured using SSL (TLS 1.2)."
However, this news isn't as good as you might think. We've covered the concerns over S/MIME and PGP protocols in other blog posts. But that's not actually the biggest problem.
By default, Amazon SES will attempt to make a secure connection to the receiving email server, but if a secure connection cannot be established, it will send the message unencrypted.
You can configure SES to require a secure connection instead. But if you do, messages to patients whose receiving mail servers do not support TLS will not be delivered at all.
It's referenced here in Data protection in Amazon Simple Email Service:
"By default, Amazon SES uses opportunistic TLS. This means that Amazon SES always attempts to make a secure connection to the receiving mail server. If it can't establish a secure connection, it sends the message unencrypted. You can change this behavior so that Amazon SES sends the message to the receiving email server only if it can establish a secure connection."
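The practical question this raises is which of your recipients would be affected by switching from opportunistic TLS to a required-TLS policy. The script below is an added example, not code from the original post or from AWS. It parses SMTP EHLO replies for the STARTTLS extension (RFC 3207), classifies a recipient list into "will get TLS" and "will not", and shows the real SES v2 API call that flips the configuration set between OPTIONAL and REQUIRE. The EHLO banners and domains (tls.example, notls.example) are constructed for the example; the live probe and the boto3 call assume network access and AWS credentials respectively and are not run by default.

```python
"""
Preflight check for an SES TLS policy change.

Added example (not from the original post or from AWS). The EHLO replies
below are constructed sample data, not captured from real mail servers.
"""
import smtplib
from typing import Dict, Iterable, List

# Constructed EHLO replies keyed by recipient domain (assumption: one MX per domain).
SAMPLE_EHLO: Dict[str, str] = {
    "tls.example": "250-mx.tls.example\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME",
    "notls.example": "250-mx.notls.example\r\n250-SIZE 10240000\r\n250 8BITMIME",
}


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if a multi-line EHLO reply advertises STARTTLS.

    EHLO extension lines look like '250-STARTTLS' or '250 STARTTLS' (last line),
    so the keyword starts at offset 4 after the code and the '-' or ' ' separator.
    """
    for line in ehlo_reply.splitlines():
        if line.startswith("250") and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def probe_starttls(mail_host: str, timeout: float = 10.0) -> bool:
    """Live check: connect to a recipient MX on port 25 and inspect its EHLO reply.

    Needs outbound SMTP access; not exercised offline. smtplib records the
    advertised extensions, so has_extn() answers the same question as above.
    """
    with smtplib.SMTP(mail_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


def classify(recipients: Iterable[str], ehlo_by_domain: Dict[str, str]) -> Dict[str, List[str]]:
    """Split recipients by whether their domain's mail server offers STARTTLS.

    'tls'    -> delivered encrypted under either SES policy.
    'no_tls' -> sent in cleartext under OPTIONAL, not delivered under REQUIRE.
    Domains with no known EHLO reply are treated as no_tls (conservative).
    """
    result: Dict[str, List[str]] = {"tls": [], "no_tls": []}
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        bucket = "tls" if ehlo_offers_starttls(ehlo_by_domain.get(domain, "")) else "no_tls"
        result[bucket].append(addr)
    return result


def set_ses_tls_policy(configuration_set: str, require: bool, region: str = "us-east-1") -> str:
    """Set the SES v2 configuration set's delivery TLS policy.

    Assumes boto3 is installed and AWS credentials are available. The API name
    and TlsPolicy values (OPTIONAL / REQUIRE) are the real SES v2 ones.
    Returns the policy applied so callers can log it.
    """
    import boto3  # imported here so the offline parts run without boto3

    policy = "REQUIRE" if require else "OPTIONAL"
    boto3.client("sesv2", region_name=region).put_configuration_set_delivery_options(
        ConfigurationSetName=configuration_set,
        TlsPolicy=policy,
    )
    return policy


if __name__ == "__main__":
    # Constructed recipient list; carol's domain has no known EHLO reply.
    recipients = ["alice@tls.example", "bob@notls.example", "carol@unknown.example"]
    buckets = classify(recipients, SAMPLE_EHLO)
    print("Delivered with TLS under either policy:", buckets["tls"])
    print("Cleartext under OPTIONAL, undelivered under REQUIRE:", buckets["no_tls"])
    # To apply the strict policy (requires credentials; not run here):
    # set_ses_tls_policy("hipaa-notifications", require=True)
```

Messages pick up the configuration set, and therefore the TLS policy, through the ConfigurationSetName parameter on the SES API or the X-SES-CONFIGURATION-SET header on the SMTP interface, so the policy can be applied per sending path rather than account-wide. Running the classification against your actual recipient domains before switching to REQUIRE tells you in advance how many recipients the stricter setting would stop reaching.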
This is in contrast to Paubox Email API, which leverages patented technology to deliver messages to every recipient in a HIPAA compliant manner, regardless of whether the recipient's mail server supports TLS.
Does Amazon SES offer HIPAA compliant email service?
Amazon SES is covered by the AWS BAA, which is a good sign, and healthcare providers can configure it to require TLS before delivering an email.
However, using Amazon SES means one of two things:
- With the default opportunistic TLS setting, a meaningful share of emails, a double-digit percentage by our estimate, will be sent unencrypted in transit, which is not a HIPAA best practice.
- Or, with the stricter required-TLS setting, those same emails will not be delivered by Amazon SES at all, because the recipients' mail servers cannot negotiate a secure connection.