A question we hear a lot in the HIPAA industry is whether healthcare organizations can use Amazon Web Services and be HIPAA compliant. A related question is how Amazon Simple Email Service (SES), which offers a transactional email API, stacks up to Paubox Email API.
This post will compare and contrast Amazon SES and Paubox as it relates to HIPAA compliant email.
Amazon SES (Simple Email Service) is a cloud-based email service provided by Amazon Web Services (AWS) that allows developers to send and receive email using an AWS SDK or via a RESTful Web Service interface. It is designed to handle large volumes of email, making it a good choice for businesses and other organizations that need to send a lot of email. It also includes features such as bounce and complaint handling, and email tracking.
See related: Is Amazon Web Services (AWS) HIPAA compliant?
Paubox Email API
Paubox Email API is a cloud-based secure email delivery service that helps healthcare organizations improve patient journeys. Common use cases include delivering test results, personalized appointment reminders, automating e-consent forms, and managing clinical trial recruitment.
Paubox provides various methods to help healthcare organizations send secure emails, such as developer docs, client libraries (SDKs), and real-time analytics.
Paubox launched in 2015 and currently has over four thousand customers in all 50 states.
Is Amazon SES HIPAA compliant?
There’s a couple items to consider when it comes to Amazon SES and its ability to provide HIPAA compliant email.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
We’ve written in the past about AWS and its stance on HIPAA compliance. In a nutshell, Amazon will sign a BAA with customers and that as of July 2019, it does include Amazon SES as being in scope.
However, it should be noted:
- By default, Amazon SES will attempt to make a secure connection to the receiving email server, but if a secure connection cannot be established, it will send the message unencrypted.
- You can configure Amazon SES to require a secure connection, however. But if you do, messages to your patients whose email addresses do not support encryption will not be delivered. They will be silently deleted.
It's referenced here in Data protection in Amazon Simple Email Service:
"By default, Amazon SES uses opportunistic TLS. This means that Amazon SES always attempts to make a secure connection to the receiving mail server. If it can't establish a secure connection, it sends the message unencrypted. You can change this behavior so that Amazon SES sends the message to the receiving email server only if it can establish a secure connection."
Is Paubox HIPAA compliant?
Paubox was built around the Paubox Foundations, three big ideas, and a mission to become the market leader for HIPAA compliant communication.
Paubox provides a BAA for all paid and freemium customers.
In addition, the following solutions are HITRUST CSF certified:
While an official HIPAA compliance certification does not exist, it’s widely acknowledged HITRUST CSF is the closest thing to it. In a nutshell, not only is Paubox HIPAA compliant, but its solutions are also HITRUST CSF certified.
When it comes to Paubox Email API, it was built using patented technology whereby if a secure connection cannot be established to the receiving mail server, Paubox automatically detects this and then converts the message (plus any attachments) to the Paubox Secure Message Center. The recipient then needs only a single extra click to secure access the message.
In other words, the email is not bounced, silently dropped, or sent unencrypted, as is the case with Amazon SES.
See also: U.S. Patent Office approves our approach to email encryption
Both Amazon SES and Paubox offer a transactional email API that alleviates the need for customers to fret about infrastructure and maintenance of in-house email systems.
Amazon SES however, is not well suited for U.S. healthcare. This is apparent from its its technical capabilities, as out of the box, its usage may expose customers to HIPAA violations by allowing unencrypted email to be sent.
Even when configured with extra encryption precautions, a double-digital percentage of email on the internet is still sent unencrypted in transit, and it's these types of emails that will silently deleted by Amazon SES.
Paubox on the other hand, was built from the ground up to provide secure, easy-to-use, HIPAA compliant email. This is apparent from its technical design (four patents and counting), HITRUST CSF certification since 2019, and inclusion of a business associate agreement for all customers (paid and freemium).