If you are evaluating alternatives to Amazon Simple Email Service (SES) for sending protected health information (PHI), the first filter is whether the provider will sign a business associate agreement (BAA). Many popular transactional email services will not. The second filter, the one that actually protects patient data, is whether the platform enforces encryption on every message rather than attempting it and sending regardless. That second test is where most options fall short, including SES itself.
Why a BAA is the first filter, and why most transactional services fail it
Under HIPAA, any vendor that processes PHI on your behalf must sign a BAA. For transactional email, that requirement eliminates a large share of the market immediately. SendGrid, Mailgun, and Postmark do not sign a business associate agreement, which means they are not an option for PHI no matter how strong their deliverability is.
Amazon SES clears this first filter. AWS signs a BAA and lists SES among its HIPAA-eligible services. So do a handful of others. The BAA narrows the field, but it does not tell you how any of them handle encryption on the wire.
A BAA alone is not enough: what to require beyond the contract
A BAA is a legal document. It assigns responsibility for PHI. It says nothing about whether a given message left over a modern, verified connection.
Paubox tested what SES actually does and published the results in How Amazon SES puts PHI at risk. Across 14 controlled tests, SES delivered PHI in plaintext when the receiver offered no encryption, over Transport Layer Security (TLS) 1.0 and 1.1, the versions the Internet Engineering Task Force retired in 2021, and to servers presenting invalid certificates. Its "Require TLS" setting closed one of those four failure modes.
A BAA-covered service that behaves this way still puts PHI on the open internet under weak or no encryption. The contract is in place, but the protection is not.
The stakes are not theoretical. Paubox's 2026 Healthcare Email Security Report counted 170 email-related breaches reported to HHS in 2025, most tracing to a sender that did not require encryption meeting a receiver that had not kept its mail server current. Choosing a platform that downgrades quietly is choosing into that pattern.
What to look for in a HIPAA compliant transactional email platform
Once a provider clears the BAA filter, evaluate the sending path itself against four questions.
- Does it enforce a minimum TLS version? The federal benchmark, NIST SP 800-52 Revision 2, is TLS 1.2 or higher. A platform that drops to TLS 1.0 or 1.1 does not meet it.
- Does it validate the receiving server's certificate? Encryption to an unverified server can be encryption to an impostor.
- What happens when the receiver cannot meet the standard? A platform built for PHI refuses to downgrade. It routes the message somewhere secure instead of sending it anyway.
- Is the BAA actually offered, in writing? If a provider cannot produce one, the evaluation stops there.
These questions matter because the HIPAA Security Rule is tightening. The rule HHS proposed in December 2024 moves encryption in transit from "addressable" to required, with May 2026 targeted to finalize the change. A best-effort sending path will not satisfy a hard requirement.
How Paubox approaches transactional email
Paubox built its HIPAA compliant email API around the hard-requirement model those four questions describe. It checks the receiving server before sending. If the receiver supports TLS 1.2 or higher with a valid certificate, the message is delivered over that connection. If it does not, the message routes to a patented Secure Message Center rather than crossing the public internet under weak encryption.
The practical difference is what happens on a bad connection. A best-effort service sends anyway and reports success. A hard-requirement platform treats encryption as a precondition for sending PHI, not a property it hopes the network supplies.
For teams already on SES, switching is not the only path. The same four questions can be used to harden an existing setup or to brief a vendor. The point is not the brand on the platform but whether the sending path refuses to downgrade. A service that will send PHI in plaintext or to an unverified server when the connection degrades is the risk, whoever operates it.
Frequently asked questions
Are SendGrid, Mailgun, or Postmark HIPAA compliant?
No. None of the three sign a business associate agreement, so they cannot be used to send PHI regardless of their other features.
Is Amazon SES a good HIPAA compliant option?
SES is HIPAA eligible under an AWS BAA, but Paubox testing found it delivers PHI in plaintext, over retired TLS, and to unverified servers. A BAA-eligible service still has to be evaluated on how it actually encrypts.
What makes an email platform HIPAA compliant for PHI?
A signed BAA, plus a sending path that enforces a modern TLS floor, validates certificates, and has a secure fallback when a receiver cannot meet the standard.
