Is Amazon SES HIPAA compliant?

Updated August 2021

We’ve been getting asked by customers and prospects about Amazon SES and whether it can be used in a HIPAA compliant manner.

The healthcare industry is vast, so we understand how many organizations in it need to use cloud-based services.

Today, we will determine if Amazon SES can send HIPAA compliant email or not.

SEE ALSO: HIPAA breaches and cloud providers

About Amazon SES

Amazon Simple Email Service (SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification and transactional emails. It was originally designed by Amazon.com to serve its own customer base.

SEE ALSO: Is Amazon Web Services (AWS) HIPAA compliant?

Amazon SES and the business associate agreement

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

As covered in a prior post, Amazon Web Services (AWS) does offer HIPAA compliant services.

It should be noted, however, that not all AWS cloud services are covered by its BAA.

For example, AWS publishes a whitepaper called Architecting for HIPAA Security and Compliance on Amazon Web Services.

Within that document, it states:


Customers who execute an AWS BAA may use any AWS service in an account designated as a HIPAA Account, but they may only process, store and transmit PHI using the HIPAA-eligible services defined in the AWS BAA. For a complete list of these services, see the HIPAA Eligible Services Reference page.


In July 2019, Amazon announced that Amazon SES had joined the list of HIPAA eligible services. Therefore, if you have a BAA in place with AWS and use SES from an account designated as a HIPAA account, you can use Amazon SES to send HIPAA compliant email.

However, that’s not the whole story.

Using Amazon SES in a HIPAA compliant manner

Amazon published the whitepaper Architecting for HIPAA Security and Compliance on Amazon Web Services to help its healthcare customers use its products.

The platform offers various ways to satisfy encryption requirements for PHI. According to the whitepaper, Amazon SES “supports both S/MIME and PGP protocols to encrypt messages for full end-to-end encryption, and all communication with Amazon SES is secured using SSL (TLS 1.2).” Note that SES accepts an S/MIME or PGP message your application has already encrypted; the service itself does not encrypt the message body for you.

However, this news isn’t as good as you might think. We’ve covered the concerns over S/MIME and PGP in other blog posts. But that’s not actually the biggest problem.

SEE ALSO: PGP and S/MIME aren’t as secure as you think

By default, Amazon SES uses opportunistic TLS: it attempts to negotiate a secure (STARTTLS) connection to the receiving email server, but if a secure connection cannot be established, it sends the message in cleartext.

You can instead configure SES, through the TLS policy of a configuration set, to require a secure connection. But if you do, messages to patients whose mail providers do not support TLS will not be delivered.

As explained in Amazon SES and security protocols:


Amazon SES only sends the message to the receiving email server if it can establish a secure connection. If Amazon SES can’t make a secure connection to the receiving email server, it drops the message.
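The following is an added example, not code from the Paubox article or from AWS documentation. It shows how a sender would pin an SES configuration set to TlsPolicy=Require (instead of the default Optional, which is the opportunistic behaviour described above) and send through that configuration set, using the boto3 "ses" client calls create_configuration_set, put_configuration_set_delivery_options and send_email. The configuration set name, the sender and recipient addresses, and the _FakeSesClient used so the code runs offline are assumptions for illustration; in production you would pass boto3.client("ses") instead of the fake.

```python
"""Require TLS on an Amazon SES configuration set and send through it.

Added example (not from the Paubox article or AWS documentation). Names
such as CONFIG_SET, the addresses and _FakeSesClient are assumptions.
"""
try:
    import boto3  # real AWS SDK; only needed when talking to the live API
except ImportError:  # the helpers below still work without it
    boto3 = None

CONFIG_SET = "phi-require-tls"  # assumed configuration set name


def delivery_options_request(config_set_name, require_tls=True):
    """Parameters for PutConfigurationSetDeliveryOptions.

    TlsPolicy=Require makes SES refuse delivery to a receiving server with
    which it cannot negotiate TLS; Optional (the SES default) falls back to
    cleartext when STARTTLS fails.
    """
    policy = "Require" if require_tls else "Optional"
    return {
        "ConfigurationSetName": config_set_name,
        "DeliveryOptions": {"TlsPolicy": policy},
    }


def ensure_require_tls(ses, config_set_name):
    """Create the configuration set if needed, then pin its TLS policy."""
    try:
        ses.create_configuration_set(ConfigurationSet={"Name": config_set_name})
    except ses.exceptions.ConfigurationSetAlreadyExistsException:
        pass  # already there; we still (re)apply the delivery options
    ses.put_configuration_set_delivery_options(
        **delivery_options_request(config_set_name)
    )


def send_through(ses, config_set_name, sender, recipient, subject, body):
    """Send a plain-text message via the TLS-required configuration set.

    Returns the SES MessageId. If the recipient's server cannot do TLS,
    SES will not deliver the message, so bounce handling must be in place.
    """
    resp = ses.send_email(
        Source=sender,
        Destination={"ToAddresses": [recipient]},
        Message={
            "Subject": {"Data": subject, "Charset": "UTF-8"},
            "Body": {"Text": {"Data": body, "Charset": "UTF-8"}},
        },
        ConfigurationSetName=config_set_name,
    )
    return resp["MessageId"]


class _FakeSesClient:
    """Constructed stand-in for boto3.client("ses") so this runs offline."""

    class exceptions:  # mirrors the boto3 client.exceptions namespace
        class ConfigurationSetAlreadyExistsException(Exception):
            pass

    def __init__(self):
        self.config_sets = {}
        self.sent = []

    def create_configuration_set(self, ConfigurationSet):
        name = ConfigurationSet["Name"]
        if name in self.config_sets:
            raise self.exceptions.ConfigurationSetAlreadyExistsException(name)
        self.config_sets[name] = {"TlsPolicy": "Optional"}  # SES default

    def put_configuration_set_delivery_options(self, ConfigurationSetName,
                                               DeliveryOptions):
        self.config_sets[ConfigurationSetName]["TlsPolicy"] = (
            DeliveryOptions["TlsPolicy"])

    def send_email(self, **kwargs):
        self.sent.append(kwargs)
        return {"MessageId": "fake-%d" % len(self.sent)}


def demo(ses=None):
    """Offline walk-through: returns (TlsPolicy now in effect, MessageId)."""
    ses = ses or _FakeSesClient()
    ensure_require_tls(ses, CONFIG_SET)
    ensure_require_tls(ses, CONFIG_SET)  # second call is idempotent
    msg_id = send_through(ses, CONFIG_SET, "clinic@example.com",
                          "patient@example.org", "Appointment reminder",
                          "Your appointment is Tuesday at 9am.")
    return ses.config_sets[CONFIG_SET]["TlsPolicy"], msg_id


if __name__ == "__main__":
    print(demo())  # with boto3: ensure_require_tls(boto3.client("ses"), CONFIG_SET)
```

The same setting is exposed by the newer sesv2 client as a TlsPolicy of REQUIRE on the configuration set. Because a Require policy turns "cannot negotiate TLS" into a non-delivery, enable bounce notifications or event publishing on that configuration set and watch them, otherwise the patients the article is concerned about go silently unreached.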


This is in contrast to Paubox Email API, which leverages our patented technology to deliver messages to all email recipients in a HIPAA compliant manner, regardless of whether their mail provider supports encryption or not.

SEE ALSO: What happens when a Paubox email recipient doesn’t support encryption?

Does Amazon SES offer HIPAA compliant email service?

Amazon SES is covered under AWS’s BAA, and healthcare providers can configure it to require TLS before delivering an email. However, this means that patients whose mail providers do not support TLS will not receive your emails.

According to Google’s email encryption transparency data, about 10% of inbound email is not encrypted in transit, so this represents a significant number of people not receiving messages that are vital to their health.

Conclusion

Amazon SES can be a HIPAA compliant email solution, but once it is configured to require TLS it will not deliver all of your messages.

For a better solution, try the HITRUST CSF certified Paubox Email API, which maintains HIPAA compliance while delivering all messages regardless of whether or not a recipient supports encryption.

See also: Why healthcare businesses choose Paubox Email API

Try Paubox Email API for FREE today.

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
