Updated August 2021
We’ve been getting asked by customers and prospects about Amazon SES and their ability to use it in a HIPAA compliant manner.
We know the healthcare industry is vast, so we can empathize with just how many people in this sector need to use cloud-based services.
Today, we will determine if Amazon SES can send HIPAA compliant email or not.
SEE ALSO: HIPAA breaches and cloud providers
About Amazon SES
Amazon Simple Email Service (SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification and transactional emails. It was originally designed by Amazon.com to serve its own customer base.
Amazon SES and the business associate agreement
As covered in a prior post, Amazon Web Services (AWS) does offer HIPAA compliant services.
It should be noted however, AWS does not offer HIPAA compliance for all of its cloud services.
For example, we found an AWS whitepaper called Architecting for HIPAA Security and Compliance on Amazon Web Services.
Within that document, it states:
Customers who execute an AWS BAA may use any AWS service in an account designated as a HIPAA Account, but they may only process, store and transmit PHI using the HIPAA-eligible services defined in the AWS BAA. For a complete list of these services, see the HIPAA Eligible Services Reference page.
In July 2019, Amazon announced that Amazon SES had joined the list of HIPAA eligible services. Therefore, if you have a BAA in place with AWS, you can now use Amazon SES to send HIPAA compliant email.
However, that’s not the whole story.
Using Amazon SES in a HIPAA compliant manner
Amazon published a whitepaper titled Architecting for HIPAA Security and Compliance on Amazon Web Services to help its healthcare customers use its products.
The platform offers various ways to satisfy encryption requirements for PHI. Amazon SES “supports both S/MIME and PGP protocols to encrypt messages for full end-to-end encryption, and all communication with Amazon SES is secured using SSL (TLS 1.2).”
However, this news isn’t as good as you might think. We’ve covered the concerns over S/MIME and PGP in other blog posts, and both only work when the recipient has set them up. But that’s not actually the biggest problem.
By default, Amazon SES uses opportunistic TLS: it attempts to negotiate a secure (STARTTLS) connection to the receiving email server, but if a secure connection cannot be established, it sends the message unencrypted over the open internet.
You can configure a sending configuration set to require a secure connection instead. But if you do, messages to patients whose mail servers do not support TLS will not be delivered.
As explained in Amazon SES and security protocols:
Amazon SES only sends the message to the receiving email server if it can establish a secure connection. If Amazon SES can’t make a secure connection to the receiving email server, it drops the message.
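Before switching a configuration set from the default (optional) TLS policy to the required one, it is worth measuring how many of your recipients’ mail servers would actually fail that check. The script below is an added example written for this article (it is not AWS or Paubox code): it parses a receiving server’s EHLO reply for the STARTTLS extension, models what Amazon SES does with a message under each TLS policy as the text above describes, and can probe a live mail host. The two constructed EHLO replies, the example hostnames, and the OPTIONAL/REQUIRE constants (named after the Amazon SES configuration set TlsPolicy values; check the exact spelling against the SES API you call) are assumptions for illustration.

```python
"""Audit recipient mail servers for STARTTLS support before moving an
Amazon SES configuration set from opportunistic TLS to required TLS.

Added example for this article, not AWS or Paubox code. It assumes SES has
exactly two TLS policies, as the article describes: Optional (the default,
try STARTTLS and fall back to plaintext) and Require (drop the message if
TLS cannot be negotiated).
"""
import smtplib

OPTIONAL = "Optional"  # assumed SES TlsPolicy value: opportunistic TLS
REQUIRE = "Require"    # assumed SES TlsPolicy value: TLS or the message is dropped

# Constructed EHLO replies (not captured from real servers), in the shape
# smtplib.SMTP.ehlo() returns them: the first line is the server's greeting,
# each following line is one advertised extension.
EHLO_WITH_STARTTLS = (
    b"mx.example.test at your service\n"
    b"SIZE 35882577\n8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\n"
)
EHLO_WITHOUT_STARTTLS = b"legacy-mx.example.test\nSIZE 10240000\n8BITMIME\n"


def parse_ehlo_extensions(ehlo_msg: bytes) -> set:
    """Return the upper-cased extension keywords in an EHLO reply body.

    Lines such as "SIZE 10240000" contribute only their keyword ("SIZE").
    """
    lines = ehlo_msg.decode("latin-1").splitlines()
    extensions = set()
    for line in lines[1:]:          # skip the greeting line
        keyword = line.strip().split(" ", 1)[0]
        if keyword:
            extensions.add(keyword.upper())
    return extensions


def delivery_outcome(tls_policy: str, supports_starttls: bool) -> str:
    """Model what SES does with one message under the given TLS policy."""
    if supports_starttls:
        return "delivered_tls"
    if tls_policy == REQUIRE:
        return "dropped"                # the failure mode the article warns about
    if tls_policy == OPTIONAL:
        return "delivered_plaintext"    # PHI leaves unencrypted
    raise ValueError(f"unknown TLS policy {tls_policy!r}")


def audit(starttls_by_domain: dict, tls_policy: str) -> dict:
    """Group recipient domains by what would happen to their mail."""
    summary = {"delivered_tls": [], "delivered_plaintext": [], "dropped": []}
    for domain, supports in starttls_by_domain.items():
        summary[delivery_outcome(tls_policy, supports)].append(domain)
    return summary


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: connect to a receiving mail host and ask whether it
    advertises STARTTLS. Only probe hosts you are permitted to contact."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if code != 250:
                return False
            return "STARTTLS" in parse_ehlo_extensions(msg)
    except (OSError, smtplib.SMTPException):
        return False


if __name__ == "__main__":
    # Offline demonstration on the constructed replies; swap in
    # probe_starttls(mx_host) results for a real recipient list.
    domains = {
        "example.test": "STARTTLS" in parse_ehlo_extensions(EHLO_WITH_STARTTLS),
        "legacy.example.test": "STARTTLS" in parse_ehlo_extensions(EHLO_WITHOUT_STARTTLS),
    }
    for policy in (OPTIONAL, REQUIRE):
        print(policy, audit(domains, policy))
```

To use this against a real recipient list, resolve each recipient domain’s MX hosts (for example with the dig tool or a DNS library), call probe_starttls on each from a host that is allowed to make outbound port 25 connections, and feed the results to audit with REQUIRE. The "dropped" list is the set of patients who would stop receiving your messages the moment you enforce TLS.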
This is in contrast to Paubox Email API, which leverages our patented technology to deliver messages to all email recipients in a HIPAA compliant manner, regardless of whether their mail server supports encryption.
Does Amazon SES offer HIPAA compliant email service?
Amazon SES is covered under AWS’s BAA, and healthcare providers can configure it to require TLS encryption before delivering an email. However, this means that patients whose mail servers do not support TLS will not receive your emails.
According to Google, about 10% of inbound email is not encrypted in transit, so this represents a significant number of people not receiving messages that are vital to their health.
Amazon SES can be a HIPAA compliant email solution, but it will not deliver all of your messages.
For a better solution, try the HITRUST CSF certified Paubox Email API, which maintains HIPAA compliance while delivering all messages regardless of whether or not a recipient supports encryption.