Ask HN: HIPAA compliant email providers for small businesses? - kunle
======
ShakataGaNai
So that depends on how you define "HIPAA compliant". If you're thinking about
sending PHI via email - Don't. End of story.

HIPAA stipulates that you must both transmit and store PHI in an encrypted
fashion. If you force your emails to be sent via TLS (to consumers) it is very
likely a large percentage of your emails will never send (yes, Gmail supports
TLS but other major providers don't). You also cannot assure that the email is
stored in an encrypted fashion upon receipt. In fact you can safely bet on it
NOT being encrypted a fair amount of the time upon receipt, because doing truly
end-to-end encryption takes a lot of work (one of many reasons why HIPAA
is such a PITA).

So... How do you send emails in the world of health? You don't tell them
anything other than that they need to visit your site to read the message. You'll
find many "secure email" providers and software (or build it yourself). The
emails you send via whatever 3rd party qualify for the conduit exception
because said 3rd party doesn't have access to the PHI.

None of the major providers like AWS SES, Sendgrid or Sparkpost will offer
BAAs because of the previously mentioned reasons. You can still use them,
just don't email PHI. Ever.

Now there is one major transactional email provider that I know of that will
sign BAAs. (Their name rhymes with "run" but I'm not going further because
they are full of sh#t.) Even with the BAA signed, if you read the fine print
it still says you can't send PHI via their service. So it's completely
pointless.