Ask HN: HIPAA compliant email providers for small businesses?
1 point by kunle 8 months ago | hide | past | web | favorite | 1 comment

So that depends on how you define "HIPAA compliant". If you're thinking about sending PHI via email - Don't. End of story.

HIPAA stipulates that you must both transmit and store PHI in an encrypted fashion. If you force your emails to be sent via TLS (to consumers) it is very likely a large percentage of your emails will never send (yes, gmail supports TLS but other major providers don't). You also cannot assure that the email is stored in an encrypted fashion upon receipt. In fact you can safely bet on it NOT being encrypted a fair amount of the time upon receipt because that takes a lot of work to do truly end-to-end encryption (one of many reasons why HIPAA is such a PITA).

So... How do you send emails in the world of health? You don't tell them anything other than they need to visit your site to read the message. You'll find many "secure email" providers and software (or build it yourself). The emails you send via whatever 3rd party qualify for the conduit exception because said 3rd party doesn't have access to the PHI.

None of the major providers like AWS SES, Sendgrid or Sparkpost will offer BAAs because of the previously mentioned reasons. You can still use them, just don't email PHI. Ever.

Now there is one major transactional email provider that I know of, that will sign BAAs. (Their name rhymes with "run" but I'm not going further because they are full of sh#t). Even with the BAA signed, if you read the fine print it still says you can't send PHI via their service. So it's completely pointless.
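The "notify, don't transmit" pattern the comment describes, as an added example that is not part of the thread and not any provider's code: the outbound email says only that a message is waiting at the portal, a check confirms no PHI values from the record leaked into the subject or body before sending, and delivery is attempted only over STARTTLS (so a relay without TLS fails loudly instead of downgrading, which is the delivery-failure trade-off the commenter points out). The PHI field names, the sample record, the sender address and the portal URL are assumptions constructed for the example.

```python
# Added example (not from the HN thread): notification-only email that carries
# no PHI, plus a leak check and a send path that refuses plaintext SMTP.
# PHI field names, the sample record and all addresses/URLs are assumptions.
import smtplib
import ssl
from email.message import EmailMessage

# Assumed: the fields this hypothetical application treats as PHI.
PHI_FIELDS = ("diagnosis", "medication", "dob", "mrn", "lab_result")

# Constructed sample record; every value is fake.
SAMPLE_RECORD = {
    "name": "Pat Example",
    "dob": "1980-04-12",
    "mrn": "MRN-0009182",
    "diagnosis": "Type 2 diabetes",
    "medication": "metformin 500 mg",
    "lab_result": "HbA1c 7.4%",
}


def build_message(to_addr: str, subject: str, body: str,
                  sender: str = "noreply@clinic.example") -> EmailMessage:
    """Generic text/plain message builder (sender address is an assumption)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_notification(to_addr: str, portal_url: str) -> EmailMessage:
    """Email that reveals nothing beyond 'a message is waiting for you'."""
    body = (
        "A new message is waiting for you.\n\n"
        f"Sign in to read it: {portal_url}\n\n"
        "For your privacy, the message itself is not included in this email."
    )
    return build_message(to_addr, "You have a new secure message", body)


def phi_leaks(msg: EmailMessage, record: dict) -> list:
    """Names of PHI fields whose values appear in the subject or body.

    Case-insensitive substring match; an empty list means the message is
    safe to hand to an ordinary (non-BAA) transactional email provider.
    """
    text = (str(msg["Subject"]) + "\n" + msg.get_content()).lower()
    return [f for f in PHI_FIELDS if f in record and record[f].lower() in text]


def send_with_required_tls(msg: EmailMessage, host: str, port: int = 587) -> None:
    """Deliver only after STARTTLS succeeds; never fall back to plaintext.

    smtplib raises SMTPNotSupportedError when the relay offers no STARTTLS,
    so the call fails instead of leaking the message in the clear. Callers
    should run phi_leaks() first and refuse to send if it is non-empty.
    """
    if phi_leaks(msg, SAMPLE_RECORD):
        raise ValueError("refusing to send: message contains PHI")
    ctx = ssl.create_default_context()  # verifies the relay's certificate
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()
        smtp.send_message(msg)


if __name__ == "__main__":
    safe = build_notification("pat@example.invalid",
                              "https://portal.clinic.example/messages/abc123")
    print("leaks in notification:", phi_leaks(safe, SAMPLE_RECORD))
    leaky = build_message("pat@example.invalid", "Lab results",
                          "Your diagnosis: Type 2 diabetes. Refill metformin 500 mg.")
    print("leaks in direct message:", phi_leaks(leaky, SAMPLE_RECORD))
    # send_with_required_tls(safe, "smtp.relay.example") would be the real send;
    # it is not invoked here so the example runs offline.
```

`phi_leaks` is deliberately a value match against the record rather than a regex for "medical-looking" words: the question a reviewer actually asks is whether anything from this patient's record made it into the template, and that is cheap to answer per message. The portal link itself should carry an opaque message id (as in the sample URL) and require login, so the link reveals nothing if the mailbox is compromised.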

