Email and Messaging Under HIPAA: Using AWS SES and SNS for Secure Communication
Executive Summary
Small healthcare practices frequently rely on email and messaging services to communicate with patients, insurers, and business partners. Under the HIPAA Security Rule, specifically 45 CFR 164.308 (Administrative Safeguards) and 45 CFR 164.312 (Technical Safeguards), covered entities must secure electronic Protected Health Information (ePHI) transmitted through these channels. Amazon Web Services (AWS) offers Simple Email Service (SES) and Simple Notification Service (SNS) that can be configured for HIPAA compliance when paired with proper administrative and technical safeguards. For small practices with limited IT resources, SES and SNS provide scalable, affordable ways to meet HIPAA’s security standards, prevent breaches, and maintain patient trust.
Introduction
Email and messaging remain essential for healthcare operations, from appointment reminders to billing notifications. Yet, these communication methods present high compliance risks if not properly secured. The HIPAA Security Rule requires administrative, technical, and physical safeguards for all forms of ePHI transmission. Small practices often lack the resources to build complex systems in-house, making AWS SES and SNS attractive alternatives. These services allow practices to send and receive encrypted, auditable messages that can meet HIPAA standards, provided the practice executes a Business Associate Agreement (BAA) with AWS and implements proper controls. For daily operations, this means reliable patient communication that is compliant, efficient, and secure.
Understanding Email and Messaging Compliance Under 45 CFR 164.308 and 164.312
The Security Rule outlines specific safeguards relevant to email and messaging:
- Administrative Safeguards (164.308): Requires a risk analysis (164.308(a)(1)(ii)(A)), workforce training (164.308(a)(5)), and contingency planning (164.308(a)(7)). SES and SNS help address these requirements by offering secure configurations and message logging that support risk management documentation.
- Technical Safeguards (164.312): Requires access controls (164.312(a)), audit controls (164.312(b)), integrity protections (164.312(c)), and transmission security (164.312(e)). SES supports encryption in transit, while SNS provides delivery confirmation and audit logging that support message integrity.
Understanding how these safeguards apply ensures that small practices configure AWS SES and SNS in a way that reduces compliance risks. Without this alignment, OCR will consider communications involving ePHI to be unsecured and noncompliant.
The OCR’s Authority in Email and Messaging Compliance
The Office for Civil Rights (OCR) enforces HIPAA’s Security Rule and has authority to investigate violations involving email and messaging. OCR enforcement may be triggered by:
- Patient complaints about unsecured email communication.
- Breach reports caused by sending PHI through unencrypted email or unsecured messaging platforms.
- Random audits reviewing whether practices configured email systems with encryption, audit logs, and BAAs in place.
OCR has issued settlements against small practices for sending PHI via unencrypted email, citing violations of both administrative and technical safeguards. Practices that use SES and SNS without enabling encryption or configuring proper access controls remain liable under 45 CFR 164.308 and 164.312.
Step-by-Step Compliance Guide for Small Practices
Step 1: Sign a Business Associate Agreement with AWS
- AWS offers HIPAA-eligible services, including SES and SNS, under a BAA.
- Without a BAA, using these services for PHI is automatically noncompliant.
Step 2: Conduct a Risk Analysis
- Identify risks associated with email and messaging workflows (164.308(a)(1)(ii)(A)).
- Document vulnerabilities such as unencrypted messages or unauthorized device access.
Step 3: Configure AWS SES for HIPAA Compliance
- Enable TLS encryption for all outbound and inbound messages (45 CFR 164.312(e)(2)(ii)).
- Require identity verification and access controls for email users (45 CFR 164.312(a)(1); 164.312(d)).
- Use CloudWatch logs to track all message activity (164.312(b)).
Step 4: Configure AWS SNS for HIPAA Compliance
- Encrypt messages in transit and at rest.
- Restrict topics and subscriptions to authorized users only.
- Document SNS access logs as part of audit control requirements (45 CFR 164.312(b) – Audit Controls).
Step 5: Train Staff
- Train employees on proper use of SES and SNS for PHI communications.
- Conduct simulations of email and messaging incidents (164.308(a)(5)).
Step 6: Maintain Policies and Contingency Plans
- Document policies for secure email and messaging under HIPAA.
- Ensure backup procedures for communications in case of service outages (45 CFR 164.308(a)(7)(ii)(A) – Data Backup Plan; 164.308(a)(7)(ii)(B) – Disaster Recovery Plan).
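An added, offline self-audit helper for the SES and SNS settings in Steps 3 and 4 (example code written for this article, not the author's or AWS's own tooling). It evaluates the response shapes returned by the SESv2 GetConfigurationSet and SNS GetTopicAttributes API calls against three checks: TLS required for SES delivery, a KMS key set on the SNS topic, and a topic policy that refuses non-TLS callers and grants no unconditional access to every principal. The sample responses are constructed, and the account ID, key and role ARNs are placeholders.

```python
import json
from typing import Any

def audit_ses_configuration_set(cfg: dict[str, Any]) -> list[str]:
    """Step 3 check: the SESv2 GetConfigurationSet response must require TLS."""
    tls = cfg.get("DeliveryOptions", {}).get("TlsPolicy", "OPTIONAL")
    if tls != "REQUIRE":
        return [f"SES {cfg.get('ConfigurationSetName')}: TlsPolicy={tls}, expected REQUIRE (164.312(e)(2)(ii))"]
    return []

def audit_sns_topic(topic_arn: str, attrs: dict[str, str]) -> list[str]:
    """Step 4 checks on the Attributes map of SNS GetTopicAttributes."""
    findings = []
    # At-rest encryption: SNS only encrypts the topic when a KMS key is set.
    if not attrs.get("KmsMasterKeyId"):
        findings.append(f"SNS {topic_arn}: no KmsMasterKeyId, topic not encrypted at rest")
    statements = json.loads(attrs.get("Policy", "{}")).get("Statement", [])
    # In-transit: the topic policy should refuse callers that do not use TLS.
    denies_plaintext = any(
        s.get("Effect") == "Deny"
        and str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")).lower() == "false"
        for s in statements)
    if not denies_plaintext:
        findings.append(f"SNS {topic_arn}: no Deny for aws:SecureTransport=false (164.312(e))")
    # Access control: no unconditional Allow to every principal.
    for s in statements:
        if s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in s:
            findings.append(f"SNS {topic_arn}: unconditional Allow to any principal (164.312(a))")
    return findings

# Constructed sample responses; the account ID, key and role ARNs are placeholders.
TOPIC = "arn:aws:sns:us-east-1:123456789012:patient-reminders"
WEAK_SES = {"ConfigurationSetName": "patient-mail", "DeliveryOptions": {"TlsPolicy": "OPTIONAL"}}
GOOD_SES = {"ConfigurationSetName": "patient-mail", "DeliveryOptions": {"TlsPolicy": "REQUIRE"}}
WEAK_SNS = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "SNS:Subscribe", "Resource": TOPIC}]})}
GOOD_SNS = {
    "KmsMasterKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ClinicNotifier"},
         "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC},
        {"Effect": "Deny", "Principal": "*", "Action": "SNS:*", "Resource": TOPIC,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}

def run_self_audit() -> dict[str, list[str]]:
    """Findings keyed by resource; an empty list means the resource passes."""
    return {"ses-weak": audit_ses_configuration_set(WEAK_SES), "ses-good": audit_ses_configuration_set(GOOD_SES),
            "sns-weak": audit_sns_topic(TOPIC, WEAK_SNS), "sns-good": audit_sns_topic(TOPIC, GOOD_SNS)}
```

In a live account the same functions can be fed the output of boto3's `get_configuration_set` and `get_topic_attributes` calls; the findings text cites the CFR paragraph so it can be pasted into the risk analysis.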
Case Study
A small behavioral health clinic regularly emailed patient progress notes using a consumer-grade email service without encryption. A misdirected email exposed sensitive PHI, and OCR launched an investigation. The clinic lacked a BAA with its email vendor and had not documented a risk analysis. OCR imposed a $90,000 fine and required the clinic to adopt secure messaging systems and annual HIPAA training.
In contrast, another clinic implemented AWS SES and SNS under a signed BAA. They enabled TLS encryption, configured audit logs, and restricted access using IAM roles. When a staff member attempted to send PHI through an unauthorized channel, the compliance officer detected it through SES logs and corrected the issue before PHI was compromised. OCR reviewed the clinic’s response and found no violation, recognizing the safeguards in place as compliant with 45 CFR 164.308 and 164.312.
Simplified Self-Audit Checklist for AWS SES and SNS
| Task | Responsible Party | Timeline | CFR Reference |
|---|---|---|---|
| Sign BAA with AWS for SES/SNS | Practice Owner | Before use | 164.308(b), 164.502(e) |
| Conduct risk analysis of communication systems | Compliance Officer | Annually | 164.308(a)(1)(ii)(A) |
| Configure TLS encryption in SES/SNS | IT Lead | Immediately | 164.312(e)(2)(ii) |
| Enable audit logging with CloudWatch | IT Lead | Monthly | 164.312(b) |
| Restrict user access with IAM policies | IT Lead | Ongoing | 164.312(a) |
| Train staff on HIPAA email/messaging policies | Office Manager | Annually | 164.308(a)(5) |
| Test backup/contingency communication plan | Compliance Officer | Semi-annually | 164.308(a)(7) |
Common Pitfalls to Avoid Under 45 CFR 164.308 and 164.312
- Not signing a BAA with AWS: Using SES/SNS without a BAA makes all communications noncompliant.
- Failing to enable encryption: Unencrypted email transmission violates transmission security requirements.
- Ignoring audit logs: Without log reviews, unauthorized PHI disclosures may go undetected.
- Allowing unrestricted staff access: Overly broad permissions increase PHI exposure risks.
- Lack of training: Untrained staff may inadvertently send PHI through unsecured channels.
Avoiding these pitfalls ensures that practices demonstrate HIPAA diligence and minimize OCR penalties.
Best Practices for AWS SES and SNS Compliance
- Enable mandatory TLS encryption for all messages.
- Limit PHI transmission to verified domains and users.
- Integrate audit logs into HIPAA compliance documentation.
- Automate alerts for failed encryption or unauthorized access attempts.
- Review OCR breach cases annually to update internal procedures.
These best practices are cost-effective and allow small practices to securely manage communications without complex infrastructure.
Building a Culture of Compliance Around HIPAA Email and Messaging
Compliance requires cultural integration, not just technical solutions. Small practices should:
- Incorporate email and messaging safeguards into staff training.
- Establish written communication policies covering SES and SNS use.
- Assign compliance leadership to review logs and oversee breach responses.
- Encourage transparency by allowing staff to report potential communication risks.
By embedding secure communication practices into culture, small practices ensure HIPAA compliance is a daily routine.
Concluding Recommendations, Advisers, and Next Steps
Email and messaging are vital for healthcare operations, but they are also high-risk areas under HIPAA. Using AWS SES and SNS with a signed BAA, proper configurations, and documented safeguards allows small practices to meet requirements under 45 CFR 164.308 and 164.312. Compliance requires proactive planning, ongoing staff training, and regular monitoring.
Advisers
Small practices should consider:
- HHS Security Risk Assessment Tool: Free resource for conducting HIPAA-required risk analyses.
- OCR HIPAA Security Rule Guidance: Official interpretations of administrative and technical safeguards.
- AWS Artifact Compliance Reports: Free documentation portal showing AWS compliance practices.
- Affordable compliance platforms such as HIPAA One or Compliancy Group: Provide structured risk assessment, training, and monitoring workflows.
By leveraging these tools, small practices can securely use AWS SES and SNS for HIPAA-compliant communication while keeping costs manageable.
To further strengthen your compliance posture, consider using a compliance regulatory tool. These platforms help track and manage requirements, provide ongoing risk assessments, and keep you audit-ready by identifying vulnerabilities before they become liabilities, demonstrating a proactive approach to regulators, payers, and patients alike.