Sending Non-HIPAA Emails
Reliable email delivery is complex to configure and manage, and also involves the creation of special DNS records (DKIM, SPF). Email delivery services provide better uptime, tools, and reporting features than a do-it-yourself approach with Sendmail or Postfix. In addition, AWS throttles common mail ports such as 25. The following list of providers has been reviewed and approved by Healthcare Blocks for non-HIPAA purposes. They offer trials and/or free usage tiers.
Sending HIPAA-Compliant Emails
Emails that contain protected health information (PHI) are subject to HIPAA requirements. The privacy of email messages in transit can be protected with TLS encryption; however, not every recipient's email server supports it. In addition, an audit trail needs to be maintained for the sending and viewing of messages containing PHI, which is virtually impossible if your application sends emails to a broad base of email domains.
Typically, there are two ways to deliver emails in a HIPAA-compliant manner:
Using a Web Mail Strategy
The application sends emails that do not disclose any PHI in the subject and body and contain a link to a Web page that authenticates the user and displays the message over an HTTPS encrypted connection. Viewing the Web page should also generate a log entry as part of an audit trail.
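The Web mail strategy described above, as an added Python example that is not part of the original page: the email carries only a generic notice and an opaque link, the PHI stays server-side, access is granted only to the authenticated recipient, and every view attempt is recorded. The in-memory stores, the portal URL and the user ids are constructed placeholders.

```python
import secrets
from datetime import datetime, timezone

# Constructed in-memory stores standing in for the application's database.
MESSAGES = {}    # opaque message id -> {"recipient": user id, "body": PHI text}
AUDIT_LOG = []   # append-only audit trail of message views

# Hypothetical portal URL; the real page must be served over HTTPS.
PORTAL_URL = "https://portal.example/messages"

def store_message(recipient, phi_body):
    """Keep the PHI server-side and return an opaque, unguessable id for it."""
    message_id = secrets.token_urlsafe(16)
    MESSAGES[message_id] = {"recipient": recipient, "body": phi_body}
    return message_id

def build_notification(message_id):
    """Email subject and body carry no PHI: a generic notice plus the portal link."""
    return {
        "subject": "You have a new secure message",
        "body": ("A new message is waiting for you. Sign in to read it:\n"
                 f"{PORTAL_URL}/{message_id}"),
    }

def view_message(message_id, authenticated_user):
    """Called by the HTTPS page handler after the user has signed in.

    The link is only a pointer, not a credential: the message is returned
    solely when the signed-in user is the intended recipient, and every
    attempt (granted or denied) is written to the audit log.
    """
    msg = MESSAGES.get(message_id)
    granted = msg is not None and msg["recipient"] == authenticated_user
    AUDIT_LOG.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": authenticated_user,
        "message_id": message_id,
        "action": "view",
        "result": "granted" if granted else "denied",
    })
    return msg["body"] if granted else None

if __name__ == "__main__":
    mid = store_message("patient-42", "Lab result: HbA1c 6.1%")  # constructed sample PHI
    print(build_notification(mid)["body"])   # contains the link, no PHI
    print(view_message(mid, "patient-42"))   # recipient: message body
    print(view_message(mid, "someone-else")) # other user: None
    print(AUDIT_LOG)                         # one entry per view attempt
```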
Provisioning Mailboxes in a Managed Server
By running a TLS-enabled email server and provisioning email addresses under a single email domain, an organization can manage and monitor the entire sender-to-recipient email pathway. Users configure their email clients to receive TLS-encrypted messages. It is assumed the server is configured to log the delivery and viewing of messages at a level of detail sufficient to satisfy audit trail requirements.
Between the two options outlined above, the first one is easier to implement and manage. For both scenarios, it is possible to outsource to a vendor specializing in HIPAA-compliant email delivery. Healthcare Blocks has not formally reviewed any vendor in this area and cannot provide any recommendations.