[hn_throwaway_99]

> Also just as a side note, HIPAA is not a ideal standard to begin with for security. Many large companies exchange bulk PHI via gmail since it is HIPAA compliant.

You seem to imply using GMail is a bad thing? I think GMail, when appropriately configured to handle PHI, is probably a million times more secure than some crappy bespoke "enterprise" app.

[weezin]

It isn't that hard to setup a secure SFTP server to automate the exchange. But then again this is a post about configuring a S3 Bucket with public access for SSNs.

The issue with Gmail is sending to the wrong email, sending to a broad email list, having people download it to their local machines. And the amount of PHI being transmitted in these files is larger than this s3 bucket.

[potato3732842]

>It isn't that hard to setup a secure SFTP server to automate the exchange

When you've got a trickle of information coming and going from hundreds or thousands of other individuals working at tens or hundreds of other entities it is.

You'd eventually wind up developing the kind of ridiculous "secure messaging and file drop" type service that every megabank builds on top of their SFTP and ticketing systems for that purpose. That stuff ain't cheap to run and keep running.

Better to just start with a solution that's 99% there.