Question: Is the scheduling and sending reports by email feature HIPAA compliant?

I am specifically referencing the feature for emailing dashboards outlined here: Scheduling and sending reports by email - Amazon QuickSight

My expectation is that anything sending email would not be HIPAA compliant, but I can’t find any mention one way or the other for QuickSight.

If it is not HIPAA compliant, we would love to be able to disable this feature in our environment to limit the possibility of breaches, given that QuickSight is otherwise HIPAA compliant.

I don’t believe it is.

For more information you can look at this.

Specifically this.

Maybe semantic, but what is ‘it’ in your above sentence? Is that QuickSight or the email sending functionality in QuickSight?

Quicksight is in the HIPAA eligible services - HIPAA Eligible Services Reference - Amazon Web Services (AWS)

In this case, the data would need to be encrypted in transit and at rest. My understanding is that is not possible with email.

I don’t believe the email sending functionality is.

QuickSight, I think, can be HIPAA compliant but is not natively.

I do not claim to be an expert in HIPAA compliance, but it makes sense that if a PDF / CSV file with sensitive customer data is shared in an email as an attachment, that attachment could be distributed to other people with no traceability. It is for this reason that, at the time of scheduling, there are options to disable the file attachment and only send recipients a download link; additionally, even the preview within the email body can be suppressed [see image]. The download link ensures only those with access and permission are able to access the generated file, and if the access is revoked they can no longer access files. Since the download event happens within the system, this information is also logged as an event for audit purposes. Hope that helps!