I am facing some questions when trying to design an S3 application using ASP.NET MVC and trying to stay HIPAA compliant.

My initial plan was to require an SSL connection to my web server, encrypt the images on my server, then send them to s3 using my private keys.

Here's my obvious concerns:

1. You cannot store unencrypted images in any temporary file cache when client views images within the browser.
2. Even if I setup an ashx to generically handle the image in memory, couldn't this get stored in cache?

Saying the images will be encrpyted because you will be connecting to my server via https still does not guarantee all browsers will not cache data.

It's not possible to even consider the "Query String" with expiration option since data will be encrypted before being stored on disk at s3, and will again be decrypted at my server in memory.

I think my only option would be to write/purchase some sort of ActiveX component that will not expose the image as a simple html image source or write my app as a client side WinForm application.