From your query, I understand that you are looking to send an email containing PII and you wish to adhere to the NHS data standards while data is in transit still maintaining encryption standards and also looking to confirm the set up necessary, if both AWS architecture and any 3rd party integrations could be used.
Please do correct me if I misunderstood your query.
This is very feasible with the AWS architecture and 3rd party with Microsoft Outlook, with Amazon Work Mail you can managed business email securely. Amazon Work Mail can also be integrated with Microsoft Outlook and also support native iOS and Android email applications. You can use S/MIME (Secure/Multipurpose Internet Mail Extensions) to enable users to send signed or encrypted email both inside and outside of your organization, controlling both the keys that encrypt your data and the location in which your data is stored.
That been said, you can also increase your posture while adhere to NHS standards with the use of an IPsec VPN and a Direct Connect link to a VPC. The IPsec is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a data stream between the sender and receiver, with the use of an Amazon VPC you can configure an IPsec VPN connection to your own VPC. Establishing an internet key exchange (IKE) security association between your Amazon VPC,VPN gateway, and another network gateway using a pre-shared key as the authenticator.
Lastly, you can also configure an AWS Direct Connect (DX) which is a direct logical connection between the customer’s environment to the end users system. This create an entirely private link eliminating the risk of data in transit being intercepted by threat actors.
I hope you found the above information helpful
References: Amazon WorkMail - Enabling signed or encrypted email https://docs.aws.amazon.com/workmail/latest/adminguide/enable_encryption.html
 Configure Certificate Autoenrollment https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731522(v=ws.11)?redirectedfrom=MSDN
 AWS Site-to-Site VPN https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-prerequisites
 How do I establish an AWS VPN over an AWS Direct Connect connection https://aws.amazon.com/premiumsupport/knowledge-center/create-vpn-direct-connect/
Transit Gateway data encryptionAccepted Answerasked 5 months ago
What NHS security standards can be applied to data in transit?asked 16 days ago
Specification of email address characters that can be specified in SESasked 7 months ago
Can you add custom Security Stadards or edit existing Standards?asked 2 years ago
Nitro instances-built in encryption in transitAccepted Answerasked 3 years ago
DataSync with EFS Source fails when policy requires encryption in transit.Accepted Answerasked 3 months ago
Enable security standardsasked 19 days ago
Transit Gateway to Direct Connect Gateway to Transit GatewayAccepted Answerasked 2 years ago
End-to-end encryption (to be or not to be)asked 5 days ago
Transit Gateway to AWS Instance Encryptionasked 6 months ago