HIPAA and Adobe Products and Services

[Last Updated: November 2023]

Adobe continues to innovate and adapt to meet the specific privacy and security needs of our customers in the healthcare industry.

Health Insurance Portability and Accountability Act

The Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) provides for the U.S. Department of Health and Human Services to promulgate standards governing the privacy and security of certain individually identifiable health information. HIPAA was most significantly amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), which added breach notification requirements and expanded the scope of who is governed by HIPAA. The HIPAA Privacy, Security, and Breach Notification Rules establish important protections for individually identifiable health information, called protected health information or “PHI”, when it is created, received, maintained, or transmitted by a HIPAA covered entity or business associate. A “Covered Entity” is a health care provider, health plan, or health care clearinghouse. A “Business Associate” is an entity or person, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a Covered Entity that involve creating, receiving, maintaining, or transmitting PHI.

The HIPAA Privacy and Security Rules require that a Covered Entity obtain written assurances from a Business Associate in the form of a Business Associate Agreement, or BAA, requiring the Business Associate to safeguard the privacy and security of the Covered Entity’s PHI.

Providing PHI to Adobe

Adobe provides health care customers with services that are ready to accept PHI, referring to these services as HIPAA-Ready Services. These HIPAA-Ready Services have additional features and functionalities that allow for both customers, who are Covered Entities or Business Associates, and Adobe to comply with their respective HIPAA obligations. These additional features may increase your license or subscription costs.

Customers that license HIPAA-Ready Services to process PHI must have a BAA with Adobe that applies to those HIPAA-Ready Services. A customer may provide PHI only with a HIPAA-Ready Service, in accordance with the license agreement and BAA between Adobe and the customer. Customers are not permitted to create, receive, maintain, or transmit PHI through Adobe Products and Services that are not HIPAA-Ready Services because Adobe has not designed these services to support the customer and Adobe’s HIPAA compliance.

The current list of HIPAA-Ready Services includes:

  • Adobe Experience Manager (AEM) Managed Services
  • Adobe Experience Manager (AEM) as a Cloud Service
  • Adobe Customer Journey Analytics (CJA)*
  • Adobe Journey Optimizer (AJO)
  • Adobe Real-Time Customer Data Platform (RTCDP) B2P (Consumer Audiences) Prime and Ultimate Editions**
  • Adobe Real-Time Customer Data Platform (RTCDP) B2C Prime and Ultimate Editions**
  • Adobe Acrobat Sign Solutions for enterprise and business
  • Adobe Connect Managed Services
  • Marketo Engage
  • Workfront
  • Adobe Commerce on Cloud
  • Adobe Commerce on Managed Services

More information about how Adobe Experience Cloud solutions can be used in healthcare business scenarios can be found in our white paper, Adobe Experience Cloud for Healthcare Solutions Overview, on the Adobe Trust Center.

HIPAA Shared Responsibilities

Adobe’s HIPAA-Ready Services rely on a shared responsibility security model, requiring the customer and Adobe to each bear distinct responsibilities for maintaining the security of PHI. Under this shared security model, Adobe relies on the customer to implement certain configurations that are under the customer’s control in order for Adobe to comply with HIPAA Security Rule requirements. Adobe also provides configuration recommendations to assist customers in satisfying their own HIPAA compliance obligations when using the HIPAA-Ready Services.

Shared Responsibility Security Model

The following describes how Adobe has addressed certain key standards of the HIPAA Security Rule with respect to electronic protected health information (“ePHI”) and includes some recommendations to assist customers with their HIPAA compliance.

*CJA Labs is not a HIPAA-Ready CJA Service. For more information please see here.
**Excluding Event Forwarding. Event Forwarding is not a HIPAA-Ready RTCDP feature.

Standards

Technical Safeguards

Access Control

Adobe has implemented policies, procedures, and technical controls to assign unique identifiers to each Adobe user (including preventing identifier reuse), to allow only authorized Adobe users access to ePHI, to terminate user access to ePHI when it is no longer necessary, and to provide the ability to release or disclose ePHI during an emergency. Adobe also provides customers with the tools to control which of their users have access to ePHI.

Encryption & Decryption

Adobe provides for encrypting ePHI transmitted over public networks and at rest. If a customer uses HIPAA-Ready Services to transmit or store ePHI without encryption, the customer should document its determination that encryption is not reasonable and appropriate.

Audit Controls

Adobe has implemented controls to access and log user activity in Real-time Customer Data Platform.

Session Time Out

Adobe systems are configured to terminate sessions that authorized personnel and users use to access or communicate ePHI after a pre-defined period of inactivity, or when the user ends the session.

Integrity Controls

Adobe has implemented technical security measures to ensure that ePHI is not improperly modified or destroyed. For more information, please refer to www.adobe.com.

Administrative Safeguards

Risk Analysis and Management

Adobe has implemented measures to reduce risks to a reasonable and appropriate level, including conducting its own risk analysis and implementing a risk management plan with respect to ePHI that Adobe maintains. Adobe recommends that customers perform their own risk analyses that incorporate their use of HIPAA-Ready Services and use the security features in the HIPAA-Ready Services to reduce security risks to a reasonable and appropriate level.

Information System Activity Review

Adobe regularly reviews its users’ access to ePHI. Adobe recommends that customers regularly review their users’ access to ePHI in the HIPAA-Ready Services using the audit logs that those services provide.

Workforce Security Training

Adobe has established a security awareness training program to train employees and keep them up to date regarding Adobe's policies and procedures for safeguarding ePHI, including applying appropriate sanctions against employees who violate the policies and procedures, and terminating employees' access to systems that store, process, or transmit ePHI. Adobe recommends that customers train their users on the appropriate use of HIPAA-Ready Services to handle ePHI.

Contingency Planning

Adobe has implemented a contingency plan and tests it on a periodic basis, which allows restoration of ePHI in the case of an emergency, disaster, or outage. Adobe recommends that customers maintain their own contingency plans, which may address whether PHI maintained on HIPAA-Ready Services must be available to the customer in an emergency.

Business Associates Agreement (BAA)

Adobe's BAA discusses Adobe's responsibility to the customer and is available to the customer to execute during the implementation of the HIPAA-Ready Services. Adobe also enters into BAAs with its subcontractors.

Physical Safeguards

Facilities Access and Control

Adobe controls who has physical access to the location where ePHI is received, maintained, or transmitted, including software engineers, facility personnel, etc. Adobe has policies and procedures to safeguard and prevent unauthorized physical access, tampering, and theft. Adobe recommends that customers address physical access to facilities in which their users access HIPAA-Ready Services.

Workstation and Device Management

Adobe has policies and standards that require approval for personnel needing access to ePHI, including physical access to restricted areas and to workstations in restricted areas, with workstations and monitors fitted with privacy screens and positioned so they are visible only to the single user. Adobe recommends that customers address the security of workstations that are used to access HIPAA-Ready Services.

Hardware and Infrastructure Inventory Management

Adobe maintains a full inventory of the hardware and infrastructure of employees who are authorized to handle ePHI, including maintenance records and records of the movements of each item.

Disposal

Adobe has practices and procedures to appropriately erase and purge ePHI, including disposal prior to the movement of any equipment. Adobe recommends that customers identify devices that download ePHI from HIPAA-Ready Services and ensure that those devices are properly disposed of when no longer needed.

Backup and Restore

Adobe has implemented technical security measures to ensure that ePHI is not improperly modified or destroyed. Adobe recommends that customers identify the extent to which they must back up, and be able to restore, PHI that is maintained through HIPAA-Ready Services.

Additional Information

For information on configuring the HIPAA-Ready Services, please see the product documentation available on Experience League.

Adobe’s BAA for HIPAA-Ready Services

Please contact your Adobe sales representative or customer success manager to execute Adobe’s BAA for HIPAA-Ready Services.

Disclaimer

This information is intended to describe how Adobe, as a business associate, has addressed certain key standards of the HIPAA Security Rule. It is not intended as, nor should it be viewed as, legal advice. Each customer is responsible for its own particular use of the HIPAA-Ready Services and for ensuring that the Adobe HIPAA-Ready Services meet its compliance needs.