Health Data and Adobe Products and Services

 

 

[Last Updated: March 2025]

Adobe is expanding Healthcare Shield to provide Health Data-Ready services that accept consumer health data that may be regulated under applicable healthcare privacy laws and regulations. Customers using Adobe’s Health Data-Ready products and services may submit additional categories of consumer health data to Adobe, in addition to the current use case of submitting Protected Health Information (PHI), as regulated under the Health Insurance Portability and Accountability Act of 1995 (“HIPAA”).

Adobe recommends that customers evaluate their needs to determine which product is best for their use case. Customers interested in learning more about Adobe HIPAA-Ready Services may see here for more information.

Working with Health-Related Data

Adobe’s expansion of Healthcare Shield allows customers the option of submitting consumer health data that may not necessarily be defined as PHI.

Adobe provides customers who engage with consumer health data but are not within the healthcare industry with services that are ready to accept consumer health data, referred to as Health Data-Ready Services. These Health Data-Ready Services have additional features and functionalities that allow customers who may not be defined as Covered Entities or Business Associates under HIPAA, but who may still handle consumer health data, to comply with the appropriate privacy and security regulations. These additional features may increase your license or subscription costs.

Customers are not permitted to create, receive, maintain, or transmit consumer health data through Adobe Products and Services that are not Health Data-Ready Services because Adobe has not designed these services to support the customer's and Adobe's compliance with health data regulations.

At this time, Health Data-Ready Services are available only to U.S. based customers.

The current list of Health Data-Ready Services includes:

  • Adobe Customer Journey Analytics (CJA)¹
  • Adobe Journey Optimizer (AJO)²
  • Adobe Real-Time Customer Data Platform (RTCDP) B2P (Consumer Audiences) Prime and Ultimate Editions³
  • Adobe Real-Time Customer Data Platform (RTCDP) B2C Prime and Ultimate Editions³

More information about how Adobe Experience Cloud solutions can be used in healthcare and health & wellness business scenarios can be found in our white paper, Adobe Experience Cloud for Healthcare Solutions Overview, on the Adobe Trust Center.

¹ Excluding CJA Labs. CJA Labs is not a HIPAA-Ready or Health Data-Ready CJA Service. For more information, please see here.
² Excluding Federated Audience Composition. Federated Audience Composition is not a HIPAA-Ready or Health Data-Ready AJO Service.
³ Excluding Event Forwarding and Federated Audience Composition. Event Forwarding and Federated Audience Composition are not HIPAA-Ready or Health Data-Ready RTCDP Services.

Shared Security Responsibilities

Adobe Health Data-Ready Services rely on a shared responsibility security model, requiring the customer and Adobe to each bear distinct responsibilities for maintaining the security of consumer health data. Under this shared security model, Adobe relies on the customer to implement certain configurations that are under the customer’s control for Adobe to comply with requirements surrounding consumer health data. Adobe also provides configuration recommendations to assist customers in satisfying their own compliance obligations when using the Health Data-Ready Services.

Shared Responsibility Security 

The following describes how Adobe has addressed certain key standards with respect to health data and includes some recommendations to assist customers with their Health Data-Ready compliance.

Standards

Technical Safeguards

Access Control

Adobe has implemented policies, procedures, and technical controls to assign unique identifiers to each Adobe user (including preventing identifier reuse), to allow only authorized Adobe users access to health data, to terminate user access to health data when no longer necessary, and to provide the ability to release or disclose health data during an emergency. Adobe also provides customers with the tools to control which of their users have access to health data.

Encryption & Decryption

Adobe provides for encrypting health data transmitted over public networks and at rest. If a customer uses Health Data-Ready Services to transmit or store health data without encryption, the customer should document its determination that encryption is not reasonable and appropriate.

Audit Controls 

Adobe has implemented controls to access and log user activity in Real-Time Customer Data Platform.

Session Time Out

Adobe systems are configured to terminate inactive sessions of authorized personnel and users who are using those systems to access or communicate health data, either after a pre-defined period of time or when the user terminates the session.

Integrity Controls 

Adobe has implemented technical security measures to ensure that health data is not improperly modified or destroyed.  For more information, please refer to www.adobe.com.  

Standards

Administrative Safeguards

Risk Analysis and Management

Adobe has implemented measures to reduce risks to a reasonable and appropriate level, including conducting its own risk analysis and implementing a risk management plan with respect to health data that Adobe maintains. Adobe recommends that customers perform their own risk analyses that incorporate their use of Health Data-Ready Services and use the security features in the Health Data-Ready Services to reduce security risks to a reasonable and appropriate level. 

Information System Activity Review

Adobe regularly reviews its users’ access permissions. Adobe recommends that customers regularly review their users’ access to health data through the Health Data-Ready Services, using the audit logs that are available through such services.

Workforce Security Training

Adobe has established a security awareness training program to train and keep employees up to date regarding Adobe's policies and procedures for safeguarding health data, including applying appropriate sanctions against employees who violate the policies and procedures, and terminating employees' access to systems that store, process, or transmit health data. Adobe recommends that customers train their users on the appropriate use of Health Data-Ready Services to handle health data.

Contingency Planning

Adobe has implemented a contingency plan and tests it on a periodic basis, which allows restoration of health data in the case of an emergency, disaster, or outage. Adobe recommends that customers maintain their own contingency plans, which may address whether health data maintained on Health Data-Ready Services must be available to the customer in an emergency.

Standards

Physical Safeguards

Facilities Access and Control

Adobe controls who has physical access to the location where health data is received, maintained, or transmitted, including software engineers, facility personnel, etc. Adobe has policies and procedures to safeguard and prevent unauthorized physical access, tampering, and theft. Adobe recommends that customers address physical access to facilities in which their users access Health Data-Ready Services.

Workstation and Device Management

Adobe has policies and standards to require approval for personnel requiring access to health data, including physical access to restricted areas, workstations in restricted areas, and workstations and monitors with privacy screens positioned so they are visible only to a single user. Adobe recommends that customers address the security of workstations that are used to access Health Data-Ready Services.

Hardware and Infrastructure Inventory Management

Adobe maintains a full inventory of the hardware and infrastructure of employees who are authorized to handle health data, including maintenance records and records of the movements of each item. 

Disposal

Adobe has practices and procedures to appropriately erase and purge health data, including disposal prior to movement of any equipment. Adobe recommends that customers identify devices that download health data from Health Data-Ready Services and ensure that they are properly disposed of when no longer needed.

Backup and Restore

Adobe has implemented technical security measures to ensure that health data is not improperly modified or destroyed. Adobe recommends that customers identify the extent to which they must back up and be able to restore health data that is maintained through Health Data-Ready Services.

Additional Information

For information on configuring the HIPAA-Ready Services, please see product documentation available on Experience League.

Adobe’s BAA for HIPAA-Ready Services

Please contact your Adobe sales representative or customer success manager to execute Adobe’s BAA for HIPAA-Ready Services.

Disclaimer

This information is intended to describe how Adobe, as a business associate, has addressed certain key standards of the HIPAA Security Rule.  It is not intended as, nor should it be viewed as, legal advice. Each customer is responsible for its own particular use of the HIPAA-Ready Services and ensuring that the Adobe HIPAA-Ready Services meet their compliance needs.