[Last Updated: November 2023]
Adobe continues to innovate and adapt to meet the specific privacy and security needs of our customers in the healthcare industry.
Health Insurance Portability and Accountability Act
The Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) provides for the U.S. Department of Health and Human Services to promulgate standards governing the privacy and security of certain individually identifiable health information. HIPAA was most significantly amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”), which added breach notification requirements and expanded the scope of who is governed by HIPAA. The HIPAA Privacy, Security, and Breach Notification Rules establish important protections for individually identifiable health information, called protected health information or “PHI”, when created, received, maintained, or transmitted by a HIPAA covered entity or business associate. A “Covered Entity” is a health care provider, health plan, or a health care clearinghouse. A “Business Associate” is an entity or person, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a Covered Entity that involve creating, receiving, maintaining, or transmitting PHI.
The HIPAA Privacy and Security Rules require that a Covered Entity obtain written assurances from a Business Associate in the form of a Business Associate Agreement, or BAA, requiring the Business Associate to safeguard the privacy and security of the Covered Entity’s PHI.
Providing PHI to Adobe
Adobe provides health care customers with services that are ready to accept PHI, referring to these services as HIPAA-Ready Services. These HIPAA-Ready Services have additional features and functionalities that allow both customers (who are Covered Entities or Business Associates) and Adobe to comply with their respective HIPAA obligations. These additional features may increase your license or subscription costs.
Customers that license HIPAA-Ready Services to process PHI must have a BAA with Adobe that applies to those HIPAA-Ready Services. A customer may provide PHI only with a HIPAA-Ready Service, in accordance with the license agreement and BAA between Adobe and the customer. Customers are not permitted to create, receive, maintain, or transmit PHI through Adobe Products and Services that are not HIPAA-Ready Services because Adobe has not designed these services to support the customer’s and Adobe’s HIPAA compliance.
The current list of HIPAA-Ready Services includes:
- Adobe Experience Manager (AEM) Managed Services
- Adobe Experience Manager (AEM) as a Cloud Service
- Adobe Customer Journey Analytics (CJA)*
- Adobe Journey Optimizer (AJO)
- Adobe Real-Time Customer Data Platform (RTCDP) B2P (Consumer Audiences) Prime and Ultimate Editions**
- Adobe Real-Time Customer Data Platform (RTCDP) B2C Prime and Ultimate Editions**
- Adobe Acrobat Sign Solutions for enterprise and business
- Adobe Connect Managed Services
- Marketo Engage
- Adobe Commerce on Cloud
- Adobe Commerce on Managed Services
More information about how Adobe Experience Cloud solutions can be used in healthcare business scenarios can be found in our white paper, Adobe Experience Cloud for Healthcare Solutions Overview, on the Adobe Trust Center.
HIPAA Shared Responsibilities
Adobe’s HIPAA-Ready Services rely on a shared responsibility security model, requiring the customer and Adobe to each bear distinct responsibilities for maintaining the security of PHI. Under this shared security model, Adobe relies on the customer to implement certain configurations that are under the customer’s control in order for Adobe to comply with HIPAA Security Rule requirements. Adobe also provides configuration recommendations to assist customers in satisfying their own HIPAA compliance obligations when using the HIPAA-Ready Services.
Shared Responsibility Security Model
The following describes how Adobe has addressed certain key standards of the HIPAA Security Rule with respect to electronic protected health information (“ePHI”) and includes some recommendations to assist customers with their HIPAA compliance.
*CJA Labs is not a HIPAA-Ready CJA Service.
**Excluding Event Forwarding. Event Forwarding is not a HIPAA-Ready RTCDP feature.