
Is Acquia HIPAA compliant?

Acquia is a digital experience platform with a suite of products that help organizations build, host, and manage websites. Healthcare organizations might want to use such a platform to better connect and communicate with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with platforms that are HIPAA compliant.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Acquia now mentions a BAA on its website, and it may be HIPAA compliant for certain customers.


What is Acquia?

Acquia is a software-as-a-service (SaaS) company that provides products and services for building, delivering, and optimizing digital experiences on Drupal-based websites. Drupal is an open-source project, which means that security is not guaranteed out of the box. Drupal can still be used in a HIPAA compliant way, however, if a web hosting company (like Acquia) covers the HIPAA security requirements.

Today, Acquia’s suite of products includes:

  • Acquia Cloud
  • Site Studio
  • Edge CDN
  • Site Factory
  • Cloud IDE
  • Acquia DAM
  • Personalization
  • Customer Data Platform
  • Campaign Studio
  • Campaign Factory

According to Acquia, its product suite can be designed to help healthcare organizations remain organized and connected.



Is Acquia considered a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to the business associates (i.e., vendors) of these covered entities: entities that perform certain functions or activities involving PHI on behalf of a covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

  • Permitted uses and disclosures of PHI
  • Safeguards for protecting PHI
  • Reporting and mitigation of security incidents
  • Compliance with HIPAA regulations
  • Dispute resolution and termination clauses

The agreement is required by law, and it is the first thing to check when assessing whether Acquia can be HIPAA compliant. Acquia becomes a business associate of a healthcare organization as soon as it accesses any PHI, even something as simple as a patient's name.



Acquia and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In 2021, we could find no mention of a BAA on Acquia’s website. Currently, Acquia offers a BAA for its healthcare Cloud Platform Enterprise and Site Factory customers. In fact, Acquia states that healthcare customers “must sign a BAA…to meet the HIPAA requirements.”


Acquia and data security

Covered entities must consider the administrative, physical, and technical safeguards that a vendor uses to protect PHI. Healthcare websites function as a source of information, providing services and facilitating communication between patients and healthcare providers. With the increasing importance of data privacy and security, healthcare organizations and the website hosts that collect, store, or process PHI on their behalf are subject to HIPAA regulations.

Acquia claims on its website that its Cloud Platform meets all HIPAA requirements under the HIPAA Security Rule and the HITECH Act. The company uses a third-party firm to perform an annual audit that includes a section on HIPAA security requirements. Accordingly, the company states that it employs the following security features:

  • Multi-factor authentication (MFA)
  • Vulnerability management
  • Disaster recovery and site backups
  • Constant security monitoring
  • Restricted file permissions
  • Layered firewalls

Moreover, Acquia offers a separate infrastructure for HIPAA customers, along with additional encryption of the file system and database servers.


Is Acquia HIPAA compliant?

The BAA is a necessary component of HIPAA compliance. Acquia states that a BAA is available for its Cloud Platform Enterprise and Site Factory customers, and it describes the security features it relies on to meet HIPAA requirements.

Conclusion: Acquia can be HIPAA compliant for some of its healthcare customers.


Understanding HIPAA compliance

Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:

  • Technical safeguards: Mitigate the risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital layers of protection.
  • Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
  • Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
  • Data access controls: Implement stringent controls, such as multi-factor authentication, over who can access PHI and under what circumstances.
