HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). HIPAA compliance is complex, and this is especially true as more healthcare providers lean on digital tools to enhance their operations.

One key development is the growing use of analytics platforms to collect meaningful data about website visitors. While these solutions offer a valuable way to increase patient engagement and deliver more personalized experiences, they can also create a new opening for potential HIPAA violations. Therefore, choosing a HIPAA compliant web host is only one piece of the puzzle. Covered entities also need to ensure that their analytics setup meets compliance requirements. Let’s determine if Adobe Analytics is HIPAA compliant or not.

About Adobe Analytics 

Leveraging a combination of artificial intelligence, machine learning, and workflow automation, Adobe Analytics is an enterprise-level analytics and reporting solution that monitors user traffic and interactions across a variety of marketing channels.

By evaluating and utilizing these real-time insights, businesses are able to gain a stronger understanding of customer behavior, predict future outcomes, and drive smarter marketing decisions.


Adobe Analytics and business associate agreements

Any third-party vendor that stores, accesses, or sends PHI is considered a business associate. In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that describes the obligations of the business associate to safeguard PHI.

According to Adobe’s compliance page, certain service offerings can be made HIPAA compliant. However, Adobe Analytics is not included on this list.

“HIPAA-ready” products are limited to Marketo Engage, Connect and Experience Manager as a Managed Service, Adobe Sign, and Adobe Workfront. In addition, the only available information on Adobe’s willingness to sign a BAA is specifically directed at Adobe Sign customers.


Adobe Analytics and data security

Along with the BAA, data security is another crucial piece of maintaining HIPAA compliance. This means that covered entities should consider the specific measures that a vendor is taking to protect PHI.

The Adobe Analytics security overview notes that the company employs a variety of network controls to ensure the protection of customer data including intrusion detection system sensors, non-routable IP addressing, firewalls, and daily backups. Client data is segmented into separate report suites, with access restricted to authorized personnel and conducted via secure management connections.

Adobe affirms that communications between data processing centers (DPCs) and regional data collection centers (RDCs) are encrypted, but “data within a DPC is generally unencrypted” and “data in transit is not always encrypted.”

Furthermore, Adobe directly states that customers are strongly advised to “refrain from passing personally identifiable information (PII) to Adobe Analytics where it is not necessary” and prohibited from “sending sensitive information to Analytics, such as medical records.”


Is Adobe Analytics HIPAA compliant?

No. Adobe does not appear willing to sign a BAA for Adobe Analytics, and it is not recognized as a HIPAA-ready product. Customers are also explicitly prohibited from sending sensitive data to the platform.

