by Kapua Iao

Is Adobe Experience Platform HIPAA compliant?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to work well and communicate with patients while remaining HIPAA compliant.

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.

Today, we will determine if Adobe Experience Platform is HIPAA compliant or not.

About Adobe Experience Platform

The Adobe Experience Platform is an open system that transforms data into customer profiles on an easy-to-use dashboard. It is one of several Adobe products created to make doing business simpler.

Adobe Experience Platform is the foundation of, and is included in, Adobe Experience Cloud, along with Adobe Analytics and Adobe Campaign.

With this and similar products, organizations can centralize and standardize customer information to improve and enrich encounters.

In a sense, a storyboard is created that visualizes a customer’s interaction with an organization.

Adobe Experience Platform updates in real time and uses AI-driven learning models to gain insights to develop the right experience.

Adobe Experience Platform and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI.

In this instance, Adobe is a business associate of a healthcare organization if it works with any data that includes electronic PHI (ePHI), like a name or an email address.

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.

According to Adobe’s compliance web page, certain service offerings can be HIPAA compliant, such as Adobe Document Cloud and Adobe Managed Services. Adobe Experience Cloud is currently not listed as HIPAA-ready.

The only available information on Adobe signing a BAA is directed at Adobe Sign customers.

Adobe Experience Platform and cybersecurity

Adobe Experience Platform features several cybersecurity elements to secure data:

  • API-first sandboxes
  • Access controls and user permissions
  • Labels to classify data
  • Policy framework and enforcement

Moreover, Adobe’s cloud products are protected by encryption at rest (i.e., Microsoft Azure storage encryption) and constant monitoring.

At the same time, Adobe’s compliance page states that “the customer [rather than the company] is responsible for ensuring compliance.” This is reiterated within the Privacy Service.

In other words, it is up to organizations to know what they can share and how, as Adobe cannot guarantee the complete security of data.

Is Adobe Experience Platform HIPAA compliant?

The BAA is a key component of HIPAA compliance and Adobe does not appear to sign a BAA for Adobe Experience Cloud or Platform. Furthermore, Adobe states that these products are not HIPAA-ready and that the company cannot ensure compliance with the federal regulation.

If a data breach or HIPAA violation occurs and any PHI is breached, the covered entity is liable.

Conclusion

Adobe Experience Platform is not HIPAA compliant.
