Which Adobe products are HIPAA-Ready?

Adobe offers a range of products and services ready to accept and process protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

What is Adobe?

Adobe is a multinational software company renowned for creating multimedia and creativity tools. Adobe has become a leading provider of software solutions for digital media creation, editing, and publishing. Its flagship products include Photoshop, Illustrator, and Adobe Acrobat. These tools are widely used by professionals and amateurs alike for graphic design, photo editing, illustration, and document management. Adobe's software suite is integral to numerous industries, including graphic design, photography, marketing, and publishing, offering powerful tools that empower users to bring their creative visions to life.

Go deeper: 

• Is Adobe Campaign HIPAA compliant?
• Is Adobe Experience Platform HIPAA compliant? 
• Is Adobe Analytics HIPAA compliant? 

HIPAA-Ready services by Adobe

Adobe offers a range of HIPAA-Ready services with additional features and functionalities to help customers comply with HIPAA obligations. These services are designed to accept and process PHI, and customers who license these services must have a business associate agreement (BAA) with Adobe. 

According to Adobe, “Customers are not permitted to create, receive, maintain, or transmit PHI through Adobe products and services that are not designated as HIPAA-Ready services.”

The current list of Adobe's HIPAA-Ready services includes:

• Adobe Experience Manager (AEM) Managed Services
• Adobe Experience Manager (AEM) as a Cloud Service
• Adobe Customer Journey Analytics (CJA)
• Adobe Journey Optimizer (AJO)
• Adobe Real-Time Customer Data Platform (RTCDP) B2P (Consumer Audiences) Prime and Ultimate Editions
• Adobe Real-Time Customer Data Platform (RTCDP) B2C Prime and Ultimate Editions
• Adobe Acrobat Sign Solutions for enterprise and business
• Adobe Connect Managed Services
• Marketo Engage
• Workfront
• Adobe Commerce on Cloud
• Adobe Commerce on Managed Services

These services have been specifically designed to support HIPAA compliance and help healthcare organizations manage and protect PHI effectively.

Read more: What is protected health information (PHI)? 

HIPAA shared responsibilities

HIPAA compliance with Adobe's HIPAA-Ready services follows a shared responsibility security model. Both Adobe and the customer have distinct responsibilities for maintaining the security of PHI.

Adobe relies on the customer to implement certain configurations under their control to ensure compliance with the HIPAA security rule. Adobe provides customers with configuration recommendations to assist them in meeting their HIPAA compliance obligations when using the HIPAA-Ready services.

Read more: What is the HIPAA Security Rule? 

Technical safeguards

To ensure compliance with the HIPAA security rule, Adobe has implemented various technical safeguards to protect ePHI (electronic protected health information). These safeguards include:

Access control

Adobe has policies, procedures, and technical controls to assign unique identifiers to users, restrict access to authorized users only, and terminate user access when no longer necessary. Customers can also control user access to ePHI through the HIPAA-Ready services.

Encryption & decryption

Adobe provides encryption for ePHI transmitted over public networks and at rest. Customers are recommended to use encryption when transmitting or storing ePHI unless they have documented that it is not reasonable and appropriate.

Audit controls

Adobe has implemented controls to access and log user activity in the Real-time Customer Data Platform. Customers are encouraged to review user access to ePHI regularly through the available audit logs.

Session time out

Adobe systems are configured to terminate inactive sessions after a pre-defined period of time or when the user terminates the session, ensuring the security of ePHI.

Integrity controls

Adobe has implemented technical security measures to prevent unauthorized modification or destruction of ePHI.

Read more: A deep dive into HIPAA's technical safeguards

Administrative safeguards

In addition to technical safeguards, Adobe has implemented administrative safeguards to ensure HIPAA compliance. These administrative safeguards include:

Risk analysis and management

Adobe conducts its own risk analysis and implements a risk management plan to reduce risks. Customers are advised to perform their own risk analyses and use the security features of the HIPAA-Ready services to mitigate security risks.

Information system activity review

Adobe regularly reviews users' access to ePHI and recommends that customers perform regular reviews of user access through the available audit logs.

Workforce security training

Adobe has an established security awareness training program to educate employees on policies and procedures for safeguarding ePHI. Customers are encouraged to train their users on the appropriate use of HIPAA-Ready services.

Contingency planning

Adobe has implemented a contingency plan and performs regular tests to ensure the restoration of ePHI in case of emergencies, disasters, or outages. Customers are advised to maintain their own contingency plans, which may include provisions for accessing PHI maintained on HIPAA-Ready services during emergencies.

Business associates agreement (BAA)

Adobe's BAA outlines the responsibilities of both Adobe and the customer and is available for execution during the implementation of HIPAA-Ready services.

Read also: A deep dive into HIPAA's administrative safeguards

Physical safeguards

Physical safeguards are also an important aspect of HIPAA compliance. Adobe has implemented the following physical safeguards:

Facilities access and control

Adobe controls physical access to locations where ePHI is received, maintained, or transmitted. This includes implementing policies and procedures to prevent unauthorized access, tampering, and theft. Customers are advised to address physical access to facilities where users access HIPAA-Ready services.

Workstation and device management

Adobe has policies and standards to control ePHI access, including physical access to restricted areas and workstations. Customers should also ensure the security of workstations used to access HIPAA-Ready services.

Hardware and infrastructure inventory management

Adobe maintains a full inventory of authorized personnel's hardware and infrastructure, including maintenance and movement records. Customers should also keep track of devices that download ePHI from HIPAA-Ready services and ensure proper disposal when no longer needed.

Disposal

Adobe has practices and procedures for the proper disposal of ePHI and recommends that customers identify devices that download ePHI and dispose of them properly.

Backup and restore

Adobe has implemented technical security measures to prevent the improper modification or destruction of ePHI. Customers should identify the extent to which they need to backup and restore PHI maintained through HIPAA-Ready services.

Related: A deep dive into HIPAA's physical safeguards

FAQS

What is a business associate agreement?

A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of personal health information (PHI) as required by HIPAA regulations.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

Learn more: HIPAA Compliant Email: The Definitive Guide