HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
HIPAA compliance is complex, and this is especially true as more healthcare providers lean on digital tools to enhance their operations. One key development is the growing use of analytics platforms to collect meaningful data about website visitors.
While these solutions offer a valuable way to increase patient engagement and deliver more personalized experiences, they can also create a new opening for potential HIPAA violations.
Therefore, choosing a HIPAA compliant web host is only one piece of the puzzle. Covered entities also need to ensure that their analytics setup meets compliance requirements.
Let’s determine if Adobe Analytics is HIPAA compliant or not.
About Adobe Analytics
Leveraging a combination of artificial intelligence, machine learning, and workflow automation, Adobe Analytics is an enterprise-level analytics and reporting solution that monitors user traffic and interactions across a variety of marketing channels.
By evaluating and utilizing these real-time insights, businesses are able to gain a stronger understanding of customer behavior, predict future outcomes, and drive smarter marketing decisions.
Adobe Analytics and business associate agreements
Any third-party vendor that stores, accesses, or sends protected health information (PHI) is considered a business associate.
In order for a third-party vendor to be considered HIPAA compliant, a business associate agreement (BAA) must be signed by both parties. This is a written document that describes the obligations of the business associate to safeguard PHI.
According to Adobe’s compliance page, certain service offerings can be made HIPAA compliant. However, Adobe Analytics is not included on this list.
“HIPAA-ready” products are limited to Marketo Engage, Connect and Experience Manager as a Managed Service, Adobe Sign, and Adobe Workfront. In addition, the only available information on Adobe’s willingness to sign a BAA is specifically directed at Adobe Sign customers.
Adobe Analytics and data security
Along with the BAA, data security is another crucial piece of maintaining HIPAA compliance. This means that covered entities should consider the specific measures that a vendor is taking to protect PHI.
The Adobe Analytics security overview notes that the company employs a variety of network controls to protect customer data, including intrusion detection system sensors, non-routable IP addressing, firewalls, and daily backups.
Client data is segmented into separate report suites, with access restricted to authorized personnel and conducted via secure management connections. Adobe affirms that communications between data processing centers (DPCs) and regional data collection centers (RDCs) are encrypted, but “data within a DPC is generally unencrypted” and “data in transit is not always encrypted.”
Furthermore, Adobe directly states that customers are strongly advised to “refrain from passing personally identifiable information (PII) to Adobe Analytics where it is not necessary” and prohibited from “sending sensitive information to Analytics, such as medical records.”
Is Adobe Analytics HIPAA compliant?
No. Adobe does not appear willing to sign a BAA for Adobe Analytics, and it is not recognized as a HIPAA-ready product. Customers are also explicitly prohibited from storing sensitive data on the platform.
Boost protection with Paubox
Much like how many popular web hosts are not HIPAA compliant, a well-known digital analytics platform won’t always satisfy compliance obligations. Therefore, conducting your due diligence is critical to avoid costly fines and other corrective action.
In addition to selecting a HIPAA compliant analytics tool, healthcare providers should be safeguarding PHI from every angle with stronger email security.
Designed to conveniently integrate with your existing email platform such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals are necessary.
Paubox Email Suite’s Plus and Premium plan levels also include advanced inbound email security tools for additional threat protection. Our patent-pending Zero Trust Email feature uses email AI to confirm an email’s legitimacy, while patented ExecProtect quickly intercepts display name spoofing attempts.