Analyzing Adobe’s Updated Terms of Service for HIPAA Compliance 

Adobe has recently updated its terms of service agreement, causing confusion about whether the new terms encompass HIPAA compliance. This uncertainty has raised questions about whether healthcare organizations can utilize certain Adobe products. 

Health care software and cloud-based applications face no exceptions to the HIPAA Privacy and Security Rules. To be considered HIPAA compliant, the application or software provider must comply with the requirements for safeguarding protected health information (PHI) and be willing to sign a business associate agreement (BAA) with the covered entity. However, when the terms of service (or terms of use) updates are ambiguous and encompass broad language, it raises concerns for covered entities about maintaining compliance. 

Inside Adobe’s Recent Terms of Service Agreement 

Adobe’s early June 2024 Terms of Service agreement updates made waves thanks to its broad licensing language. In particular, the terms describing how Adobe can access users’ content, how they might license the users’ content, and how the data would be managed without the users’ consent for the company’s purposes.  

Of course, this caused alarm within the health care community because most health care organizations have never needed to obtain a BAA with Adobe to use specific products.  

The updates appear to affect the creative industry the most with indications that the company could utilize any content created using Adobe’s products for its own purposes, particularly in training its AI program. Additionally, Adobe did not offer customers an option to opt-out of this change.  

Adobe Releases Clarification Statement 

Since the original early June terms of service update, Adobe has released two clarification statements.  

On June 06, 2024, Adobe posted a clarification about the terms of service update. However, the clarification provided little insight into how the company interprets its updates with its HIPAA-ready products. These are a set of Adobe products that covered entities use with an underlying BAA and Adobe assurances of security controls.   

So, what do these updated terms of services mean for health care organizations and other institutions that rely on restricting sensitive patient information and access? 

Business Associate Agreements and Software Providers 

If a covered entity is using a software application to create, access, store, retrieve, maintain, or transmit protected health information (PHI), it needs a BAA with that company. This means a business associate agreement must be in place between a business or individual that performs certain functions or activities on behalf of the covered entity. 

The BAA informs the business associate about how they may use and disclose protected health information (PHI) on behalf of the covered entity.  

 PrivaPlan Associates Recommendation for Adobe Cloud Services 

The June 2024 update to Adobe’s terms of service has raised important questions about compliance, data access, and service usage. As customers, the best we can do is read the terms of services carefully and make decisions based on our knowledge of HIPAA and our organizational commitment to compliance.  

If your health care organization is using Adobe to create or edit a PDF and maintains that data on its secure network, the updated terms of service are acceptable, and you might not need a BAA with Adobe. Remember, these PDFs may contain Protected Health Information (PHI) and should not be stored on Adobe’s cloud service. 

We also recommend that an organization’s IT team engage with the assigned HIPAA Privacy and/or Security Official to determine if a BAA is needed before implementing the software. The IT team can use the official’s HIPAA knowledge and expertise in their organization’s policies and procedures regarding BAAs. 

Organizations that have a BAA with a software or cloud-based application company will want to review updated terms of service carefully to ensure continued compliance and to understand the implications for their data and operations.