Business Associate Agreement and Adobe Cloud Services Explained 

All covered entities need to understand and follow the HIPAA Privacy and Security Rule, which increases your awareness of selecting HIPAA-compliant cloud-based services or applications for your health care business. One essential consideration for a healthcare organization is to ensure that the service or license provider, such as Adobe, can sign a Business Associate Agreement (BAA) and if they have a BAA policy for you to review before purchasing their product.  

What is a Business Associate Agreement? 

A business associate agreement (BAA) is an agreement between a covered entity and a business or individual that performs certain functions or activities on behalf of the covered entity. A BAA informs the business associate how they may use and disclose protected health information (PHI) on your behalf. It also outlines how the business associate will safeguard and protect the PHI. A covered entity is responsible for ensuring the applications and services they use to handle PHI is HIPAA compliant and that the vendor will sign a BAA. 

 When looking at cloud service providers or any technology solution, ask if protected health information (PHI) is being created, accessed, stored, received, maintained, or transmitted through the service application. If so, a BAA is needed to store or share information. This includes email vendors and sharing services like Google Workspace or Dropbox. 

Many health care professionals opt for Adobe products due to their user-friendly interface and reliable document workflow options. The tricky question is determining which Adobe products are HIPAA compliant and whether a Business Associates Agreement (BAA) is needed to employ them. 

Will Adobe Provide a Business Associate Agreement? 

Yes, but it’s complicated.  

As a covered entity, you must understand the differences between Adobe’s products that do not offer a BAA and those that are supported with a BAA in their HIPAA-Ready category.  

We’ve done the research and broken things down for you. Keep reading to learn more! 

HIPAA Compliance and Adobe Cloud Applications 

 Adobe Cloud offers a range of applications, and each cloud grouping has many products. Here is a short example of their offerings: 

• Adobe Document Cloud includes Acrobat and Acrobat Sign 

• Adobe Creative Cloud includes design and editing programs such as Lightroom, Photoshop, and InDesign 

• Adobe Experience Cloud includes Journey Optimizer, Marketo Engage, Experience Manager Assets, and Workfront 

Many health care organizations use these Adobe products to run their businesses effectively, from administrative tasks to marketing. The most popular option is Adobe Document Cloud because it offers Acrobat PDF creation and Acrobat Sign. 

Only Adobe Acrobat Sign can be used in a HIPAA-compliant manner within Adobe Document Cloud. This becomes complicated once you understand Adobe’s pricing structures for Acrobat Sign. 

While we are discussing their products, it’s important to note that none of Adobe’s Commerce/eCommerce products are eligible for a BAA. 

Adobe Acrobat Sign and HIPAA Compliance 

A BAA between Adobe and the health care organization must be signed to use Adobe Sign to create, transmit, access, or maintain PHI and patient documents.  

The catch is that the health care organization must have an Enterprise Plan account for Acrobat Sign before Adobe will speak with them about signing a BAA.  

Suppose your organization has an Adobe Acrobat subscription that is an individual or group plan. In that case, you cannot acquire a BAA from Adobe for the Sign service.  

The downside to this is that an Enterprise plan for Acrobat Sign can be expensive, leaving some health care organizations to find other solutions. 

Which Adobe Cloud Products Are Available with a Business Associate Agreement? 

As recently as November 2023, Adobe has grouped a selection of its products and services into what it labels HIPAA-Ready. These Adobe products are available to accept PHI, so Adobe can provide a BAA to a health care organization that uses one or more of these products.  

You can review Adobe’s statement about their HIPAA-Ready products and BAA status here (last updated November 2023).

The current list of HIPAA-Ready Services includes: 

• Adobe Experience Manager (AEM) Managed Services 

• Adobe Experience Manager (AEM) as a Cloud Service 

• Adobe Customer Journey Analytics (CJA) 

• Adobe Journey Optimizer (AJO) 

• Adobe Real-Time Customer Data Platform (RTCDP) B2P (Consumer Audiences) Prime and Ultimate Editions 

• Adobe Real-Time Customer Data Platform (RTCDP) B2C Prime and Ultimate Editions 

• Adobe Acrobat Sign Solutions for enterprise and business 

• Adobe Connect Managed Services 

• Marketo Engage 

• Workfront 

• Adobe Commerce on Cloud 

• Adobe Commerce on Managed Services 

In their post about HIPAA-Ready services, Adobe makes it clear that the customer must implement specific security configurations within the products and is in control of maintaining and updating these configurations.  

In our experience guiding health care organizations with HIPAA compliance, we’ve often noticed a gap between HIPAA Privacy and Security Officials and their IT department. We suggest involving your IT team and tapping into their knowledge of information and security when evaluating new cloud-based products or services for security configurations and HIPAA compliance. 

Secure Your PHI With Business Associate Agreements 

If you’ve made it this far, you can see that Adobe’s HIPAA-compliant solutions are complex. For some products, Adobe will sign a business associate agreement, and this agreement does not cover other products. 

If your health care organization chooses to use Adobe products, take time to do some research, find out the terms of service (if possible), and ask to review the business associate agreement before signing.