Skip To Content

HIPAA

HIPAA logo

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides federal protections for personal health information (PHI) held by covered entities and gives patients an array of rights with respect to that information.

HIPAA regulations require that covered entities and their business associates in this case, Esri when it provides services, including cloud services, to covered entities enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or Business Associate Agreement (BAAs), clarify and limit how the business associate can handle PHI, and set forth each party's adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act.

Currently, there is no official certification for HIPAA or HITECH Act compliance, instead, the below Esri services are FedRAMP Moderate Agency authorized utilizing NIST 800-53 security controls which map to HIPAA Security Rule standards."

Esri in-scope Services

ArcGIS Online HIPAA Services

Esri's initial ArcGIS Online HIPAA Eligible service is specifically its geocoding service, available at geocode.arcgis.com. Esri will list additional HIPAA Eligible services here as they are validated for alignment based on customer demand. Current restrictions and requirements associated with the HIPAA Eligible geocoding service include United States Citizen Support Maintenance only, Geocoding only for United States-based addresses, and No API-key calls (only app logins or user accounts are acceptable). As a multitenant Software as a Service (SaaS) offering that is consistent for all customers, Esri does not modify the ArcGIS Online HIPAA BAA for unique customer requirements.

EMCS Advanced Plus

Esri Managed Cloud Services (EMCS) Advanced Plus is a single tenant ArcGIS Enterprise offering through Esri Professional Services. EMCS Advanced Plus offers the ability to negotiate with an organization's BAA terms, but by default also utilizes the Esri HIPAA BAA.

ArcGIS HIPAA FAQ

The following are frequently asked questions regarding ArcGIS and HIPAA:

Can an organization enter into a HIPAA Business Associate Agreement (BAA) with Esri for a specific ArcGIS Online subscription?

Yes. Esri offers qualified companies or their suppliers a BAA that covers HIPAA Eligible ArcGIS Online and/or EMCS Advanced Plus services and associated maintenance. Esri's BAA may be requested through your account manager.

What services can I use in my ArcGIS Online organization if I have a BAA with Esri?

You can use any ArcGIS Online services designated as part of a HIPAA organization account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA Eligible services defined in the BAA.

Will Esri agree to use my organization's BAA instead?

For ArcGIS Online, no. Esri cannot modify the HIPAA BAA, because ArcGIS Online is a multitenant Software as a Service (SaaS) offering that is consistent for all customers. Esri must follow the same procedures for everyone. To minimize issues, Esri has already reviewed and incorporated input from BAAs of customers and fellow mid-to-large SaaS providers.

EMCS Advanced Plus offers the ability to negotiate with an organization's BAA terms, but by default also utilizes the Esri HIPAA BAA.

If a customer must use their own BAA, or requires significant customization of Esri's BAA, it is recommended that the customer contact the Professional Services team to consider their specialized needs outside of ArcGIS Online, such as with an on-premises or EMCS Advanced Plus deployment of ArcGIS Enterprise.

Does having a BAA with Esri indicate an organization is in alignment with HIPAA and the HITECH Act?

No, not by itself. HIPAA compliance involves several responsibilities for the covered entity—the health organization working with sensitive data. By offering a BAA, Esri helps support your HIPAA compliance, but using Esri services does not on its own achieve compliance. Customers are responsible for ensuring they have an adequate compliance program and internal processes in place, and that their particular use of Esri services aligns with HIPAA and the HITECH Act. It's more than the software and services; it's a holistic process to prevent a privacy breach.

How can an organization assess the risk of its ArcGIS Online configuration?

Organizations can assess the risk of their ArcGIS Online configuration by leveraging several resources and tools provided by Esri. Esri offers resources such as the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ) and detailed information available on the Esri Trust Center, which provide insights into Esri's security practices and controls. To validate Esri's compliance, organizations can review the FedRAMP authorization available on theFedRAMP marketplace. Additionally, organizations can conduct their own security testing under the terms of an Esri Security Assessment Agreement (SAA), allowing for technical validation of the ArcGIS Online configuration. For ongoing security and privacy insights, Esri provides the ArcGIS Security Adviser tool, enabling organization administrators to perform real-time assessments of their ArcGIS Online security posture, helping administrators quickly identify and address potential security issues.

What support or maintenance is available with Esri's online BAA?

As a U.S.-based regulatory requirement for electronic private health information (ePHI), customers signing a BAA will initially use Esri's United States Person-only support. This may be expanded to standard global support in the future based on demand. Under standard conditions, both operations and customer support resources do not view ArcGIS Online customer datasets. If a customer determines they need Esri Support assistance to access, download, or view the dataset related to an ArcGIS Online subscription covered by a BAA, the pre-identified customer privacy resource will be contacted by Esri for authorization of the access.

What if the services I want are not currently HIPAA Eligible?

Esri will continue to add services that are HIPAA Eligible, and this page will be updated as the list of HIPAA Eligible services increases. It is recommended that customers with immediate service needs that are not HIPAA Eligible use the ArcGIS Enterprise offering to supplement their online service needs.

Resources