The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides federal protections for personal health information (PHI) held by covered entities and gives patients an array of rights with respect to that information.
HIPAA regulations require that covered entities and their business associates (in this case, Esri when it provides services, including cloud services, to covered entities) enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or Business Associate Agreements (BAAs), clarify and limit how the business associate can handle PHI, and set forth each party's adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act.
Currently, there is no official certification for HIPAA or HITECH Act compliance. Instead, the Esri services listed below are FedRAMP Moderate Agency authorized, utilizing NIST 800-53 security controls that map to HIPAA Security Rule standards.
Esri in-scope Services
ArcGIS Online HIPAA Services
Esri's initial ArcGIS Online HIPAA Eligible service is specifically its geocoding service, available at geocode.arcgis.com. Esri will list additional HIPAA Eligible services here as they are validated for alignment based on customer demand. Current restrictions and requirements associated with the HIPAA Eligible geocoding service include:
- United States Citizen Support Maintenance only
- Geocoding only for United States-based addresses
- No API-key calls (only app logins or user accounts are acceptable)
As a multitenant Software as a Service (SaaS) offering that is consistent for all customers, Esri does not modify the ArcGIS Online HIPAA BAA for unique customer requirements.
EMCS Advanced Plus
Esri Managed Cloud Services (EMCS) Advanced Plus is a single tenant ArcGIS Enterprise offering through Esri Professional Services. EMCS Advanced Plus offers the ability to negotiate with an organization's BAA terms, but by default also utilizes the Esri HIPAA BAA.
ArcGIS HIPAA FAQ
The following are frequently asked questions regarding ArcGIS and HIPAA:
Can an organization enter into a HIPAA Business Associate Agreement (BAA) with Esri for a specific ArcGIS Online subscription?
Yes. Esri offers qualified companies or their suppliers a BAA that covers HIPAA Eligible ArcGIS Online and/or EMCS Advanced Plus services and associated maintenance. Esri's BAA may be requested through your account manager. This will apply to most public health organizations, hospitals, and health insurance companies; however, U.S. federal agencies and U.S. defense organizations are not qualified for the Esri BAA until ArcGIS Online has a FedRAMP Moderate authorization, which is on the roadmap for 2022.
What services can I use in my ArcGIS Online organization if I have a BAA with Esri?
You can use any ArcGIS Online services designated as part of a HIPAA organization account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA Eligible services defined in the BAA.
Will Esri agree to use my organization's BAA instead?
For ArcGIS Online, no. Esri cannot modify the HIPAA BAA, because ArcGIS Online is a multitenant Software as a Service (SaaS) offering that is consistent for all customers. Esri must follow the same procedures for everyone. To minimize issues, Esri has already reviewed and incorporated input from BAAs of customers and fellow mid-to-large SaaS providers.
EMCS Advanced Plus offers the ability to negotiate with an organization's BAA terms, but by default also utilizes the Esri HIPAA BAA.
If a customer must use their own BAA, or requires significant customization of Esri's BAA, it is recommended that the customer contact the Professional Services team to consider their specialized needs outside of ArcGIS Online, such as with an on-premises or EMCS Advanced Plus deployment of ArcGIS Enterprise.
Does having a BAA with Esri indicate an organization is in alignment with HIPAA and the HITECH Act?
No, not by itself. HIPAA compliance involves several responsibilities for the covered entity (the health organization working with sensitive data). By offering a BAA, Esri helps support your HIPAA compliance, but using Esri services does not on its own achieve compliance. Customers are responsible for ensuring they have an adequate compliance program and internal processes in place, and that their particular use of Esri services aligns with HIPAA and the HITECH Act. It's more than the software and services; it's a holistic process to prevent a privacy breach.
How can an organization assess the risk of its ArcGIS Online configuration?
First, customers can obtain Esri's FedRAMP annual third-party assessment report under a Non-Disclosure Agreement (NDA) or by accessing the FedRAMP authorization packages available at connect.gov. Second, customers can implement security testing under the terms of an Esri Security Assessment Agreement (SAA) to perform technical validation of Esri's offering. Last, Esri has created the ArcGIS Security Advisor tool, which an organization administrator can use to access a red, yellow, and green summary at any time.
What support or maintenance is available with Esri's online BAA?
As a U.S.-based regulatory requirement for electronic protected health information (ePHI), customers signing a BAA will initially use Esri's United States Person-only support. This may be expanded to standard global support in the future based on demand. Under standard conditions, neither operations nor customer support resources view ArcGIS Online customer datasets. If a customer determines they need Esri Support assistance to access, download, or view a dataset related to an ArcGIS Online subscription covered by a BAA, Esri will contact the customer's pre-identified privacy resource for authorization of the access.
What if the services I want are not currently HIPAA Eligible?
Esri will continue to add services that are HIPAA Eligible, and this page will be updated as the list of HIPAA Eligible services increases. It is recommended that customers with immediate service needs that are not HIPAA Eligible use the ArcGIS Enterprise offering to supplement their online service needs.
- Managing GIS Healthcare Information (Public)
- Validate Best Practices with Security Advisor Tool (Public Trust Center Tool)
- Summary of HIPAA Privacy Rule (Public)