The Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule provides federal protections for personal health information (PHI) held by covered entities and gives patients an array of rights with respect to that information.
HIPAA regulations require that covered entities and their business associates - in this case, Esri when it provides services, including cloud services, to covered entities - enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or Business Associate Addendums (BAAs), clarify and limit how the business associate can handle PHI, and set forth each party's adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act. Once a BAA is in place, ArcGIS Online customers - covered entities - can use its HIPAA Eligible services to process and store PHI.
Currently there is no official certification for HIPAA or HITECH Act compliance. However, the ArcGIS Online services covered by the BAA (HIPAA Eligible Services) have undergone audits by independent auditors for the ArcGIS Online FedRAMP Tailored Low authorization. FedRAMP assessments are based on a review of NIST 800-53 security controls, which align with the HIPAA Security Rule.
ArcGIS Online HIPAA Eligible services
Our initial ArcGIS Online HIPAA Eligible service is our geocoding service, available at geocode.arcgis.com. We will list additional HIPAA Eligible services here as they are validated for alignment based on customer demand. Current restrictions/requirements associated with the HIPAA Eligible geocoding service include:
1) United States Citizen Support Maintenance only
2) Geocoding only for US-based addresses
3) No API-key calls (app logins or user accounts are acceptable)
ArcGIS HIPAA FAQs
Can an organization enter into a HIPAA Business Associate Agreement (BAA) with Esri for a specific ArcGIS Online subscription?
Yes. Esri offers qualified companies or their suppliers a BAA that covers HIPAA Eligible ArcGIS Online services and associated maintenance. Esri's BAA may be requested through your account manager. This applies to most public health organizations, hospitals, and health insurance companies; however, US Federal Agencies and US Defense organizations are not qualified for our BAA until ArcGIS Online has a FedRAMP Moderate authorization, which is on our roadmap for 2022.
What services can I use in my ArcGIS Online organization if I have a BAA with Esri?
Customers can utilize any ArcGIS Online service designated as part of a HIPAA organization account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-Eligible services defined in the BAA.
Will Esri agree to use my organization's BAA instead?
No. Esri cannot modify its HIPAA BAA. Because ArcGIS Online is a multi-tenant Software as a Service (SaaS) offering that is consistent for all customers, we must follow the same procedures for everyone. To minimize issues, we have already reviewed and incorporated input from the BAAs of customers and fellow mid-to-large SaaS providers. If a customer must use their own BAA, or requires significant customization of Esri's BAA, we recommend that the customer engage our Professional Services team to consider their specialized needs outside of ArcGIS Online, such as an on-premises deployment of ArcGIS Enterprise.
Does having a BAA with Esri indicate an organization is in alignment with HIPAA and the HITECH Act?
No - not by itself. HIPAA compliance involves several responsibilities for the covered entity - the health organization working with sensitive data. By offering a BAA, Esri helps support your HIPAA compliance, but using Esri services does not on its own achieve it. Customers are responsible for ensuring they have an adequate compliance program and internal processes in place, and that their particular use of Esri services aligns with HIPAA and the HITECH Act. It is more than software and services; it is a holistic process to prevent a privacy breach.
How can an organization assess the risk of its ArcGIS Online configuration?
First, customers can obtain our annual FedRAMP third-party assessment report under a Non-Disclosure Agreement (NDA). Second, customers can perform security testing under the terms of an Esri Security Assessment Agreement (SAA) to technically validate our offering. Lastly, we have created the ArcGIS Security Advisor tool, which an organization administrator can use at any time to get a red/yellow/green summary of the organization's configuration.
What support/maintenance is available with Esri's Online BAA?
As a US-based regulatory requirement for electronic protected health information (ePHI), customers signing a BAA will initially use our United States Person only Support; this may be expanded to our standard global support in the future, based on demand. Under standard conditions, neither operations nor customer support staff view ArcGIS Online customer datasets. If a customer determines they need Esri Support assistance to access, download, or view a dataset in an ArcGIS Online subscription covered by a BAA, Esri will contact the customer's pre-identified privacy resource to authorize the access.
What if the services I want are not currently HIPAA Eligible?
Esri will continue to add HIPAA Eligible services, and this page will be updated as the list grows. We recommend that customers with immediate needs for services that are not yet HIPAA Eligible use our ArcGIS Enterprise offering to supplement ArcGIS Online.