Skip To Content


HIPAA logo

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides federal protections for personal health information (PHI) held by covered entities and gives patients an array of rights with respect to that information.

HIPAA regulations require that covered entities and their business associates—in this case, Esri when it provides services, including cloud services, to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or Business Associate Agreement (BAAs), clarify and limit how the business associate can handle PHI, and set forth each party's adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act. Once a BAA is in place, ArcGIS Online customers—covered entities—can use its HIPAA Eligible services to process and store PHI.

Currently, there is no official certification for HIPAA or HITECH Act compliance. However, those ArcGIS Online services covered by the BAA (HIPAA Eligible services) have undergone audits conducted by independent auditors for the ArcGIS Online FedRAMP Tailored Low authorization. FedRAMP assessments are based on a review of NIST 800-53 security controls, which align to the HIPAA Security Rule.

HIPAA Eligible services

Esri's initial ArcGIS Online HIPAA Eligible service is specifically its geocoding service, available at Esri will list additional HIPAA Eligible services here as they are validated for alignment based on customer demand. Current restrictions and requirements associated with the HIPAA Eligible geocoding service include United States Citizen Support Maintenance only, Geocoding only for United States-based addresses, and No API-key calls (app logins or user accounts are acceptable).

ArcGIS HIPAA frequently asked questions

The following are frequently asked questions regarding ArcGIS and HIPAA:

Can an organization enter into a HIPAA Business Associate Agreement (BAA) with Esri for a specific ArcGIS Online subscription?

Yes. Esri offers qualified companies or their suppliers a BAA that covers HIPAA Eligible ArcGIS Online services and associated maintenance. Esri's BAA may be requested through your account manager. This will apply to most public health organizations, hospitals, and health insurance companies; however, U.S. federal agencies and U.S. defense organizations are not qualified for the Esri BAA until ArcGIS Online has a FedRAMP Moderate authorization, which is on the roadmap for 2022.

What services can I use in my ArcGIS Online organization if I have a BAA with Esri?

You can use any ArcGIS Online services designated as part of a HIPAA organization account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA Eligible services defined in the BAA.

Will Esri agree to use my organization's BAA instead?

No. Esri cannot modify the HIPAA BAA, because ArcGIS Online is a multitenant Software as a Service (SaaS) offering that is consistent for all customers. Esri must follow the same procedures for everyone. To minimize issues, Esri has already reviewed and incorporated input from BAAs of customers and fellow mid-to-large SaaS providers. If a customer must use their own BAA, or requires significant customization of Esri's BAA, it is recommended that the customer contact the Professional Services team to consider their specialized needs outside of ArcGIS Online, such as with an on-premises deployment of ArcGIS Enterprise.

Does having a BAA with Esri indicate an organization is in alignment with HIPAA and the HITECH Act?

No, not by itself. HIPAA compliance involves several responsibilities for the covered entity—the health organization working with sensitive data. By offering a BAA, Esri helps support your HIPAA compliance, but using Esri services does not on its own achieve compliance. Customers are responsible for ensuring they have an adequate compliance program and internal processes in place, and that their particular use of Esri services aligns with HIPAA and the HITECH Act. It's more than the software and services; it's a holistic process to prevent a privacy breach.

How can an organization assess the risk of its ArcGIS Online configuration?

First, customers can obtain Esri's FedRAMP annual third-party assessment report under a Non-Disclosure Agreement (NDA). Second, customers can implement security testing under the terms of an Esri Security Assessment Agreement (SAA) to perform technical validation of its offering. Last, Esri has created the ArcGIS Security Advisor tool that an organization administrator can use to access a red, yellow, and green summary at any time.

What support or maintenance is available with Esri's online BAA?

As a U.S.-based regulatory requirement for electronic private health information (ePHI), customers signing a BAA will initially use Esri's United States Person-only support. This may be expanded to standard global support in the future based on demand. Under standard conditions, both operations and customer support resources do not view ArcGIS Online customer datasets. If a customer determines they need Esri Support assistance to access, download, or view the dataset related to an ArcGIS Online subscription covered by a BAA, the pre-identified customer privacy resource will be contacted by Esri for authorization of the access.

What if the services I want are not currently HIPAA Eligible?

Esri will continue to add services that are HIPAA Eligible, and this page will be updated as the list of HIPAA Eligible services increases. It is recommended that customers with immediate service needs that are not HIPAA Eligible use the ArcGIS Enterprise offering to supplement their online service needs.