Is Adobe Scan HIPAA Compliant

Adobe Scan is an app for Android and iOS operating systems that allows users to use a device camera as a document scanner to capture information. The product is efficient and easy to use, but is it HIPAA compliant?

HIPAA Compliance Basics: Is Adobe Scan HIPAA Compliant?

The Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA rules and regulations. Those regulations safeguard every individual’s protected health information (PHI).

HIPAA’s Privacy and Security Rules define the technical and administrative safeguards that govern how PHI is transmitted, stored, received, and maintained. End-users are responsible for ensuring that they are using the platform in a HIPAA-compliant manner.

Healthcare practices and the companies that serve them must fully comply with all HIPAA provisions. HIPAA violations can result in substantial fines and penalties from OCR.  

Security and Privacy: Is Adobe Scan HIPAA Compliant?

Key provisions of the HIPAA regulations require electronic PHI (ePHI) to be protected by 2-factor authentication and access controls. Data should also be encrypted at rest and while being transmitted.

Adobe Scan appears to have outstanding authentication and access controls, and data is encrypted in storage and during transfer. The level of encryption used by Adobe Scan meets the minimum standard of compliance under HIPAA.

Business Associate Agreements: Is Adobe Scan HIPAA Compliant?

All businesses that create, transmit, process, store, receive, or maintain PHI or ePHI must be HIPAA compliant. Any vendors used for those purposes must also be HIPAA compliant. 

In addition, a signed Business Associate Agreement must be in place before PHI or ePHI transfers between organizations. This agreement must clearly state the responsibilities of each company regarding PHI.

Transferring PHI without a BAA is a clear violation of HIPAA. Adobe is considered a business associate, so organizations must have a signed BAA with Adobe to use their services.

Adobe Scan integrates with Adobe Document Cloud. As another article on our blog mentions, Adobe will sign a BAA with Adobe Document Cloud clients, but only for those on an Enterprise Plan.

Final Analysis: Is Adobe Scan HIPAA Compliant?

So, is Adobe Scan HIPAA compliant? The answer is not straightforward. While Adobe is willing to sign a business associate agreement, they only do so for specific products and plan levels. So while some Adobe Cloud products are HIPAA compliant, others are not. 

Additionally, Adobe makes it overly complicated for users to get a BAA. When users asked about an Adobe Sign BAA on its support forum, Adobe responded, “This information can only be shared by Adobe Sign support team via phone or chat. So we request you to please contact Adobe Sign support team by logging into your account. Click on the “?” icon at the upper right corner of the page and refer to your support options.” Adobe users also reported on the forum that upon calling Adobe to request a BAA, they were transferred to several departments and given mixed information on the pricing required to obtain one.

Healthcare organizations that wish to use Adobe’s services in conjunction with PHI must be diligent in ensuring that the product they are using can be HIPAA compliant and that Adobe will sign a BAA with them at their service plan level.

For more information on Adobe and compliance, please click here.

The Adobe website does not explicitly list Adobe Scan as one of the products eligible for a BAA. Because there are other HIPAA-compliant document scanning options in the marketplace, companies that wish to err on the side of caution may want to consider a different product.
