3 Replies Latest reply on Jun 27, 2013 10:52 AM by Genevieve Laroche

    HIPAA Compliance and Data Encryption in FormsCentral


      So in trying to understand the HIPAA compliance (non-compliance) of Adobe FormsCentral – let me see if I can get this straight.


      Someone else in a discussion thread asked ‘what is it that makes FormsCentral NOT HIPAA compliant?’ – this was not answered.


      1. For Adobe to have made that assessment/call – there must have been an analysis done by Adobe staff to determine that status.


      Q: Could someone please provide a better response (the analysis checklist perhaps?) to this other than referring to your security document. (http://forums.adobe.com/docs/DOC-1384)



      2. My (brief) research on HIPAA compliance led me to the following 2 websites (that were most relevant.. a summary and the actual HIPAA regulator (US Dept of Health).


      ( http://www.onlinetech.com/compliant-hosting/hipaa-compliant-hosting/resources/what-is-hipa a-compliance


      http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html )


      As far as I can see from ‘onlinetech.com’ summary the most important/relevant parts relate to


      “…a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place…” “…with physical and technical the most relevant..”


      Q: Which part does Adobe FormsCentral as a hosting provider not meet?



      3. Another item in a previous discussion thread stated “I know that the data transmission (from FormsCentral) is encrypted”…


      Q: where is this highlighted in Adobe’s documentation? And is this the case?



      4. All the above answers may render my next questions irrelevant – but here goes:


      Assuming the agency using the Adobe FormsCentral product/hosting is HIPAA compliant. (ie they have all the internal administrative, technical and physical security requirements and good practices of secure login/passwords etc..


      Q: Then all the agency would need to do is ensure that the data is removed from the Adobe FormsCentral servers?

        • 1. Re: HIPAA Compliance and Data Encryption in FormsCentral
          Genevieve Laroche Adobe Employee

          It is our understanding that an online survey tool cannot be “HIPAA compliant” as there are no compliance or certifying agencies which approve and “certify” software solutions. We try to follow best security practices with all personal and confidential information.


          I will try to get a better answer for you but in the mean time if you have any specific requests regarding how we can follow HIPAA best practices, please let us know, as we’re not experts in this area.



          • 2. Re: HIPAA Compliance and Data Encryption in FormsCentral
            LegendSupport Level 1

            Thanks Genevieve


            I do hope you can obtain some better answers soon - it woud help our assessment enormously (I see this query has generated over 100 views.. I imagine it's on a few people's requirements lists).


            Clarification - my query is not about the 'tool/software' itself, but more in relation to the platform/hosting... predominantly this issue relates to the security and privacy of DATA.. patient data...


            I would appreciate responses to each of my 4 questions, but, if Q3 is addressed firstly, that would also help greatly.


            Look forward to hearing from Adobe soon.


            Kind regards

            • 3. Re: HIPAA Compliance and Data Encryption in FormsCentral
              Genevieve Laroche Adobe Employee

              The HIPAA Security Rule is a standard designed to protect patient information in the electric age. FormsCentral is a service that is designed to create and provide web based forms for business and casual users to present to the public. As such, Adobe has taken "reasonable" precautions against data piracy, but these are at a business level and not meant to be utilized in a regulated industry, and as noted before, it is not intended for use with personally identifiable or confidential information. For example while forms can be created and presented over HTTPS, they can also be created and shared via unsecured HTTP, where none of the data in transit would be encrypted. Also, the form results can be aggregated into a document/spreadsheet and not only are all of the results in clear text, but the results document could be shared with anyone as there are no controls placed on it.  Similarly, FormsCentral does not have a role based access schema and form field controls, so a form could be created that asks for Personal Information and there would be no security controls around securing, encrypting or limiting that data. So again, while Adobe Forms Central performs above and beyond when looking at it from a standard business context, there are aspects that are not in line with HIPAA security standards.