Is it HIPAA Compliant to Use Marketo?

It is HIPAA compliant to use Marketo Engage to create, collect, maintain, and transmit Protected Health Information (PHI) if the automated marketing platform is part of an Experience Cloud for Healthcare subscription, if the subscription is supported by a Business Associate Agreement with Adobe, and if Marketo Engage is configured to comply with the appropriate Security Rule safeguards. Even when these conditions are met, it may also be necessary to ensure staff are HIPAA compliant to use Marketo Engage.

Adobe Marketo Engage is an automated marketing platform that can “engage consumers with highly personalized digital experiences that empower them to actively manage their health and wellness”. To achieve these objectives, it is necessary for covered entities to be HIPAA compliant to use Marketo Engage and enter into a Business Associate Agreement with Adobe before using the automated marketing platform to create, collect, maintain, or transmit PHI.

Will Adobe Enter Into a Business Associate Agreement?

Adobe will enter into a Business Associate Agreement making it HIPAA compliant to use Marketo Engage, but only with covered entities and business associates that subscribe to the Experience Cloud for Healthcare. This is because the “HIPAA-Ready Services” offered on the Experience Cloud for Healthcare – which include Marketo Engage – have the security measures in place and the capabilities to support HIPAA compliance.

However, rather than agreeing to each individual customer’s Business Associate Agreement, Adobe has a “one-size-fits-all” Agreement with standard terms and responsibilities for all customers. This is not unique among large software providers (AWS, Microsoft, and Google do the same), but it is important that covered entities and business associates review and understand the terms of Adobe’s Business Associate Agreement.

Configuring Marketo Engage to be HIPAA Compliant

Although the Marketo Engage platform has the security measures in place and the capabilities to support HIPAA compliance, it is still necessary to configure the measures and capabilities to be HIPAA compliant. For most organizations, this will mean setting up access controls, automatic logoff, and data backups. If the Marketo Engage platform is deployed as a standalone marketing solution that sends PHI to other internal systems, it may also be necessary to configure encryption controls.

Adobe provides an implementation guide to help organizations configure the platform to be HIPAA compliant, but covered entities are advised to conduct risk assessments before deploying Marketo Engage to identify potential vulnerabilities or threats to the confidentiality, integrity, or availability of PHI. Depending on the purposes the platform is going to be used for, it may be necessary to subscribe to Marketo Engage add-ons or additional Adobe compliance services.

Ensure Staff are HIPAA Compliant to use Marketo Engage

As mentioned in the introduction, even when the above conditions are met, it may also be necessary to ensure staff are HIPAA compliant to use Marketo Engage. This is because marketing campaigns must comply not only with the Security Rule, but also with the Privacy Rule if an organization is going to disclose PHI in a marketing campaign.

The Privacy Rule prohibits disclosures of PHI in marketing campaigns except when the disclosure is authorized by the subject of the PHI or the marketing campaign fulfils the definition of an exempted activity in §164.501. There are also exemptions to the marketing standards when post-marketing surveillance is conducted in relation to an FDA-regulated product or activity.

To ensure staff are HIPAA compliant to use Marketo Engage, it is advisable to provide additional HIPAA training to users. In this regard, if any covered entities or business associates are unclear on the HIPAA marketing standards – or require any further assistance with regards to making Marketo Engage HIPAA compliant – it is recommended you speak with an independent compliance professional.

Author: Maria Perez