Before I begin, I just want to caveat everything with the fact that HIPAA is a complex regulation open to interpretation, and in the end your legal and compliance teams need to be comfortable with how you handle data and the risk associated with those methods. With that being said, I’ve had a lot of experience over the last decade with healthcare companies (payers, providers and life sciences organizations) dealing with HIPAA regulations, and having seen the direction Sitecore has been moving to support healthcare companies, I wanted to share some of that knowledge and information.
Defining Protected Health Information (PHI)
When it comes to evaluating your DXP solutions against HIPAA, how you collect, process, and manage PHI is the central concern. Defining PHI is actually more complex than you may think. The HIPAA privacy rule defines PHI as individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.
But what does identifiable mean? There was debate on whether an IP address was identifiable until HHS made it clear that it was, in a memo published in late 2022 about how website visitor tracking data is to be handled. The other part of the definition is what constitutes “health information.” While there are clear-cut cases, such as visitors filling out forms on your website in which they provide “health information,” there are other cases that are less clear-cut: for example, using the find-a-doctor feature of your site to identify a specialist, or browsing condition- or specialty-related pages on your site.
There is probably not going to be clear-cut guidance from HHS on how to answer these questions, so organizations will be left to evaluate the risk of managing this kind of data themselves. This is why more cautious organizations have removed analytics tracking tools like Google Analytics. But it’s important to realize it’s not just the software we choose that allows us to deliver HIPAA-compliant solutions to patients.
There really isn’t such a thing as HIPAA compliant software.
HIPAA is a set of rules around how to process and deal with sensitive health data. There are plenty of details on how those rules guide organizations on HHS’s website.
While software can help organizations adhere to those rules, it is still up to the organization to put the processes in place to remain HIPAA compliant. Take Sitecore XP as an example. It supports an extensible “Experience Database” component that tracks visits to websites it hosts and allows you to store data you capture from visitors to enable personalization. While Sitecore XP provides the capability to manage and secure that data, it is up to the organization using that software to do it properly using the available tooling and configuration as well as putting the necessary processes in place to manage that data in order to be HIPAA compliant.
Things get more complicated when you have partners or vendors with access to systems that manage health data. This is when you need to ensure you have a Business Associate Agreement (BAA) in place. The BAA provides assurances that the “associate” organization will protect the PHI of your patients, and through it you require them to take specific actions and restrict how they may use or disclose PHI. Perficient typically signs BAAs with clients where the project work will give them access to such data as part of a project delivery.
Sitecore’s Platform DXP offerings, including Sitecore XP, are installed software, meaning you take Sitecore’s software and install it on your servers. Those servers could be on premises (in your own network) or in the cloud, but Sitecore never has access to your environments or your data. This means you do not need a business associate agreement (BAA) with Sitecore, since they don’t have access to your data.
The Sitecore Managed Cloud offering consists of the Platform DXP offering deployed to a dedicated Azure subscription that is managed by Sitecore. Because Sitecore actively manages the environment, they have access to the underlying data in the system. If you are using Sitecore to store or manage health data, Managed Cloud is probably not going to meet your needs, as Sitecore does not sign BAAs for its Managed Cloud offering. There was a time a couple of years ago when Sitecore was moving toward supporting this, but as it began to pivot to focus on its composable SaaS offerings, it became clear that this was not a focus for them.
Sitecore’s SaaS Offerings
Because Sitecore’s composable solutions are all delivered in a SaaS model, using them to manage any protected health information would require Sitecore to sign a BAA. The good news is that Sitecore has indicated that it will soon support healthcare customers by signing BAAs around some of their offerings, namely Sitecore Personalize and CDP starting in July 2024 and XM Cloud by the end of the year. Not only has this been communicated from a general Sitecore perspective, but we have clients who have signed agreements with Sitecore to have them enact a BAA for these products within these timelines.
The relationship between XM Cloud and Sitecore CDP and Personalize makes the timing of this support really interesting. XM Cloud includes a “light” version of Sitecore Personalize to support its page-level personalization and analytics capabilities. As a matter of fact, if a client has a license to the full versions of Sitecore Personalize and CDP, they can use the same conditions and segments they define in Personalize as XM Cloud personalization rules. They can even view their XM Cloud personalization experiences and analytics directly in Sitecore Personalize and CDP. This is because under the covers it is actually using the same instance.
Given this relationship between the products, if you have a license for Sitecore Personalize and a BAA in place with Sitecore in July, you should be covered with your XM Cloud solution, because the rest of XM Cloud only deals with content management and should not house any data that could be classified as “protected health information.” To illustrate this, I put together the following diagram:
With a BAA on Sitecore Personalize that covers the use of those related features in XM Cloud, healthcare organizations can target going live on the platform starting on July 1st. All other data is managed in SaaS services that do not house or touch any protected health data.
You’ll also note that “Vercel” is depicted in the diagram. This is an important consideration, as your front-end application is what serves the experience to your users, and data typically flows through the front-end application, including any logged visitor activity in the form of IP addresses and pages visited. Vercel has indicated that it will start signing BAAs as early as March of this year. I have heard similarly that Netlify is also open to signing BAAs, giving us multiple options for hosting our front-end applications within a headless architecture.
Beyond XM Cloud and Sitecore Personalize
It’s important to note that there are other products that you may need to drive your digital experiences, and Sitecore has nine other SaaS products which probably won’t support a BAA any time soon. Search is probably the most glaring gap, as most sites will require search capabilities as part of the experiences they deliver. While there are several options, we have a ton of experience with Coveo, which signs BAAs and even has a HIPAA version of their platform.
As mentioned earlier, software alone does not make you HIPAA compliant. Having a BAA in place with vendors that manage that software does not make you HIPAA compliant either. But with these tools and agreements, you can implement HIPAA-compliant solutions for your patients. Don’t forget to fully take into consideration how you manage protected health information across your solution. Think through how you manage identity and access, how APIs are secured and all the tertiary use cases that can expose data and create vulnerabilities. Do not take it for granted that because the software can be used in a compliant way, it will prevent you from using it incorrectly.
Perficient is here for you
At the time of this writing (January 2024), Sitecore has a clear path to supporting healthcare organizations interested in using their flagship DXP solution, including XM Cloud, Sitecore Personalize and Sitecore CDP. These tools can help drive future-proof, rich experiences across multiple channels while protecting the data you need to drive those experiences.