This information is intended to help Adobe customers answer their questions regarding Adobe’s HIPAA-Ready Services. It does not constitute legal advice. Merchants should consult with their own legal counsel to understand their obligations under HIPAA and the appropriate use and configuration of Adobe’s products.
The Health Insurance Portability and Accountability Act (HIPAA) is the key federal healthcare privacy law in the United States and is enforced by the U.S. Department of Health and Human Services (HHS). HIPAA applies to Covered Entities (such as healthcare providers, insurers, and clearinghouses) and Business Associates (such as those entities that provide services to covered entities). HIPAA requirements are set across three separate rules: Privacy Rule, Security Rule, and Breach Notification Rule. Adobe acts as a Business Associate for certain products, which Adobe classifies as “HIPAA-Ready Services.” Data regulated under HIPAA is referred to as Protected Health Information or PHI. PHI is a subset of health information that (1) is created or received by a healthcare provider, health plan, or healthcare clearinghouse, (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual, and (3) identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. The HIPAA Privacy and Security Rules require that a Covered Entity obtain written assurances from a Business Associate in the form of a Business Associate Agreement, or BAA, requiring the Business Associate to safeguard the privacy and security of the Covered Entityʼs PHI.
Adobe Commerce HIPAA-Ready has additional features and functionalities that allow merchants to comply with their respective HIPAA obligations. You can install the Adobe Commerce HIPAA-Ready (
magento/hipaa-ee) module to your Adobe Commerce on cloud infrastructure. There are also some features that must be disabled to be compliant with HIPAA.
These materials are intended for informational purposes only. Provision of this information does not entitle the recipient to
any contractual or other rights. While efforts have been made to assure the accuracy of the information as of the
date it has been provided, no representation is made that such information is accurate and complete, and Adobe undertakes no
obligation to update this information as the law or Adobe’s products change. Also, this document is not to be distributed to
any party other than the intended recipient without written consent from Adobe.
HIPAA-readiness on Adobe Commerce has the same system requirements as Adobe Commerce with the additional requirements:
Adobe’s HIPAA-Ready Services is technically a composer metapackage
magento/hipaa-ee that contains links to special modules. This metapackage resides in the repository repo.magento.com.
To be able to install
magento/hipaa-ee metapackage, you must have access to it. For key generation and obtaining the necessary rights, refer to Get your authentication keys.
Check the environment where you will install the package and make sure that it meets the general system requirements.
Add the metapackage
magento/hipaa-ee to the composer configuration.
The simplest way is by using the composer CLI. For example:
composer require magento/hipaa-ee
If Adobe Commerce is not yet installed, you can start the installation (follow the Installation instructions).
If Adobe Commerce is already installed, then after downloading modules, run
bin/magento setup:upgrade command and then follow the recommendations.
When this command is running, the newly downloaded modules are enabled, and the scripts to install them are launched. To learn more about module management, see Enable or disable modules.
After the installation or updating process is finished, you should check whether the
Hipaa* relevant modules have been included.
Run the command:
If the HIPAA composer package was added correctly, you see the HIPAA modules in the output of the command. For example:
List of enabled modules:
<truncated for brevity>
<truncated for brevity>
All modules prefixed with
Magento_Hipaa must be in the enabled modules section.
magento/hipaa-ee package introduces some changes and enhancements to the base Commerce product. The following sections provide details about these changes and how they alter the base product.
Audit Logging is a HIPAA requirement. In Adobe Commerce, the Action Logs feature records every change made by an Admin user who works in your store. To meet HIPAA requirements about Audit Log, there are changes to the feature to record all Admin user and customer actions performed through the Admin UI and through API calls.
The Action Logs report grid (System > Action Logs > Report) is modified to accommodate customer actions performed through the Admin UI and API.
Two additional columns:
Admin UI /
Customer UI /
REST API /
SOAP API /
Rename Username to Client Identifier
Rename Full Action Name to Target
This feature is not available because all actions must be recorded by default.
Enhancements to import/export features are focused on improving the administrative experience and providing better visibility into user actions.
These enhancements do not alter Import/Export core logic; rather, they extend the functionality to offer more comprehensive logging and improved data attribution. The fundamental functionality of import/export remains unchanged. Users can continue to use the existing features and workflows without any disruption.
One of the key improvements within the import/export features is the enhanced logging of administrative actions. This introduces the capability to delve deeper into activities associated with data import/export, contributing to improved tracking and auditability. The following actions are now logged and reflected in the System > Action Logs > Report grid:
To empower Admin users with more informative grids, there are several enhancements to the display of data and filtering and sorting capabilities:
None of the SaaS services offered for Adobe Commerce are available under the HIPAA-readiness offering. This includes, but is not limited to:
The Advanced Reporting service setting is disabled by default to prevent PHI from being used for analysis and reporting, but can be enabled by the merchant at their own risk.