HIPAA compliance is subject to additional terms and pricing.


HIPAA (Health Insurance Portability and Accountability Act) is a federal law in the United States that governs the handling and security of protected health information (PHI). HIPAA applies to covered entities (such as healthcare providers and health plans) and business associates, who handle PHI on their behalf. Covered entities and business associates must sign a business associate agreement (BAA) when sharing PHI, ensuring compliance with HIPAA regulations.

While there's no formal HIPAA certification, organizations must implement safeguards to process PHI according to their role and risk level. commercetools can act as a business associate to covered entities or other business associates once a BAA is in place.

commercetools ensures HIPAA compliance through several measures:

  • Third-party security risk assessments, including a formal external audit for HIPAA compliance, SOC 2 Type 2, HDS certification, Cyber Essentials, and TISAX Level 2.
  • Following established frameworks and standards such as HITRUST CSF, NIST 800-30 Rev 1, and an ISO 27001 certified information security management system.
  • Direct alignment with the guidance set by the United States Department of Health and Human Services Office for Civil Rights.
  • Technical, administrative, and physical controls that employ the principle of minimum necessary authorization and access to systems and data.
  • Requiring all employees to complete HIPAA and HDS training with a mandatory test.


HIPAA compliance can be activated for production Projects in the North America - Google Cloud, Iowa Region. PHI can be processed using features that are in general availability in the following Composable Commerce APIs, in both REST and GraphQL formats:

Submit a HIPAA compliance request

To begin processing PHI data, follow these steps:

  1. Contact your commercetools representative to establish a formal BAA with commercetools. You must agree to the conditions outlined in the Acceptable Use Policy and any other necessary contractual agreements.

  2. Submit a support ticket to request approval and initiate the migration of your Project. Migration involves transferring the Project's data to a specialized database segment, typically completed within 1 to 5 days.

Acceptable Use Policy

The commercetools HIPAA Acceptable Use Policy applies to all transmission of PHI to commercetools Composable Commerce (also referred to in this Acceptable Use Policy as the "Service").

Capitalized terms not defined herein are used as defined in the Business Associate Agreement, the Master Service Agreement, and the Order Form.

The Customer is fully responsible for their compliance with HIPAA and ensuring that PHI data is processed in compliance with the BAA and Acceptable Use Policy established with commercetools.

PHI transmitted to the commercetools Service by Customer in strict compliance with this policy and the limitations it imposes is permitted, and the definition of Prohibited Data as defined in the Master Service Agreement is adjusted accordingly.

  1. Customer must transmit PHI to Composable Commerce to the following APIs only: Business Units, Carts, Custom Objects, Customers, Discount Codes, Orders, Payments, Quotes, Quote Requests, Reviews, Shopping Lists, Staged Quotes.

  2. Customer must not transmit PHI to any other part of the Service, including without limitation:

  3. Customer Projects must be hosted in Google Cloud in the United States Region.

  4. Customer must subscribe to Audit Log Premium.

  5. Customer must not use Me endpoints.

  6. Customer may only transmit PHI to the Service on Projects that have been approved for such use by commercetools.

  7. Customer must not use the Service for time-sensitive lifesaving and safety-related functions, such as providing critical services in an emergency department.

  8. Customer shall have sole responsibility for access to the Service by its employees, contractors, and customers, including establishing access controls and monitoring, as well as for detecting unauthorized access to and snooping on the Service and PHI.

  9. Customer shall not include any PHI in support tickets or other communications with commercetools.

This Acceptable Use Policy may be amended at any time by commercetools unilaterally to maintain regulatory compliance. Any such amendments will be communicated transparently, and commercetools will take commercially reasonable efforts to minimize impact on Customer’s use of the Service.