HIPAA readiness on Adobe Commerce

Adobe Commerce HIPAA-Ready

The Adobe Commerce HIPAA-Ready extension adds additional features and functionalities to Adobe Commerce installations that allow merchants to comply with their respective HIPAA obligations.

The Adobe Commerce HIPAA-Ready extension, magento/hipaa-ee is available for Adobe Commerce on cloud infrastructure or Adobe Managed Services projects. The Adobe Commerce HIPAA-Ready installation process disables some native services and features to comply with HIPAA requirements. See Disabled services and features.

These materials are intended for informational purposes only. Provision of this information does not entitle the recipient to any contractual or other rights. While efforts have been made to assure the accuracy of the information as of the date it has been provided, no representation is made that such information is accurate and complete. Adobe undertakes no obligation to update this information as the law or Adobe’s products change. Also, this document is not to be distributed to any party other than the intended recipient without written consent from Adobe.

System requirements

The following table shows the compatibility between versions of Adobe Commerce and the HIPAA-ready extension:

Installation

Prerequisite

Install the latest version of Adobe’s HIPAA-Ready Services extension (magento/hipaa-ee) on an instance that is running Adobe Commerce version 2.4.7-p5 or 2.4.6-p3 through 2.4.6-p8. The extension is delivered as a composer metapackage from the repo.magento.com repository. The metapackage includes the collection of modules that enable the HIPAA capabilities for an Adobe Commerce instance.

1. On your local workstation, change to the project directory for your Adobe Commerce on cloud infrastructure project.

   NOTE

   For information about managing Commerce project environments locally, see Managing branches with the CLI in the Adobe Commerce on Cloud Infrastructure User Guide.

2. Checkout the environment branch to update using the Adobe Commerce Cloud CLI.

   magento-cloud environment:checkout <environment-id>
   

3. Add the metapackage magento/hipaa-ee to the composer configuration using the composer CLI.

   composer require "magento/hipaa-ee" --no-update
   

4. Update package dependencies.

   composer update "magento/hipaa-ee"
   

5. Add, commit, and push the updated code to the cloud environment.

   git add -A
   git commit -m "Add HIPAA-Ready Services modules"
   git push origin <branch-name>
   

   Pushing the updates initiates the Commerce cloud deployment process to apply the changes. Check the deployment status from the deploy log.

Verify installation

After the updates are deployed, verify that the Hipaa* extensiion is installed

1. Use SSH to log in to the remote cloud environment.

   magento-cloud ssh
   

2. From the command line, use the Adobe Commerce CLI to check the module status.

   bin/magento module:status
   

3. Verify that the HIPAA modules are included in the list of enabled modules:

   List of enabled modules:
   <truncated for brevity>
   Magento_HipaaAnalytics
   Magento_HipaaCheckout
   Magento_HipaaLogging
   Magento_HipaaScheduledImportExport
   Magento_HipaaAdminLogging
   Magento_HipaaCustomerLogging
   Magento_HipaaNewsletter
   Magento_HipaaImportExport
   Magento_HipaaApiLogging
   Magento_HipaaSales
   Magento_HipaaCustomer
   <truncated for brevity>
   

   All modules prefixed with Magento_Hipaa must be in the enabled modules section.

Feature enhancements for HIPAA-readiness

The magento/hipaa-ee extension introduces some changes and enhancements to the base Commerce product. The following sections provide details about these changes and how they alter the base product.

Action Logs

Audit Logging is a HIPAA requirement. In Adobe Commerce, the Action Logs feature records every change made by an Admin user who works in your store. To meet HIPAA requirements for the Audit Log, the feature has been updated to record all Admin user and customer actions performed through the Admin UI and through API calls.

Action Logs also capture events when Adobe services access your store data. You can identify these events by filtering on the “Data Sent Outside” Action in the Action Logs report.

Action Logs report

The Action Logs report grid (System > Action Logs > Report) is modified to accommodate customer actions performed through the Admin UI and API.

1. Added two columns:

   • Source: Displays where the action was performed.
     Values: Admin UI / Customer UI / REST API / SOAP API / GraphQL API
   • Client Type: Displays the client type.
     Values: Customer | Admin | Integration

2. Renamed the Username colunn to Client Identifier

   • Client Identifier: Displays the login ID for the user who performed the action.
     Values:
     • an email if Client Type is Customer
     • a username if Client Type is Admin
     • a name if Client Type is Integration

3. Renamed the Full Action Name column to Target

   • Target: Displays the action name.
     Values:
     • an endpoint if Source is a REST API or SOAP API
     • a query or mutation name if a GraphQL API
     • an action name if an Admin UI or Customer UI.

Configure Admin actions for logging

This feature is not available because all actions must be recorded by default.

HIPAA Customer Search Results Restriction

The HIPAA Customer Search Results Restriction functionality in Adobe Commerce ensures compliance with HIPAA regulations by limiting access to Protected Health Information (PHI) and Personally Identifiable Information (PII). This feature restricts the ability to search and view customer records based on user roles, ensuring that only authorized users can access this information.

Key Features

• Search Restrictions: Users without the necessary roles cannot search for or view customer records.
• Mandatory Search for Access: Unlike the default Adobe Commerce behavior, it is not possible to see customer information without performing a search. This ensures that users must know specific details about a customer to locate their information.
• Limited Search Results: Search results matching the criteria are limited to 10 records, ensuring that only a manageable number of records are displayed at a time.
• Minimum Number of Filters: Users must apply a minimum of three filters (e.g., email, lastname, and state) to perform a search, ensuring that searches are specific and targeted.
• Filter Notifications: When search restrictions are enabled, users are notified to apply filters to refine their search results.

Configuration

The configuration for limiting the number of customers in the search results is located in the admin panel under Stores > Configuration > Advanced > Admin > Admin Grids. This configuration is enabled by default when the hipaa-ee extension is installed.

• Limit Number of Customers in Grid: This setting allows you to enable or disable the limitation on the number of customers displayed in the grid search results.
• Customer Grid Search Result Limit: This setting specifies the maximum number of customer records that can be displayed in the grid search results.

Affected Functional Areas

Customer grids on the Admin Create Order page (Sales > Orders > Create New Order) and Customers page (Customers > All Customers) are affected by the search results restriction functionality.

• Filters are opened by default.
• Users must apply a minimum of three filters to perform a search.
• Search results are limited to 10 records by default.
• If there are more records matching the search criteria, notifications will inform users about the result limit and the need to refine their search.
• Grid pagination is not available.
• Previous search results and filters applied are not saved when navigating away from the page.

The search results restriction functionality also applies to the REST API for customer search (/V1/customers/search).

• Without filters applied or with insufficient filters, the API returns an error message indicating that the required number of filters are needed to perform a search.
• When sufficient filters are applied by authorized users, the API returns results within the specified limit.
• When results are limited, a message is added to the response indicating the total number of records found and the current applied limit.

Import and export features

Enhancements to import and export features are focused on improving the administrative experience and providing better visibility into user actions.

Administrative action logging

One of the key improvements within the import and export features is the enhanced logging of administrative actions. This enhancement introduces the capability to delve deeper into activities associated with data import and export, contributing to improved tracking and auditability. The following actions are now logged and reflected in the System > Action Logs > Report grid:

Display enhancements and improved filtering and sorting

To empower Admin users with more informative grids, the HIPAA-Ready service provides several enhancements to display, filter, and sort data.

Import history (System > Data Transfer > Import History)

• Enabled filtering for all columns except for Imported File, Error File, Execution Time, and Summary.

Export (System > Data Transfer > Export)

• Added an ID column.
• Added a Requested At column (date and time when export was requested).
• Added a User column (username of an admin who did the request).
• Removed an Action column.
• Moved the Download link to a File name column (like the Import History grid).
• Disabled the action responsible for deletion of an exported file (to improve tracking).
• Enabled sorting for all columns except File name.
• Enabled filtering for all columns.

Scheduled imports and exports (System > Data Transfer > Scheduled Import/Export)

• Added an ID column.
• Added a Scheduled At column (the date and time when the import or export was scheduled).
• Added a User column (the username of an Admin user who scheduled the import or export).

HIPAA-ready services and tools

This section describes HIPAA-ready Adobe services that are available to use with the HIPAA offering for Adobe Commerce. It also describes tools that you can use to help monitor key security and compliance controls for your store.

Adobe Commerce Services

The following table identifies Adobe Commerce services that are available for the HIPAA-readiness offering. These services include, but are not limited to:

Tools

The Security Scan Tool for Adobe Commerce helps you monitor your store to ensure that all required security controls are enabled and operational. In addition to the standard security checks, Adobe has enhanced the tool to display HIPAA-specific checks for customers using the HIPAA offering for Adobe Commerce. The HIPAA checks in the Security Scan Tool are designed to ensure that:

• Auditing modules are not disabled
• Two-factor authentication (2FA) is not disabled
• Marketing features are disabled
• All installed extensions match a predefined allowlist
• No unsupported Adobe services are installed

You can configure the tool to send you email notifications with details from scheduled scans or manually view reports.

Disabled features

To comply with HIPAA requirements, some features supported by Adobe Commerce are either not available or disabled by default. Merchants have the option to re-enable or use these features at their own risk.

The following features are disabled by default in the HIPAA-readiness module. Merchants can enable any of these features at their own risk.

• Transactional email—SendGrid is disabled by default because the service is non-HIPAA-ready. Adobe Commerce provides an integration option that you can use with your own AWS Simple Email Service account. Contact your Customer Technical Account Manager or Adobe Commerce Support for configuration details.

• Guest checkout—This feature presents a potential risk for various aspects of HIPAA including logging, access control, PHI hygiene and lineage, and potentially more.

• Newsletter feature—This feature is disabled to prevent PHI being used in a marketing context.

• Advanced Reporting service setting—This configuration setting is disabled to prevent PHI from being used for analysis and reporting.