Choosing a HIPAA Compliant DXP or CMS

written by Steve Sobenko


August 2025

We have been building digital marketing solutions for healthcare organizations for 3 decades. Over this time, the advice around personal data was pretty cut and dried: simply listen to the lawyers and stay as far away from any PHI or PII as possible. Blanket statement: no. It was radioactive. Easy enough. Easy kept you safe. Easy was comfortable. Easy also meant you had no data, no insights, nothing. It also meant leaving revenue, patient acquisition, engagement, and marketing opportunities on the table.

Then your competitors started doing it, and we were helping them.

So the game has changed, but your lawyer's answers have not. Patients expect personalized experiences. Are other healthcare and hospital systems already doing it? Yes, and the smart ones are doing it responsibly, with compliance baked into their solutions and without a huge headache. That is the difference between playing defense and actually growing. We are helping healthcare brands make that shift. Here is how.

HIPAA and BAA

Healthcare digital experiences live under different rules than most other industries. Regulations like HIPAA change how we think about platforms, data, and compliance. Picking the right CMS or DXP is not only about performance or personalization. It is about protecting patient information and making sure you have the right contractual safeguards in place.

That is where the Business Associate Agreement comes in. Without a signed BAA, you cannot be confident that your vendor is ready to handle PHI, even if their technology claims to be secure.

The Shortlist of HIPAA Ready DXPs

Nishtech specializes in DXP evaluations and recommendations (link). When it comes to healthcare, there are two giant checkboxes that need to be checked: Is the platform HIPAA Ready? Will the platform vendor sign a BAA? We have done the homework for you. We have experience with every platform in the latest Gartner Magic Quadrant for Digital Experience Platforms and have narrowed the field to vendors that publicly state HIPAA readiness and also provide a BAA.

Here is the shortlist.

Adobe Experience Cloud
Adobe offers a set of HIPAA Ready services, including AEM Managed Services, AEM as a Cloud Service, Adobe Commerce with healthcare add-ons, Real-Time CDP, Marketo Engage, and Workfront. For these services, Adobe will execute a BAA with covered entities. Adobe HIPAA Ready

Optimizely
Optimizely has designated its CMS and experimentation services as HIPAA Ready. The company supports healthcare organizations as a Business Associate and will sign a BAA. Optimizely Compliance

Acquia
Acquia offers a HIPAA program for Acquia Cloud Platform Enterprise. This includes the technical safeguards required under HIPAA and the company will execute a BAA as part of the offering. Acquia HIPAA

Sitecore
Sitecore has extended HIPAA compliance to several of its composable products, including XM Cloud, Content Hub, CDP, and Personalize. For these, Sitecore will act as a Business Associate and sign a BAA. Sitecore HIPAA Readiness

Progress Sitefinity Cloud
Sitefinity Cloud is marketed as HIPAA compliant and Progress will provide a BAA. This makes it a strong option for healthcare organizations that want a mid-market platform. Progress Sitefinity Compliance

There are of course others, but we narrowed this article down to the Gartner MQ platforms.

DXPs Without Public HIPAA / BAA Confirmation

  • Contentful – No HIPAA program and support docs state they do not sign BAAs.
  • Contentstack – No public HIPAA statement or BAA commitments available.
  • Magnolia – No HIPAA readiness information or BAA references.
  • CoreMedia – No published HIPAA compliance or BAA offering.
  • Kentico – Mentions HIPAA conceptually in marketing, but no formal HIPAA program or BAA available.
  • Builder.io – No HIPAA or BAA documentation.
  • Uniform – No HIPAA or BAA information found.
  • Pimcore – Claims support for HIPAA compliance in enterprise, but no clear BAA commitment published.
  • HCLSoftware (DX) – Notes general security assessments, but no explicit HIPAA program or BAA reference.
  • Liferay – No explicit HIPAA statement or BAA availability.
  • OpenText Experience Cloud – HIPAA language appears in healthcare solution marketing, but no formal HIPAA Ready list or BAA documentation verified.
  • Squiz DXP – States explicitly it is not HIPAA accredited.

Why the BAA is Critical

A platform can call itself HIPAA compliant, but without a signed BAA you are exposed. The BAA is what holds your vendor accountable for safeguards, breach notification, subcontractor compliance, and data handling. It makes HIPAA compliance enforceable.

When evaluating platforms, do not stop at the marketing site; that is just content, just brochureware. Confirm that the specific services you are purchasing are listed as HIPAA Ready and that the BAA language covers them. This is not a formality. It is your best protection.

What This Means for Healthcare Leaders

If you are evaluating DXPs or CMS platforms, start by asking two simple questions.

  1. Is your platform officially HIPAA Ready?
  2. Will the vendor sign a BAA?

If the answer is yes to both, then we have answered your biggest question: where do you start?

The shortlist is clear. Adobe, Optimizely, Acquia, Sitecore, and Sitefinity Cloud have invested in HIPAA readiness and will contractually stand behind it.

Other vendors may say they can operate in healthcare environments, but without public commitments and a BAA, it is not worth the risk.

Now let’s talk about your other questions...

Healthcare digital strategy requires more than great design or personalization. It requires a foundation of compliance. The right platform will give you both. Pick from the vendors that will sign a BAA and you will be able to build confidently, knowing that your digital experiences protect patients as well as engage them.


Steve Sobenko

Steve is a seasoned technology professional with over 20 years of experience leading cross-functional teams and delivering enterprise web solutions. With expertise in front-end and back-end development, cloud computing, security, and analytics, he’s been at the forefront of digital transformation since the early days of the web. Steve is passionate about helping clients achieve their business goals through innovative, scalable technology solutions.
