Adobe Journey Optimizer

The Journey Dilemma: Balancing Personalization and Compliance

In healthcare sector, using a customer journey orchestration platform presents a key challenge—how to deliver personalized, engaging experiences while ensuring every touchpoint remains fully HIPAA compliant.

The Reality You Face Daily:

Current Pain Points: - “I can’t use patient diagnosis data in my email campaigns - legal won’t approve it” - “My journey needs clinical data, but marketing team can’t see medical records” - “Every journey takes weeks to get compliance approval” - “I’m afraid to use real patient data for testing and optimization” - “Audit logs are a nightmare - I can’t track who accessed what data when”

What You Actually Need: - Build personalized journeys using sensitive healthcare data safely - Collaborate with clinical teams without exposing restricted information - Get automatic compliance validation as you build - Test journeys with confidence using real data - Generate audit trails automatically for regulatory reviews

How AJO Journey with Adobe Experience Platform Ensure Built-In Compliance

Adobe Journey Optimizer (AJO), powered by Adobe Experience Platform (AEP), features following integrated compliance systems that are automatically applied as you create and manage customer journeys—helping you stay aligned with data usage policies, privacy regulations, and organizational governance standards.

 Field-Level Access Control (FLAC) and Object-Level Access Control (OLAC) protect data while enabling collaboration

1.    Field-Level Access Control (FLAC): See Only What You Need

This feature enables you to set access permissions based on user attributes, allowing you to manage data access for specific teams or user groups. This helps safeguard sensitive digital assets from unauthorized access and enhances the protection of personal data. It is Integrated with Adobe Experience Platform's data governance tools.

Step-by-Step guide:

• We can create a role and link it to specific labels, as illustrated in the image below.

        Permissions > Roles > Create Role > Labels

• These labels can now be applied to XDM fields within a schema, as shown in the image below.

        Schemas > Create Schema > Select XDM field > Apply access and data governance labels

• Now while creating journey, schema field will now only be accessible and usable by users assigned to a role that includes the corresponding label.

Example Use-case:

A healthcare provider wants to orchestrate personalized engagement campaigns for patients, including appointment reminders, wellness content, and chronic care management programs.

They manage large volumes of sensitive patient data—such as health conditions, prescriptions, and insurance details—within Adobe Experience Platform. However, their organization includes multiple departments and regional teams with varying access needs:

• Care Coordinators should only access journey data for patients in their assigned region.
• Marketing Teams can only use non-sensitive attributes like age range, engagement history, and appointment types.
• Clinical Researchers are granted access to anonymized datasets for research purposes.

How FLAC Helps:

With FLAC in AJO, the healthcare provider can:

• Define dynamic access rules based on user roles (e.g., "Care Coordinator", "Marketing Specialist") and attributes like location or department.
• Restrict access to sensitive data such as medical conditions, lab results, or personally identifiable information (PII) only to users who are authorized to handle that data.
• Ensure compliance with HIPAA and internal data governance policies by preventing unauthorized access to protected health information (PHI) during campaign creation or personalization.

For example, if the Marketing Team is building a journey that uses patient fields—either in a personalized message or within a condition expression...

What they see:
patient.profile.firstName → "Mike"
patient.condition.category → "Chronic Disease Management"
patient.medication.adherenceScore → "72%"
patient.preferences.communicationChannel → "Email"

What they DON'T see:
patient.medical.diagnosis → [PROTECTED]
patient.medical.labResults → [PROTECTED]
patient.medical.physicianNotes → [PROTECTED]

2. Object-Level Access Control (OLAC): Journey-Wide Protection

The Object-Level Access Control (OLAC) capability in AJO allows you to define granular permissions over different objects of AJO. It protects sensitive digital assets from unauthorized users

OLAC protects complete journeys while enabling appropriate team collaboration

Step-by-Step guide:

• Assign label to a journey,  as shown in the image below.

        Journeys > Create Journey > Manage Access > Select label

• This journey will then only be accessible to individuals who belong to a group associated with the assigned label.

Example Use-case:

A healthcare organization uses wants to personalized communications for different patient programs (e.g., chronic care management, vaccination reminders, post-discharge follow-ups). These programs are managed by separate regional and functional teams:

• Northeast Region Team manages journeys for patients in New York and surrounding states.
• Southeast Marketing Team runs wellness campaigns for their local clinics.
• National Compliance Team oversees data usage to ensure HIPAA compliance.

Challenge:

All teams operate within the same Adobe Experience Platform instance, but they should not have access to each other’s journeys, segments, or datasets, especially when those contain sensitive medical information.

Without proper object-level control, there's a risk that:

• A Southeast user accidentally edits a Northeast journey.
• Marketing users access clinical datasets not relevant to them.
• Unauthorized users see journeys tied to PHI-based segmentation.

How OLAC Helps:

With Object-Level Access Control (OLAC), the healthcare organization can:

• Assign access labels to objects like journeys, segments, datasets, or schema fields (e.g., "Region: Northeast", "Team: Clinical").
• Restrict visibility and editing rights based on user group assignments and label alignment.
• Ensure that each team only sees and modifies objects relevant to their responsibilities.

3. Data Usage Labeling and Enforcement (DULE): Automatic Policy Protection

What is DULE?

Data Usage Labelling and Enforcement (DULE) is a data governance framework in Adobe Experience Platform (used by AJO) that ensures sensitive data is used appropriately, in compliance with privacy laws and internal policies.

It works by:

1. Labelling data fields with usage restrictions (e.g., "PII", "Sensitive", "Healthcare-Only").
2. Enforcing policies that define what actions users or systems can perform with that labelled data (e.g., "can’t be exported", "only marketing team can use", "can’t be used in email personalization").

It acts as a digital watchdog—automatically preventing inappropriate data use before it happens.

It enables you to manage and enforce data governance policies across your marketing channels by labelling data fields and defining marketing actions for each channel.

After setting up labels and marketing actions, you can create data governance policies that connect these components. For instance, you might establish a policy linking an “ePHI” label to an “email targeting” action, preventing fields marked as “ePHI” from being used in email personalization.

Steps to enforce data governance:

• First create label

      Create Label – Privacy > Policies > Labels > Create label

• Assign label to a XDM schema field

     Schemas > Create Schema > Select XDM field > Apply access and data governance labels

• Create a marketing action

       Create Marketing action - Privacy > Policies > Marketing action> Create marketing action

• Create a data governance policy, Select label and marketing action created in previous step

        Privacy > Policies > Create policy >  Data governance policy

• Now apply this marketing action to channel configuration as shown in below image

      Channels > General settings > Channel configurations

• Now when you will try to use this field in your channel message, you will get a policy violation failure as shown in below image

Example Use-case:

A hospital system is running a campaign to remind diabetes patients about lab appointments. They store sensitive data like medical conditions and test results in Adobe Experience Platform.

Challenge:
The marketing team must not use Protected Health Information (PHI) in personalized email content.

DULE Solution:

• Fields like diagnosis, lab_results, and insurance_number are labeled as “Sensitive: PHI”.
• A DULE policy blocks use of these labels in email personalization.
• When a marketer tries to personalize an email using diagnosis, the system automatically blocks the action and shows a warning.

Result: Compliance with HIPAA; no risk of exposing PHI in public channels.

Conclusion: Transform Compliance from Barrier to Competitive Advantage 

The healthcare industry stands at a pivotal moment. Patient expectations for personalized, digital-first experiences continue to rise, while regulatory scrutiny and privacy concerns intensify. Adobe Journey Optimizer doesn’t just solve this challenge—it transforms it into your competitive advantage. 

What You’ve Gained: 

Confidence in Compliance: With FLAC, OLAC, and DULE working automatically, you can build personalized patient journeys knowing that every touchpoint is HIPAA-compliant by design. 

Speed to Market: No more weeks waiting for legal approval. Your journeys are validated in real-time, allowing you to respond quickly to patient needs and market opportunities. 

Seamless Collaboration: Marketing teams, clinical staff, and compliance officers can work together efficiently, each seeing only the data they need while maintaining complete security. 

Your Next Step: 

The question isn’t whether you can afford to implement HIPAA-compliant journey orchestration—it’s whether you can afford not to.  

Ready to stop choosing? Adobe Journey Optimizer’s built-in compliance features turn regulatory requirements from roadblocks into stepping stones toward exceptional patient engagement. 

Start building HIPAA-compliant journeys today. Your patients deserve personalized care, and your organization deserves compliance confidence. With AJO Journey, you don’t have to choose.