HIPAA Compliance in the World of Salesforce
Salesforce is a leading platform in the field of customer relationship management, making it an invaluable tool for many industries and organizations.
03:55 17 December 2024
Because Salesforce is used across so many industries, it is regularly pulled into the compliance regimes that apply to its customers, including GDPR, SOX and PCI DSS. HIPAA is another such framework, and it is the focus of this article.
HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996. Its Privacy Rule and Security Rule set national standards for safeguarding Protected Health Information (PHI) and its electronic form, ePHI. PHI covers far more than medical records: any individually identifiable health information, together with the identifiers that link a person to it (names, addresses, dates, Social Security numbers and so on), falls under the definition.
Salesforce sits in this picture as a Business Associate. HIPAA distinguishes Covered Entities (health plans, healthcare clearinghouses and providers that transmit health information electronically) from Business Associates, the vendors and service providers that create, receive, store or transmit PHI on a Covered Entity's behalf. A Covered Entity may only share PHI with a Business Associate under a signed Business Associate Agreement (BAA), so any HIPAA-regulated customer must have a BAA in place with Salesforce before ePHI enters the platform. The agreement sets out what Salesforce does to protect ePHI and which responsibilities remain with the customer.
Beyond that outline, the BAA also defines which Salesforce services are in scope. Several can be configured to handle ePHI in a HIPAA-compliant manner:
Salesforce Shield, which adds Platform Encryption, Field Audit Trail and Event Monitoring
Hyperforce, Salesforce's public-cloud infrastructure, which lets protected information be hosted on public cloud providers under the platform's security controls
Salesforce Health Cloud, a dedicated healthcare offering covering care coordination and patient data management, among other features
Core services, including Service Cloud, Sales Cloud, and a specific subset of Marketing Cloud features
Each of these services must be configured and implemented carefully to stay compliant. Not every Salesforce capability can be made HIPAA-compliant, even when configured correctly, and the BAA should always be checked for the features it excludes or restricts.
On the platform side, Salesforce provides a number of controls that support compliance, including:
Role-based access control through profiles, permission sets and the role hierarchy
Audit trails that record both access to and modification of data
Encryption of data at rest and in transit
Multi-factor authentication to protect user identities, which Salesforce has required for all direct logins since 2022
That said, the customer's own org is responsible for a set of actions that Salesforce cannot take on its behalf, including:
Setting session timeouts and login IP range restrictions
Conducting regular security audits and continuous monitoring of system activity
Establishing secure backup and recovery procedures
Building access-management rules so that only authorized personnel can reach PHI
Configuring encryption correctly using Salesforce Shield Platform Encryption
Reviewing sharing settings regularly and updating them when necessary
Enforcing multi-factor authentication for every user
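Several of the items above (session timeout, login IP ranges, least-privilege permissions) are visible in the metadata an org exports, so they can be audited rather than eyeballed in Setup. The script below is an added example, not code from this article or from Salesforce: it reads the SecuritySettings and Profile XML that a metadata retrieve (for instance `sf project retrieve start -m SecuritySettings -m Profile`) writes to disk and reports a weak setting next to the hardened value it expects. The two XML fragments are constructed so it runs offline, and the two-hour timeout ceiling, the admin profile list and the profile names are assumptions for illustration.

```python
"""Audit retrieved Salesforce metadata for the session, login-IP and
privilege settings discussed above.

Added example, not Salesforce's own code.  Input is the SecuritySettings
and Profile XML produced by a metadata retrieve; the weak/hardened
fragments below are constructed so the script runs offline, and the
timeout ceiling and admin-profile list are assumptions."""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Metadata API timeout values, shortest first; anything after the ceiling fails.
TIMEOUT_ORDER = ["FifteenMinutes", "ThirtyMinutes", "SixtyMinutes", "TwoHours",
                 "FourHours", "EightHours", "TwelveHours", "TwentyFourHours"]
MAX_SESSION_TIMEOUT = "TwoHours"           # assumed policy ceiling
# Session flags that must be true: lock the session to its originating IP,
# re-check login IP ranges on every request, force re-login after "Login As".
REQUIRED_SESSION_FLAGS = ("lockSessionsToIp", "enforceIpRangesEveryRequest",
                          "forceRelogin")
# Permissions that bypass record-level sharing; assumed to be admin-only.
BROAD_PERMS = {"ModifyAllData", "ViewAllData"}
ADMIN_PROFILES = {"System Administrator"}  # assumed


def _text(node, path):
    """Text of the first child matching path, or None if absent/empty."""
    child = node.find(path, NS)
    return child.text.strip() if child is not None and child.text else None


def audit_security_settings(xml_text):
    """Findings for the org-wide SecuritySettings file (empty list means clean)."""
    root = ET.fromstring(xml_text)
    findings = []
    timeout = _text(root, "m:sessionSettings/m:sessionTimeout")
    if (timeout not in TIMEOUT_ORDER
            or TIMEOUT_ORDER.index(timeout) > TIMEOUT_ORDER.index(MAX_SESSION_TIMEOUT)):
        findings.append(f"sessionTimeout is {timeout}; ceiling is {MAX_SESSION_TIMEOUT}")
    for flag in REQUIRED_SESSION_FLAGS:
        if _text(root, f"m:sessionSettings/m:{flag}") != "true":
            findings.append(f"{flag} is not enabled")
    return findings


def audit_profile(xml_text, profile_name):
    """Findings for one Profile file: open login IP ranges and broad permissions."""
    root = ET.fromstring(xml_text)
    findings = []
    if not root.findall("m:loginIpRanges", NS):
        findings.append(f"{profile_name}: no loginIpRanges, logins allowed from any address")
    for perm in root.findall("m:userPermissions", NS):
        name = _text(perm, "m:name")
        if (name in BROAD_PERMS and _text(perm, "m:enabled") == "true"
                and profile_name not in ADMIN_PROFILES):
            findings.append(f"{profile_name}: {name} granted to a non-admin profile")
    return findings


# Constructed sample metadata: a weak configuration and its hardened counterpart.
WEAK_SECURITY = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
  <sessionSettings>
    <enforceIpRangesEveryRequest>false</enforceIpRangesEveryRequest>
    <forceRelogin>true</forceRelogin>
    <lockSessionsToIp>false</lockSessionsToIp>
    <sessionTimeout>TwelveHours</sessionTimeout>
  </sessionSettings>
</SecuritySettings>"""
HARDENED_SECURITY = WEAK_SECURITY.replace("false", "true").replace("TwelveHours", "TwoHours")

WEAK_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
</Profile>"""
HARDENED_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <loginIpRanges>
    <description>Clinic VPN (constructed range)</description>
    <endAddress>203.0.113.254</endAddress>
    <startAddress>203.0.113.1</startAddress>
  </loginIpRanges>
  <userPermissions><enabled>true</enabled><name>ViewSetup</name></userPermissions>
</Profile>"""

if __name__ == "__main__":
    for label, found in [("weak org", audit_security_settings(WEAK_SECURITY)),
                         ("hardened org", audit_security_settings(HARDENED_SECURITY)),
                         ("weak profile", audit_profile(WEAK_PROFILE, "Care Coordinator")),
                         ("hardened profile", audit_profile(HARDENED_PROFILE, "Care Coordinator"))]:
        print(f"{label}: {found or 'clean'}")
```

Run it against a real retrieve by reading each `*.settings-meta.xml` and `*.profile-meta.xml` file into the two functions; an empty findings list for every file is the state to aim for, and a non-empty one is a concrete item for the periodic audit the list above calls for. Encryption and sharing-model settings live in other metadata types and are not covered here.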
At the same time, organizations commonly run into obstacles when trying to keep a Salesforce org HIPAA-compliant. The AppExchange marketplace, often cited as one of Salesforce's biggest advantages, is a good example: every installed package widens the set of parties that can touch PHI.
Each AppExchange application that will process PHI therefore needs its own security assessment and its own BAA with the app vendor before it is installed; otherwise a single package can put the entire org's HIPAA compliance at risk.
There is also widespread confusion about Salesforce's shared responsibility model. Salesforce supplies the controls, but configuring them, vetting third parties and training employees remain the org's responsibility. Training matters as much as any technical control, because it reduces the human error that can expose PHI.
An org's HIPAA posture can be strengthened with third-party backup, archiving and security tools, but each such vendor is itself a Business Associate: it must meet HIPAA requirements and be covered by its own BAA, or it undoes the compliance it was meant to support.
Successful HIPAA compliance in Salesforce requires a clear understanding of both what the platform can do and where it stops. Each organization has to weigh the available security features, invest in regular audits and keep user access under tight management. Salesforce offers a solid set of features that help with HIPAA compliance, and those capabilities can be extended with third-party solutions, provided the third parties are held to the same regulatory standard.