Is Salesforce Marketing Cloud HIPAA compliant? (2023 update)

Last updated: 10 January 2023

Customers and prospects continue to ask us whether they’re able to use Salesforce Marketing Cloud in a HIPAA compliant manner.

We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud services in this sector.

We first wrote this post in April 2019. Today we revisit whether Salesforce Marketing Cloud offers HIPAA compliant email for marketing.

 

Salesforce Marketing Cloud

Salesforce Marketing Cloud (SFMC) is a digital marketing automation platform offered by Salesforce. It provides a suite of tools for businesses to create and manage marketing campaigns across various channels, including email, social media, mobile, and the web.

The platform allows users to segment and target specific customer groups, automate personalized communication, and track the effectiveness of marketing efforts.

The company was founded in 2000 under the name ExactTarget and was acquired by Salesforce in 2013. It was renamed Salesforce Marketing Cloud in 2014.

 

2019 analysis: Salesforce Marketing Cloud and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

When we first wrote this post in 2019, we learned via the Salesforce HIPAA Compliance page that Salesforce Marketing Cloud was covered by Salesforce in its BAA. When we read the fine print, however, we saw that while Salesforce was willing to sign a BAA with customers for use with Salesforce Marketing Cloud, the scope of the BAA was limited to data stored at rest in its system.

In other words, data uploaded to Salesforce Marketing Cloud was covered by the Salesforce BAA. However, when customers actually send email, its transmission over the internet from Salesforce Marketing Cloud was not covered by the Salesforce BAA. This was obviously quite a limited scope of coverage.

 

Updated for 2023: Salesforce Marketing Cloud and the business associate agreement

When we took a fresh look at the Salesforce HIPAA Compliance page, we were directed to the Business Associate Addendum Restrictions page for more information.

[Screenshot from https://compliance.salesforce.com/en/hipaa]

On the BAA Restrictions and HIPAA Covered Services page, Salesforce lays out a list of solutions that it refers to as “HIPAA Covered Services.”

As we went down the list, we did not find any mention of Salesforce Marketing Cloud.

We did, however, find Marketing Cloud Personalization listed as covered by the current Salesforce BAA.

When we dug into Salesforce Marketing Cloud Personalization, we learned the following:

  • The technology was acquired in February 2020 when Salesforce bought Evergage. Shortly after, Salesforce rebranded the Evergage platform as Marketing Cloud Personalization.
  • Salesforce Marketing Cloud Personalization is a component of Salesforce Marketing Cloud. It does not represent the entire platform.

In a nutshell, based on analyzing the latest versions of the Salesforce HIPAA Compliance and Business Associate Addendum Restrictions pages, we are left to conclude that Salesforce Marketing Cloud is no longer offered as a HIPAA Covered Service by Salesforce.

 

Is Salesforce Marketing Cloud HIPAA compliant?

The BAA is a key component to HIPAA compliance between a covered entity and a business associate.

In 2019, we saw that Salesforce did include Salesforce Marketing Cloud as being covered under its BAA. The scope of coverage was quite limited.

When we revisited the topic in 2023, however, we learned that Salesforce Marketing Cloud is no longer listed as a “HIPAA Covered Service” by Salesforce.

We are therefore left to conclude that as of January 2023, Salesforce Marketing Cloud is not a HIPAA Covered Service by Salesforce and is therefore not HIPAA compliant.
