Last updated: 10 January 2023
Customers and prospects continue to ask us whether they’re able to use Salesforce Marketing Cloud in a HIPAA compliant manner.
We know the HIPAA-regulated sector is vast, so we can empathize with just how many people in it need to use cloud services.
We first wrote this post in April 2019. Today we will revisit whether Salesforce Marketing Cloud offers HIPAA compliant email for marketing or not.
Salesforce Marketing Cloud (SFMC) is a digital marketing automation platform offered by Salesforce. It provides a suite of tools for businesses to create and manage marketing campaigns across various channels, including email, social media, mobile, and the web.
The platform allows users to segment and target specific customer groups, automate personalized communication, and track the effectiveness of marketing efforts.
The company was founded in 2000 under the name ExactTarget, acquired by Salesforce in 2013, and renamed Salesforce Marketing Cloud in 2014.
We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
When we first wrote this post in 2019, we learned via the Salesforce HIPAA Compliance page that Salesforce Marketing Cloud was covered by Salesforce in its BAA. When we read the fine print however, we saw that while Salesforce was willing to sign a BAA with customers for use with Salesforce Marketing Cloud, the scope of the BAA was limited to data stored at-rest in its system.
In other words, data uploaded to and stored in Salesforce Marketing Cloud was covered by the Salesforce BAA. However, when customers actually sent email, its transmission over the internet from Salesforce Marketing Cloud was not covered by the Salesforce BAA. This was obviously quite a limited scope of coverage.
When we took a fresh look at the Salesforce HIPAA Compliance page, we were directed to the Business Associate Addendum Restrictions page for more information.
See screenshot below:
When we visit the BAA Restrictions and HIPAA Covered Services page, Salesforce lays out a list of solutions that it refers to as, “HIPAA Covered Services.”
As we went down the list, we did not find any mention of Salesforce Marketing Cloud.
We did, however, find Marketing Cloud Personalization listed as being covered by the current Salesforce BAA:
When we dug into Salesforce Marketing Cloud Personalization, we learned the following:
In a nutshell, based on analyzing the latest versions of the Salesforce HIPAA Compliance and Business Associate Addendum Restrictions pages, we are left to conclude that Salesforce Marketing Cloud is no longer offered as a HIPAA Covered Service by Salesforce.
The BAA is a key component to HIPAA compliance between a covered entity and a business associate.
In 2019, we saw that Salesforce did include Salesforce Marketing Cloud as being covered under its BAA. The scope of coverage was quite limited.
When we revisited the topic in 2023 however, we learned that Salesforce Marketing Cloud is no longer listed as a “HIPAA Covered Service” by Salesforce.
We are therefore left to conclude that, as of January 2023, Salesforce Marketing Cloud is not a HIPAA Covered Service by Salesforce and is consequently not HIPAA compliant.