The guide to Salesforce and HIPAA compliance

Written by Dean Levitt | July 19, 2023

Ensuring HIPAA compliance, a legal obligation for protecting sensitive patient information, is critical to using any CRM in the healthcare sector.

Salesforce offers a suite of services widely used by healthcare organizations to manage patient data and streamline operations. When configured correctly, Salesforce can be used in a HIPAA compliant manner.

Introduction to Salesforce and HIPAA

Salesforce is a cloud-based customer relationship management (CRM) platform that can be used to manage all aspects of a healthcare organization's customer interactions, from lead generation to patient care. Salesforce's broad product suite includes solutions for:

Patient engagement: Salesforce Health Cloud provides tools for creating patient portals, managing patient communications, and tracking patient health records.
Clinical decision support: Health Cloud also provides tools for clinical decision support, such as real-time alerts and reminders and patient risk assessment.
Quality improvement: Health Cloud can also track patient outcomes and identify areas where quality improvement is needed.
Financial management: Salesforce Financial Services Cloud provides tools for managing financial transactions, such as claims processing and billing.
Human resources: Salesforce provides tools for managing employee data, such as recruiting, onboarding, and performance management.

In addition to these specific solutions, Salesforce also offers several general-purpose tools that can be used in healthcare, such as:

Salesforce Sales Cloud: Sales Cloud provides tools for managing sales pipelines, tracking leads, and closing deals.
Salesforce Service Cloud: Service Cloud provides tools for managing customer service interactions, such as tickets and surveys.
Salesforce Marketing Cloud: Marketing Cloud provides tools for managing marketing campaigns, such as email and social media.

Salesforce's broad product suite makes it a powerful tool for healthcare organizations of all sizes. By using Salesforce, healthcare organizations can improve patient care, reduce costs, and improve compliance with HIPAA.

Understanding HIPAA and PHI

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted to protect the privacy and security of certain health information. It applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses. One of the foundational aspects of HIPAA is the protection of PHI.

PHI refers to any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed while providing a health care service, such as diagnosis or treatment. This includes a wide range of identifiable health and demographic data, such as names, addresses, birth dates, Social Security numbers, and medical records.

Under HIPAA, PHI that is transferred, received, handled, or shared through electronic media is called electronic protected health information (ePHI). This includes PHI transmitted by electronic media, such as email.

HIPAA sets forth privacy and security rules that govern the use and disclosure of PHI. The Privacy Rule, which applies to all forms of PHI, sets standards for when PHI may be used and disclosed. The Security Rule sets standards for securing ePHI, specifically. It requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.

Who needs to comply with HIPAA?

HIPAA regulations apply to a wide range of entities that handle PHI. These are primarily healthcare providers, health plans, and healthcare clearinghouses but also extend to business associates. Let's delve into each of these categories:

Healthcare providers: Any medical or other health services provider that transmits health information in electronic form is considered a healthcare provider under HIPAA. This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.

Health plans: Health plans include health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans' health care programs.

Healthcare clearinghouses: These are entities that process nonstandard health information they receive from another entity into a standard format or vice versa. Examples include billing services, repricing companies, or community health management information systems.

Business associates: A business associate performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. This includes services like Salesforce because they handle PHI.

The role of business associate agreements

A business associate agreement (BAA) is a critical document outlining each party's responsibilities when handling PHI. This agreement is a cornerstone of HIPAA compliance, ensuring that business associates, like Salesforce, are fully aware of their obligations and are committed to preserving the privacy and security of PHI.

A BAA must be in place when a healthcare provider leverages Salesforce's services to manage patient data. This agreement ensures that Salesforce, acting as a business associate, will appropriately safeguard the PHI it receives, creates, maintains, or transmits on behalf of the healthcare provider. This is a necessary step in ensuring that the use of Salesforce services involving PHI is HIPAA compliant.

By offering to sign a BAA, Salesforce acknowledges its role as a business associate and its responsibilities in maintaining the privacy and security of PHI. However, it's important to note that not all Salesforce services are covered under the BAA, and customers are responsible for using them in a manner consistent with their HIPAA obligations.

Is Salesforce HIPAA compliant?

Salesforce has several features that make it well-suited for HIPAA compliance, including encryption, access control, and auditing. Salesforce also has a business associate agreement that outlines the company's responsibilities for safeguarding protected health information (PHI). Their willingness to sign a BAA and along with their stringent security measures, mean that Salesforce can be HIPAA compliant.

However, please note that not every Salesforce product is HIPAA compliant. Always double-check that the specific feature or product is covered by the BAA and that the particular usage is HIPAA compliant.

Salesforce and HIPAA compliance

Salesforce is committed to providing a secure environment for its customers, particularly those in the healthcare sector who handle PHI. Here's how Salesforce ensures compliance with HIPAA:

Security measures

Salesforce implements a comprehensive set of security measures at different levels:

Physical Security: Measures are in place at data centers to protect the physical infrastructure.
Network Security: Measures protect data in transit between users and Salesforce servers.
Application Security: Measures ensure that only authorized users have access to data.

Configurable security features

Salesforce provides a range of configurable security features that customers can use to enhance their data protection. These include:

User authentication features: These features verify the identity of users before granting them access to the system.
User access controls: These controls determine what data each user can access and what actions they can perform.
Data encryption: Salesforce provides options for encrypting data at rest and in transit.
Audit trails: These features log who has accessed data and what changes they have made.
Data backup and recovery: These features help to ensure that data can be recovered in the event of a loss.

Compliance certifications and attestations

Salesforce undergoes regular audits to verify its compliance with various industry standards and regulations, including HIPAA. Salesforce holds a comprehensive set of compliance certifications and attestations, which provide independent validation of its security controls.

While Salesforce provides a platform that can be HIPAA compliant, the responsibility for ensuring HIPAA compliance also rests with the customer. Customers must:

Enter into a BAA with Salesforce.
Configure the security settings appropriately.
Manage user access to PHI.

What are the HIPAA covered services in Salesforce?

Salesforce offers a variety of services that are designed with security and compliance in mind. Here's a detailed look at the services covered by Salesforce's HIPAA compliance:

Salesforce Health Cloud: This is a patient relationship platform that helps healthcare organizations to deliver personalized care. It includes features for managing patient data, coordinating care, and engaging with patients. Health Cloud is designed to be used in a HIPAA compliant manner when configured correctly.
Salesforce Shield: This is a set of premium features for security and compliance. It includes Platform Encryption, Event Monitoring, and Field Audit Trail. These features can help healthcare organizations protect PHI and meet HIPAA compliance obligations.
Other Salesforce services covered under the BAA: The BAA covers a specific set of Salesforce services designed to be HIPAA compliant. These services include Sales Cloud, Service Cloud, and Salesforce Platform.

Not all Salesforce services are covered under the BAA. Customers should review the BAA carefully to understand which services are covered.

Customers are responsible for using Salesforce services in a manner that is consistent with their HIPAA obligations. This includes configuring the services correctly and managing user access to PHI.

Can Salesforce CRM be HIPAA compliant?

Healthcare organizations often use Salesforce CRM for patient communication, appointment reminders, and sharing health reports. These emails may contain PHI, which must be securely transmitted under HIPAA regulations. With Paubox's integration, you can ensure that all such emails are encrypted in transit, providing an extra layer of security.

Here's how you can make Salesforce CRM HIPAA compliant:

Organization level configuration: With administrator credentials, configure Salesforce to allow routing via Paubox. This is done by creating an email relay to Paubox. Here's how to create the email relay.
User level Configuration: Each user should update their Salesforce settings. Toggle the radio button to send via Gmail or O365 rather than via Salesforce. Ensure your email address is listed as "acceptable" under the "My Email to Salesforce" section. Here's how to set up user-level routing.
Test the setup: Send a test message from Salesforce to an external email address. If the setup is successful, the Paubox footer will appear at the bottom of the HIPAA email for confirmation.

Go deeper: Can Salesforce CRM be HIPAA compliant?

Service-specific restrictions for HIPAA compliance in Salesforce

Each Salesforce service has its own specific restrictions to ensure HIPAA compliance.

Salesforce Health Cloud: While Health Cloud is designed to be used in a HIPAA compliant manner, it's important to note that certain features may not be used to store, process, or transmit PHI unless explicitly covered by Salesforce's BAA. For instance, certain social and mobile features may not be used with PHI.
Salesforce Shield: While Shield provides additional security features, it does not automatically make an organization HIPAA compliant. Healthcare organizations must still configure Shield correctly and use it with other security measures to meet their HIPAA obligations.
Salesforce services covered under the BAA: The BAA covers a specific set of Salesforce services, but it also places restrictions on how these services can be used with PHI. For example, customers may need to disable certain features or use additional security controls when using these services with PHI.
Other Salesforce services: Services not covered by the BAA should not be used to store, process, or transmit PHI. Customers should review the BAA carefully to understand which services are covered and which are not.

While Salesforce provides a platform that can be HIPAA compliant, the responsibility for ensuring HIPAA compliance also rests with the customer. Healthcare organizations must:

Understand the restrictions for each Salesforce service they use.
Use Salesforce services in a manner that is consistent with their HIPAA obligations.
Configure the services correctly and manage user access to PHI.

By understanding the service-specific restrictions for HIPAA compliance in Salesforce, healthcare organizations can ensure they are using Salesforce services appropriately and in a way that meets their compliance needs.

FAQs

Here are some frequently asked questions about HIPAA compliance and Salesforce.

Is Salesforce HIPAA compliant?

Yes, Salesforce offers a platform that can be used in a HIPAA-compliant manner when configured correctly and used in accordance with a Business Associate Agreement (BAA).

Does Salesforce sign a Business Associate Agreement (BAA)?

Yes, Salesforce is willing to sign a BAA with customers that handle PHI. Still, it's important to note that not all Salesforce services are covered under the BAA.

Can all Salesforce services be used to store, process, or transmit PHI?

No, only the services specifically covered under Salesforce's BAA can be used to store, process, or transmit PHI.

What is the role of a customer in maintaining HIPAA compliance on Salesforce?