Ensuring HIPAA compliance, a legal obligation for protecting sensitive patient information, is critical to using any CRM in the healthcare sector.
Salesforce offers a suite of services widely used by healthcare organizations to manage patient data and streamline operations. When configured correctly, Salesforce can be used in a HIPAA compliant manner.
Salesforce is a cloud-based customer relationship management (CRM) platform that can be used to manage all aspects of a healthcare organization's customer interactions, from lead generation to patient care. Salesforce's broad product suite includes solutions for:
In addition to these specific solutions, Salesforce also offers several general-purpose tools that can be used in healthcare, such as:
Salesforce's broad product suite makes it a powerful tool for healthcare organizations of all sizes. By using Salesforce, healthcare organizations can improve patient care, reduce costs, and improve compliance with HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted to protect the privacy and security of certain health information. It applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses. One of the foundational aspects of HIPAA is the protection of PHI.
PHI refers to any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed while providing a health care service, such as diagnosis or treatment. This includes a wide range of identifiable health and demographic data, such as names, addresses, birth dates, Social Security numbers, and medical records.
Under HIPAA, PHI that is transferred, received, handled, or shared through electronic media is called electronic protected health information (ePHI). This includes PHI transmitted by electronic media, such as email.
HIPAA sets forth privacy and security rules that govern the use and disclosure of PHI. The Privacy Rule, which applies to all forms of PHI, sets standards for when PHI may be used and disclosed. The Security Rule sets standards for securing ePHI, specifically. It requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
Related: What are the 18 PHI identifiers?
HIPAA regulations apply to a wide range of entities that handle PHI. These are primarily healthcare providers, health plans, and healthcare clearinghouses but also extend to business associates. Let's delve into each of these categories:
Healthcare providers: Any medical or other health services provider that transmits health information in electronic form is considered a healthcare provider under HIPAA. This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
Health plans: Health plans include health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans' health care programs.
Healthcare clearinghouses: These are entities that process nonstandard health information they receive from another entity into a standard format or vice versa. Examples include billing services, repricing companies, or community health management information systems.
Business associates: A business associate performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. This includes services like Salesforce because they handle PHI.
Related: How to know if you're a business associate
A business associate agreement (BAA) is a critical document outlining each party's responsibilities when handling PHI. This agreement is a cornerstone of HIPAA compliance, ensuring that business associates, like Salesforce, are fully aware of their obligations and are committed to preserving the privacy and security of PHI.
A BAA must be in place when a healthcare provider leverages Salesforce's services to manage patient data. This agreement ensures that Salesforce, acting as a business associate, will appropriately safeguard the PHI it receives, creates, maintains, or transmits on behalf of the healthcare provider. This is a necessary step in ensuring that the use of Salesforce services involving PHI is HIPAA compliant.
By offering to sign a BAA, Salesforce acknowledges its role as a business associate and its responsibilities in maintaining the privacy and security of PHI. However, it's important to note that not all Salesforce services are covered under the BAA, and customers are responsible for using them in a manner consistent with their HIPAA obligations.
Related: Business associate agreement provisions
Salesforce has several features that make it well-suited for HIPAA compliance, including encryption, access control, and auditing. Salesforce also has a business associate agreement that outlines the company's responsibilities for safeguarding protected health information (PHI). Their willingness to sign a BAA and along with their stringent security measures, mean that Salesforce can be HIPAA compliant.
However, please note that not every Salesforce product is HIPAA compliant. Always double-check that the specific feature or product is covered by the BAA and that the particular usage is HIPAA compliant.
Salesforce is committed to providing a secure environment for its customers, particularly those in the healthcare sector who handle PHI. Here's how Salesforce ensures compliance with HIPAA:
Salesforce implements a comprehensive set of security measures at different levels:
Salesforce provides a range of configurable security features that customers can use to enhance their data protection. These include:
Salesforce undergoes regular audits to verify its compliance with various industry standards and regulations, including HIPAA. Salesforce holds a comprehensive set of compliance certifications and attestations, which provide independent validation of its security controls.
While Salesforce provides a platform that can be HIPAA compliant, the responsibility for ensuring HIPAA compliance also rests with the customer. Customers must:
Related: HIPAA Compliant Email: The Definitive Guide
Salesforce offers a variety of services that are designed with security and compliance in mind. Here's a detailed look at the services covered by Salesforce's HIPAA compliance:
Not all Salesforce services are covered under the BAA. Customers should review the BAA carefully to understand which services are covered.
Customers are responsible for using Salesforce services in a manner that is consistent with their HIPAA obligations. This includes configuring the services correctly and managing user access to PHI.
Healthcare organizations often use Salesforce CRM for patient communication, appointment reminders, and sharing health reports. These emails may contain PHI, which must be securely transmitted under HIPAA regulations. With Paubox's integration, you can ensure that all such emails are encrypted in transit, providing an extra layer of security.
Go deeper: Can Salesforce CRM be HIPAA compliant?
Each Salesforce service has its own specific restrictions to ensure HIPAA compliance.
While Salesforce provides a platform that can be HIPAA compliant, the responsibility for ensuring HIPAA compliance also rests with the customer. Healthcare organizations must:
By understanding the service-specific restrictions for HIPAA compliance in Salesforce, healthcare organizations can ensure they are using Salesforce services appropriately and in a way that meets their compliance needs.
Here are some frequently asked questions about HIPAA compliance and Salesforce.
Is Salesforce HIPAA compliant?
Yes, Salesforce offers a platform that can be used in a HIPAA-compliant manner when configured correctly and used in accordance with a Business Associate Agreement (BAA).
Does Salesforce sign a Business Associate Agreement (BAA)?
Yes, Salesforce is willing to sign a BAA with customers that handle PHI. Still, it's important to note that not all Salesforce services are covered under the BAA.
Can all Salesforce services be used to store, process, or transmit PHI?
No, only the services specifically covered under Salesforce's BAA can be used to store, process, or transmit PHI.
What is the role of a customer in maintaining HIPAA compliance on Salesforce?
Customers are responsible for using Salesforce services in a manner that is consistent with their HIPAA obligations. This includes configuring the services correctly and managing user access to PHI.
Does using Salesforce Shield make an organization automatically HIPAA compliant?
No, while Salesforce Shield provides additional security features, customers must still configure it correctly and use it with other security measures to meet their HIPAA obligations.