Is Salesforce Marketing Cloud HIPAA compliant? (2023 update)


Last updated: 10 January 2023

Customers and prospects continue to ask us whether they’re able to use Salesforce Marketing Cloud in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.

We first wrote this post in April 2019. Today we revisit whether Salesforce Marketing Cloud offers HIPAA compliant email for marketing.

Salesforce Marketing Cloud

Salesforce Marketing Cloud (SFMC) is a digital marketing automation platform offered by Salesforce. It provides a suite of tools for businesses to create and manage marketing campaigns across various channels, including email, social media, mobile, and the web.

The platform allows users to segment and target specific customer groups, automate personalized communication, and track the effectiveness of marketing efforts.

The company was founded in 2000 under the name ExactTarget and was acquired by Salesforce in 2013. It was renamed Salesforce Marketing Cloud in 2014.

2019 analysis: Salesforce Marketing Cloud and the business associate agreement

We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.

When we first wrote this post in 2019, we learned via the Salesforce HIPAA Compliance page that Salesforce Marketing Cloud was covered by Salesforce in its BAA. When we read the fine print, however, we saw that while Salesforce was willing to sign a BAA with customers for use with Salesforce Marketing Cloud, the scope of the BAA was limited to data stored at rest in its system.

In other words, data uploaded to Salesforce Marketing Cloud was covered by the Salesforce BAA. However, when customers actually send email, its transmission over the internet from Salesforce Marketing Cloud was not covered by the Salesforce BAA. This was obviously quite a limited scope of coverage.

Updated for 2023: Salesforce Marketing Cloud and the business associate agreement

When we took a fresh look at the Salesforce HIPAA Compliance page, we were directed to the Business Associate Addendum Restrictions page for more information.

(Screenshot from https://compliance.salesforce.com/en/hipaa)

When we visit the BAA Restrictions and HIPAA Covered Services page, Salesforce lays out a list of solutions that it refers to as “HIPAA Covered Services.”

As we went down the list, we did not find any mention of Salesforce Marketing Cloud.

We did, however, find Marketing Cloud Personalization listed as covered by the current Salesforce BAA.

When we dug into Salesforce Marketing Cloud Personalization, we learned the following:

  • The technology was acquired in February 2020 when Salesforce bought Evergage. Shortly after, Salesforce rebranded the Evergage platform as Marketing Cloud Personalization.
  • Salesforce Marketing Cloud Personalization is a component of Salesforce Marketing Cloud. It does not represent the entire platform.

In a nutshell, based on analyzing the latest versions of the Salesforce HIPAA Compliance and Business Associate Addendum Restrictions pages, we are left to conclude that Salesforce Marketing Cloud is no longer offered as a HIPAA Covered Service by Salesforce.

Is Salesforce Marketing Cloud HIPAA compliant?

The BAA is a key component to HIPAA compliance between a covered entity and a business associate.

In 2019, we saw that Salesforce did include Salesforce Marketing Cloud as being covered under its BAA. The scope of coverage was quite limited.

When we revisited the topic in 2023, however, we learned that Salesforce Marketing Cloud is no longer listed as a “HIPAA Covered Service” by Salesforce.

We are therefore left to conclude that as of January 2023, Salesforce Marketing Cloud is not a HIPAA Covered Service by Salesforce and is therefore not HIPAA compliant.

About the author

Hoala Greevy

Founder CEO Paubox. Kayak fishing when I can.
