Compliance is a very important factor when it comes to handling information that can be considered sensitive under regulations such as HIPAA.
HIPAA, or the Health Insurance Portability and Accountability Act, was introduced in 1996 and has been used as the national standard for protecting sensitive health-related information. Any organization or individual that stores, manages, or transmits healthcare information falls under HIPAA. The goal of this regulation is to ensure the availability, confidentiality, and integrity of sensitive patient-related information through detailed guidelines on information security.
While platforms such as Salesforce do have to be compliant with HIPAA to a certain degree (more on that later), the majority of the burden should still fall on the shoulders of the data processing individual or company and not just the CRM platform per se.
Salesforce does offer multiple security-related features that can be used to ensure HIPAA compliance, such as audit trails, access control mechanisms, and data encryption. However, the exact logic behind HIPAA compliance in this context can be somewhat difficult to understand, which is why we are going to approach this exact topic in this article.
The basics of HIPAA
The versatility of Salesforce as a CRM platform makes it possible to operate in many industries and situations – including companies that fall under the HIPAA compliance frameworks.
HIPAA is a federal law of the U.S. with the prime purpose of protecting certain health-related information of patients. The security of PHI (Protected Health Information) is one of the most basic goals of HIPAA. The most basic way to describe PHI would be to refer to it as any information from medical records that can identify a patient.
PHI covers a wide range of information, a lot of which would not even seem relevant to medical matters at first – names, addresses, birth dates, and so on. As for the more industry-specific data, Social Security numbers and medical records are also considered PHI, among many other examples.
Additionally, there is an important variation of PHI that warrants discussion in the context of Salesforce and other CRMs – ePHI. Any element of PHI that is transferred or handled with the help of some sort of electronic medium is considered electronic Protected Health Information, or ePHI.
HIPAA-compliant entities and Salesforce
Due to its sensitive nature, HIPAA as a set of regulations applies to a large selection of entities that handle PHI in some way or another. There are four primary categories of such entities that are worth mentioning here:
- Healthcare providers are various health service providers that handle health-related data in electronic form, including dentists, chiropractors, clinics, doctors, nursing homes, pharmacies, psychologists, and many other examples.
- Health plans cover government-related healthcare programs (Medicare, Medicaid, etc.), as well as company health plans, health insurance companies, and HMOs (health maintenance organizations).
- Healthcare clearinghouses are third-party entities that receive non-standard health-related information from another entity and convert it into some sort of a standard format (or vice versa), with the most prominent examples being community health management information systems, repricing companies, and billing services.
- Business associates are entities that can perform activities or functions with the involvement of PHI, either as a provided service to a Covered Entity or on behalf of said entity.
It should be noted that these categories of entities under HIPAA have different responsibilities depending on the category. Additionally, there is also an overarching term, Covered Entity, which works as an umbrella term for healthcare providers, health plans, and healthcare clearinghouses, explaining all types of entities that are directly involved in the process of handling or managing ePHI.
Salesforce and a Business Associate Agreement
Since Salesforce falls under the last category of entities from the standpoint of HIPAA (Business associates), it is not considered a Covered Entity, which is why its total number of responsibilities is noticeably lower than for a healthcare provider or any other type of Covered Entity.
However, this does not mean that Salesforce cannot be compliant to HIPAA. On the contrary, the importance of third-party services under the title of Business associates is important in the context of HIPAA, and there is an entire document called BAA, or Business associate agreement, that an environment such as Salesforce and a Covered Entity has to sign in order to confirm that both sides are committed to following HIPAA’s regulations and aware of their responsibilities.
Any instances of a healthcare provider or other entity processing patient-related information with the help of services such as Salesforce has to include a signed BAA outlining the exact security measures that Salesforce would take to safeguard ePHI it works with on behalf of the aforementioned entity.
It would be important to mention that the exact list of products and features that Salesforce can offer in the context of HIPAA compliance is somewhat limited and would most likely differ depending on the client. It is one of several reasons why BAAs in Salesforce are provided on a case-by-case basis directly by the account team instead of being available for public inspection.
We would highly recommend reading through the entire BAA before signing it with Salesforce, including all of the Addendums (the ones that usually define the capabilities and features of Salesforce as a Business associate). Not only the lack of a signed BAA can increase the penalties on the Covered Entity for data breaches, but that same entity (and only the entity) can also be fined for not signing the appropriate BAA even without any kind of data breach happening to begin with.
HIPAA-compliant elements of Salesforce
As for the exact features and services that Salesforce can offer in terms of its compliance with HIPAA – there are multiple examples of such noteworthy capabilities that we are going to separate into two groups. The first group represents the security measures and features that contribute to the security as a whole, while the second group elaborates on what specific services inside Salesforce can be considered HIPAA-compliant.
Security is one of the important cornerstones of the Salesforce environment, and several layers of protection measures are implemented to ensure the complete protection of the environment. The Physical security covers all of the measures taken to ensure the protection of the physical infrastructure of Salesforce servers; the Network security outlines features that protect information in transit between Salesforce servers and end users; the Application security controls access permissions to specific information in certain situations.
The list of specific Salesforce services that are covered by HIPAA compliance is presented below:
- Salesforce Health Cloud is a platform dedicated to helping healthcare companies with personalized assistance for patients. It can be fully HIPAA-compliant if configured correctly, and its capabilities cover care coordination, patient data management, patient communication, and more.
- Salesforce Shield is a premium security-related feature set from Salesforce; its most noteworthy features that can assist with HIPAA compliance are Field Audit Trail, Event Monitoring, and Platform Encryption, among others.
- Hyperforce is a dedicated infrastructure of Salesforce that allows the platform to be deployed in major public clouds while still providing scalability, data residency controls, and enough security measures to remain HIPAA-compliant.
- Services covered by the BAA are features and capabilities of Salesforce that can be treated as HIPAA-compliant with proper configuration:
- Service Cloud is a helpdesk and customer support-oriented module that can also be configured for compliance with HIPAA if all requirements are met.
- Sales Cloud is a customer relationship management module that can be HIPAA-compliant if configured to handle PHI correctly in a secure manner (with the BAA explicitly mentioning the feature).
- Marketing Cloud is a marketing-related element of Salesforce; only some of its features can be HIPAA-compliant with proper configuration, which is why this element should be implemented with a high degree of caution.
- Salesforce Platform is the name of the overarching Salesforce environment, including the development of case-specific custom apps; it can become HIPAA-compliant with a BAA in place and with all the necessary configurations being applied.
It should be noted that the list of Salesforce services that can be compliant with HIPAA is outlined in BAA and does not include the full range of the platform’s capabilities. Additionally, proper configuration and user access management are still the concerns of the end user (not Salesforce) when it comes to HIPAA-related obligations.
Key compliance-related features in Salesforce
Aside from the services, Salesforce also has a number of features that can be used to make the information more secure and thus more compliant with HIPAA. The most common examples of such features are:
- Audit trails are comprised of detailed access and modification logs to keep track of all users that have access to PHI, forming a clear audit trail with accountability.
- User access controls such as RBAC set the range of capabilities for each user in regard to the actions and access levels for each specific user.
- User authentication works as one of the preliminary layers of security that determine the identity of each user that attempts to access the environment, limiting the number of users that can interact with ePHI and other sensitive information.
- Data encryption is a security measure that can cover information with an encryption layer both at rest and mid-transit, protecting it from unauthorized access.
On that note, we should also mention the features and elements of Salesforce that are not considered compliant with HIPAA, including:
- Customization additions with the usage of custom workflows or case-specific coding elements might not offer the necessary level of security that HIPAA demands – including inadequate encryption, improper API usage, etc.
- Third-party integrations through AppExchange or completely outside of the Salesforce environment should also be subject to review on a case-by-case basis since not all AppExchange extensions are HIPAA-compliant, and the same could be said for third-party solutions that are added to Salesforce for security or convenience.
Salesforce’s restrictions in regards to HIPAA compliance
Speaking of non-compliance, the aforementioned list of HIPAA-compliant Salesforce services does not imply that the entire service is completely safe from any compliance-related issues. Here are a few examples of such situations:
- Certain features of Salesforce Health Cloud services should not be used to work with PHI unless such a feature is mentioned in the BAA. Some mobile and social features of this service are not HIPAA-compliant by default.
- Configuration is an essential part of setting up Salesforce Shield to be HIPAA-compliant; the entire environment does not automatically become compliant with HIPAA as soon as Shied is added to the environment without proper configuration.
- While BAA does cover a number of services that are HIPAA-compliant, it also highlights all the limitations that these services would have to remain compliant – such as the requirement to disable specific features or to use additional security measures.
- If the service is not explicitly mentioned in the BAA, it should not be used to work with ePHI under the threat of potential fines and even legal disputes, aside from reputational damage.
Best practices for ensuring HIPAA compliance in Salesforce
Talking about best practices in the case of HIPAA compliance in Salesforce is difficult because of how many recommendations are going to be extremely case-specific and not particularly useful to most users. What we can do here is to offer a few of the remaining recommendations that are somewhat universal in most cases, such as:
- Improve the efficiency of user access management
- Perform regular audits of the security measures and monitor the environment
Managing user access to HIPAA-covered information is an integral part of practically any compliance framework. Making sure that only the shortest possible range of authorized individuals has access to PHI is the prerogative of organizations in the medical industry. Salesforce can achieve that by using two-factor authentication and session management rule sets while also implementing the principle of least privilege and introducing a robust, flexible RBAC system with defined roles and job functions.
Constant vigilance is another valuable factor for HIPAA-compliant environments. Luckily, Salesforce has a lot of useful features that can assist with activity monitoring and review, including manual user access review capabilities, automated audit logging to track both information and users that had access to it, and automated alerts that can notify administrators in case of any suspicious activity, such as multiple failed login attempts.
Checklist for HIPAA compliance in Salesforce
In order to cover the topic in a somewhat shorter form, we have prepared a checklist for HIPAA compliance in Salesforce that should mention most of the necessary actions that an organization in this field should take.
- Enable data encryption at rest and mid-transit with the help of Salesforce Shield with field-level encryption and appropriate encryption key management practices.
- Set up Role-Based Access Control policies with profiles and role hierarchies that clearly define specific user ranges that would have access to PHI and other valuable information.
- Turn on and properly configure audit trails to be able to monitor access and changes to sensitive information, including PHI.
- Enable two-factor authentication as an additional layer of security that can work at the earlier authentication stages before the user has access to the infrastructure.
- Regularly review and change Secure Sharing settings in Salesforce to control the sharing capabilities of users that have access to PHI; the usage of manual sharing options and private sharing models can further improve upon this strategy.
- Think of implementing a whitelist of IP ranges that can access the Salesforce environment to automatically deny access to anyone not using a designated IP address to access the environment.
- Turn on session timeout features to reduce the potential risk of unattended workstations having access to high-level information.
- Perform a thorough review of all integrations and apps that are connected to Salesforce and ensure their compliance with HIPAA when applicable.
- Protect against data loss by implementing backup and recovery measures; enable encryption for all backups that store PHI, at the very least.
- Configure Salesforce Health Cloud properly if your organization uses it; the solution is designed for HIPAA compliance but requires thorough configuration before actually becoming compliant.
It should be noted that not all of these features are available in Salesforce itself and might require the introduction of third-party solutions. Luckily, there is a lot of software, such as GRAX, that can offer an extensive feature set revolving around data security that is also HIPAA-compliant from the get-go. However, the introduction of additional software vendors into the HIPAA environment does come with a number of considerations that we are going to review later.
Ensure Salesforce Compliance with GRAX
The best way to support stringent regulatory requirements.
Potential challenges and compliance considerations for Salesforce environments
While we are on the topic of third-party solutions, we should also mention that the introduction of third-party options in a Salesforce environment is often considered one of the biggest risks when it comes to HIPAA compliance. While many third-party solutions with their own branding have a certain degree of compliance, the majority of AppExchange apps are far less effective compliance-wise.
First of all, if any of the third-party applications’ capabilities fall under the HIPAA compliance rule set, a new BAA needs to be signed with the software developer for this integration to remain compliant. As we have mentioned before, the simple absence of a BAA can be enough to consider the entire interaction a breach of HIPAA with severe consequences.
Some third-party apps can also transmit ePHI outside of Salesforce’s controlled environment, dramatically increasing the possibility of data breaches and other issues aside from regulatory problems. Most of these issues can be noticed during a security and compliance review, but resolving them might be a lot more difficult than that.
Another significant challenge of HIPAA compliance as a whole (and in the context of Salesforce) is the shared responsibility model that organizations should be aware of. A surprisingly large number of users are not aware of Salesforce’s exact responsibilities when it comes to regulatory frameworks such as HIPAA.
For example, the burden of configuring the necessary features is on the end user, even though the capability is presented by Salesforce. Additionally, the responsibility for ensuring that all external software providers have a signed BAA with the organization for the sake of HIPAA compliance is also completely on the shoulders of the company instead of Salesforce.
Performing regular user training sessions is also recommended for any organization that falls under HIPAA or a similar framework. The overwhelming majority of existing tools and platforms would not be able to protect valuable information such as ePHI from the consequences of a simple human error.
Third-party Salesforce solutions and HIPAA compliance
We should also mention that many of Salesforce’s existing issues in terms of HIPAA compliance can be at least improved upon with the introduction of a third-party data security solution that is not an AppExchange application and is more of a separate product.
Software such as GRAX can not only provide an additional level of security with the addition of its own features, such as data backups, archiving, and recovery but also ensure complete HIPAA compliance from the get-go. The entire platform is SOC 2 Type 2-compliant; it only responds to HTTPS requests for better security and can offer TLS 1.2 encryption mid-transit and AES-256 encryption at rest. Database secrets are encrypted by default, regardless of the overall system setting, improving overall security.
Conclusion
Salesforce is an exceptional CRM platform with a lot of features and capabilities. Its versatility also allows it to be compliant with multiple regulatory frameworks, such as HIPAA. However, not only is it important for the organization to configure all the necessary features correctly for them to work, but there is also the responsibility of understanding what exactly Salesforce can offer by itself in this field.
HIPAA compliance is a difficult topic that not many companies are fully aware of, and one of our goals was to present essential information about companies in the medical field that can be subject to this regulation – with all the benefits, shortcomings, and responsibilities of such a fate.
Understanding is the key word for this article – understanding what kind of restrictions Salesforce has in terms of HIPAA compliance can help with working around these limitations, and understanding the shared responsibility model between Salesforce and the organization helps with avoiding situations that can be considered a compliance breach with severe consequences.
Frequently Asked Questions
Can Salesforce ensure compliance with HIPAA without additional configuration?
Salesforce is considered a Business associate in the eyes of HIPAA, which is why it only shares some of the compliance requirements with the company in the same field, and the burden of configuration (and compliance) is still primarily on the client company instead of the CRM environment.
How can a company ensure that Salesforce’s third-party apps are compliant with HIPAA?
Signing a separate BAA should be the priority in such a situation if the app works with PHI to some degree. Performing an initial assessment of the app’s security capabilities and monitoring it on a regular basis in the future are also valuable sources of information when it comes to compliance.
What is the recommended frequency for compliance audits?
Annual auditing is the bare minimum in these situations, while a separate audit is performed after each significant configuration change or system update for Salesforce or its third-party apps.
What is the penalty for non-compliance with HIPAA?
The exact penalty depends on the severity of the breach, but there is at least a fine that ranges from $100 to $50,000 for one violation, with the upper range of $1.5M per year, as well as reputational losses, increased scrutiny in future reviews, loss of trust, and so on.
How does the responsibility of a Business associate differ from the responsibility of a Covered entity?
The most fundamental distinction between the two is the fact that a Covered entity handles the PHI directly while a Business associate can only handle such information on behalf of the aforementioned Covered entity.