Is Salesforce HIPAA Compliant?
Learn whether Salesforce is HIPAA compliant, and what it takes to use it for protected health information.
Salesforce is a leading CRM that streamlines sales and customer support workflows. Organizations across many industries use it to improve their operations and service delivery.
Before bringing Salesforce into their operations, organizations that handle protected health information (PHI) must be sure that their use of the platform can remain compliant with the HIPAA Privacy and Security Rules.
Out of the box, Salesforce is not HIPAA compliant.
Salesforce does ship with security features that support the HIPAA Security Rule's technical safeguards, such as encrypted HTTPS (TLS) connections using 128-bit session keys for data in transit.
These features alone do not make a Salesforce deployment HIPAA compliant, however. There is, for example, no native mechanism to detect and redact sensitive information in an email or customer support ticket created through Salesforce, and the platform lacks native Data Loss Prevention (DLP) functionality.
In short, Salesforce on its own is not HIPAA compliant. Reaching compliance requires a signed Business Associate Agreement, deliberate configuration of access controls and encryption for PHI, and a DLP solution that can automatically detect and redact sensitive data.
Storing patient data and other PHI in Salesforce carries significant compliance risk. One of Salesforce's key features is that it centralizes information, which gives more users access to more records and makes day-to-day management more efficient. For PHI, that same breadth of access is the problem: HIPAA's minimum necessary standard requires that each user see only the PHI their role requires.
Whether a Salesforce deployment is HIPAA compliant therefore depends on how the environment is configured. Unless access to PHI is deliberately restricted and its encryption explicitly configured, storing PHI in Salesforce does not meet HIPAA standards.
Under HIPAA, a cloud service provider that stores or processes PHI on behalf of a healthcare organization is a business associate, and the healthcare organization must have a signed Business Associate Agreement (BAA) with the provider before any PHI is placed in the service.
Salesforce does offer a BAA, but it does not publish the agreement for public inspection. Prospective customers must contact Salesforce, which then shares the relevant BAA. Salesforce's position is that this process lets it scope the agreement to specific products, such as Health Cloud, its CRM for the healthcare and life sciences industries.
Even with Salesforce's security measures in place, some risk of data leakage remains.
The number of places data can live inside Salesforce is itself a risk. Emails, attachments and chat messages are convenient for users, but each is another location where PHI can end up, and the more widely the data is scattered, the harder it is to control access to all of it. Security also depends on employees who are trained in, and actually follow, the organization's privacy and security procedures.
These risks highlight the need for robust DLP strategies when healthcare organizations integrate CRM tools into their operations.
Salesforce has reasonable security features for safeguarding sensitive data, but it lacks native Data Loss Prevention functionality. That gap leaves a Salesforce deployment short of HIPAA compliance and exposes PHI in free-text fields, emails and attachments to unauthorized access and to employee mistakes.
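To make concrete what "automatically detect and redact" sensitive data across several storage locations means, here is an added example written for this page; it is not Strac's product, not a Salesforce feature, and not code from the original article. It runs a pattern-based PHI scanner over constructed sample text standing in for a Case description, an EmailMessage body and a chat transcript (the object names, record IDs, field names and every identifier in the samples are made up), redacts the identifiers it recognizes while keeping the surrounding context readable, and reports which objects and fields held PHI.

```python
import re

# Constructed sample records standing in for content pulled from several
# Salesforce storage locations (a Case description, an EmailMessage body and
# a chat transcript). All names, IDs and numbers here are made up.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "500xx0000000001", "field": "Description",
     "text": ("Patient Jane Doe, SSN 123-45-6789, MRN 00483921, "
              "DOB 03/14/1968 called about a billing question.")},
    {"object": "EmailMessage", "id": "02sxx0000000002", "field": "TextBody",
     "text": "Hi team, please update the chart for MRN 77112233; phone 555-867-5309."},
    {"object": "LiveChatTranscript", "id": "570xx0000000003", "field": "Body",
     "text": "Agent: Thanks, no further details are needed today."},
]

# Identifier patterns (assumed formats). Group 1 is the value to redact;
# anything outside the group (e.g. the "MRN" label) is kept so the record
# stays readable after redaction.
PATTERNS = {
    "SSN": re.compile(r"\b(\d{3}-\d{2}-\d{4})\b"),
    "MRN": re.compile(r"\bMRN\s*[#:]?\s*(\d{6,10})\b", re.IGNORECASE),
    "DOB": re.compile(r"\bDOB\s*:?\s*(\d{2}/\d{2}/\d{4})\b", re.IGNORECASE),
    "PHONE": re.compile(r"\b(\d{3}[-.]\d{3}[-.]\d{4})\b"),
}


def redact_text(text):
    """Return (redacted_text, [labels found]) for one free-text value."""
    findings = []
    for label, pattern in PATTERNS.items():
        def _sub(m, label=label):
            findings.append(label)
            # Replace only the captured value; keep the text around it.
            lead = m.group(0)[: m.start(1) - m.start(0)]
            tail = m.group(0)[m.end(1) - m.start(0):]
            return f"{lead}[REDACTED-{label}]{tail}"
        text = pattern.sub(_sub, text)
    return text, findings


def scan_records(records):
    """Run redaction over every record and report what was found where."""
    results = []
    for rec in records:
        redacted, findings = redact_text(rec["text"])
        results.append({**rec, "redacted": redacted, "findings": findings})
    return results


def phi_locations(results):
    """Distinct (object, field) pairs in which PHI was detected."""
    return sorted({(r["object"], r["field"]) for r in results if r["findings"]})


if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for r in results:
        print(f"{r['object']}.{r['field']} ({r['id']}): {r['findings'] or 'clean'}")
        print("   ", r["redacted"])
    print("PHI found in:", phi_locations(results))
```

Two things the example makes visible. First, the same scan has to run over every object that can hold free text, because the email and the case each leak a different identifier; the chat transcript comes back clean, which is the negative case a scanner must also get right. Second, a regex pass like this only catches identifiers it has a labelled format for. "Jane Doe" is PHI too and is not touched, and an unlabelled eight-digit number would be missed; closing that gap with context-aware detection is what a dedicated DLP product exists to do.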
Strac specializes in scanning, detection/discovery, and remediation of sensitive data across SaaS, Cloud, and Endpoint devices. For healthcare organizations using Salesforce, Strac offers a comprehensive Salesforce DLP solution.
Strac's key features prevent data leaks through a combination of the following:
Learn more about Salesforce HIPAA compliance with our guide to Salesforce data loss prevention.
Schedule a free 30-minute demo to learn more about SaaS data loss prevention with Strac.