Is Salesforce HIPAA Compliant?
Salesforce can be used in a HIPAA compliant manner provided that uses and disclosures of PHI are limited to the services covered by Salesforce’s Business Associate Agreement and that the restrictions attached to each covered service are complied with. It is also important to be aware that Salesforce’s Business Associate Agreement does not apply to third-party integrations with access to PHI.
Salesforce is a well-known Customer Relationship Management (CRM) service that facilitates communications between businesses and customers. Through the “marketing cloud”, Salesforce offers products for customer service, data analytics, and marketing, and developers can also build apps on the Salesforce platform.
By default, there are a number of features in Salesforce that support its use in a HIPAA-compliant manner. Salesforce has a minimum standard security protocol with a 128-bit encryption key and requires an HTTPS connection – both of which are steps towards protecting data in accordance with the HIPAA Security Rule.
However, there are some compliance issues with certain products and services. For example, the basic Event Monitoring service only stores 30 days of data, which falls short of what is required for HIPAA compliance. Consequently, not all Salesforce products and services can be used to create, receive, store, or transmit ePHI, and – as a result – Salesforce will only sign a Business Associate Agreement for selected products and services.
The Importance of Reading Salesforce’s Business Associate Agreement
The requirement to enter into a Business Associate Agreement before creating, receiving, storing, or transmitting ePHI via a Business Associate’s product or service appears in both the Privacy Rule (45 CFR §164.502(e)) and the Security Rule (45 CFR §164.314(a)). In the context of using a Salesforce HIPAA compliant product or service, both requirements are equally relevant.
The Privacy Rule requirement states a Covered Entity must obtain satisfactory assurances that the Business Associate will appropriately safeguard ePHI disclosed to it, while the Security Rule states Business Associates must comply with all relevant Security Rule standards and inform the Covered Entity in the event of a data breach. The assurances and an undertaking to comply with all relevant standards must be written into the Business Associate Agreement according to 45 CFR §164.308(b)(3).
The issue with Salesforce’s Business Associate Agreement is that it is not available for public inspection. Salesforce’s customers are required to contact an account representative to obtain a Salesforce Business Associate Addendum. These “Addendums” can vary according to the product or service being used and – for certain products and services – it may be necessary to enter into a product-specific Addendum in addition to a general Addendum.
The reason why it is important to read each Addendum before entering into a Business Associate Agreement with Salesforce is that Covered Entities can be fined – or have the penalties for data breaches increased – for failing to enter into an appropriate Business Associate Agreement. Indeed, financial penalties – or a Corrective Order Plan – can be imposed by HHS’ Office of Civil Rights even when no data breach has occurred, as the failure to enter into an appropriate Business Associate Agreement with a software vendor is itself a HIPAA violation.
What Services Offered by Salesforce are HIPAA Compliant?
Before listing the services offered by Salesforce that are HIPAA compliant, it is important to be aware that Salesforce places a number of restrictions on how these services are used. For example, Salesforce’s Business Associate Agreement does not cover a service if it is deployed in the Covered Entity’s own environment – only if it is deployed in Hyperforce or another cloud service over which Salesforce has control.
It is also important to be aware that Salesforce takes no responsibility for ePHI in transit between a Covered Entity and Salesforce’s servers, but places the responsibility for data encryption in transit with the Covered Entity. Finally, although the following list itemizes which services offered by Salesforce can be HIPAA compliant, many services are restricted in how they can be used. A full list of restrictions can be found on this page.
| Salesforce HIPAA Compliant Services as of January 2024 (restrictions may apply) | | |
|---|---|---|
| B2B Commerce | Government Cloud Plus | Quip Services |
| B2B2C Commerce | Headless Browser Service | Sales Cloud |
| Commerce Cloud Digital | Health Cloud | Salesforce Maps Services |
| Chatter | Heroku Services | Salesforce Mobile App |
| CRM Analytics | Intelligent Form Reader | Salesforce Order Management |
| Customer Data Cloud | Intelligence Services | Salesforce Private Connect |
| Customer Data Platform | IoT Explorer | Salesforce Slack Integration |
| Database.com | Lightning B2B Commerce | Service Cloud |
| Digital Process Automation | Lightning Platform | Service Cloud Voice |
| Einstein Services | Loyalty Management | Site.com |
| Emergency Program Management | MuleSoft Services | Slack Enterprise |
| Messaging for In-App and Web | Salesforce Payments | Tableau Cloud |
| Experience Cloud | Nonprofit Cloud Case Management | Vlocity Health Package |