Penrod Blog

Four Salesforce HIPAA Controls For Compliance

Salesforce HIPAA compliance can seem like a complex game. And the requirements laid out by HIPAA itself may seem…well, hungry for your resources, time, and revenue - like Hungry Hungry HIPAA.

But playing the game is more approachable than you think.

We’ve found that Salesforce-oriented organizations can obtain compliance in very approachable ways. Salesforce has been trusted by regulated industries (fintech, government, and healthcare) for almost 20 years, secures both the application and the underlying infrastructure at every level, and provides tools that we at Penrod utilize on every project that requires Salesforce HIPAA compliance.

HIPAA is serious, and it’s outcome-focused. It specifies the outcomes, but not how to achieve them. In other words, how you play the game to obtain compliant outcomes is up to you and your team.


Using Salesforce in a HIPAA compliant manner is a shared responsibility. Salesforce provides a platform that secures data and provides physical, technical, and administrative safeguards. It is up to the Salesforce user organization to configure the platform correctly.

That is why bringing in a proven, trusted partner with Salesforce health and life sciences experience can help you play the game more effectively.

That being said, clients often ask us, “Is Salesforce HIPAA compliant?” When we determine what Salesforce HIPAA compliance means to our clients, we always say, “It depends.” Compliance, usually granted by a third-party auditing agency, is based on taking reasonable steps to meet the required and addressable specifications of HIPAA.

It also greatly depends on the nature of the client’s business, their size, technical infrastructure, likelihood of risk, costs, and the amount of resources available to them.

At the most basic level, the Department of Health and Human Services (HHS) specifies that organizations covered by HIPAA must:

  • Ensure the confidentiality, integrity, and availability of e-PHI created, received, maintained, or transmitted
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure compliance by the workforce

You can read about the long-form details at the official HHS HIPAA page.

Penrod is also aware that external (and internal) threats add an additional layer of complexity on top of Salesforce HIPAA compliance. According to the Cloud Security Alliance’s report “The Treacherous 12”, cloud computing’s top threats include:

  • Data breaches
  • Insufficient access management
  • Insecure interfaces and APIs
  • System vulnerabilities
  • Account hijacking

So, how do the existing tools in Salesforce help organizations build HIPAA compliant solutions that also address the threats listed above?

Here at Penrod, we use the acronym “AAIT” to identify them: Access controls, Audit controls, Integrity controls, and Transmission security.

Utilizing AAIT as a guide, we ensure implementations are compliant with:

  • Salesforce Shield for platform encryption to protect data at rest, and event monitoring plus a field audit trail to detect and investigate malicious activity
  • System Security for creating user profiles, password policies, logout policies, and API settings
  • Database Security for setting default sharing policies, object CRUD permissions, and permission sets
  • Interface Security to secure page layouts, community page access, and custom Lightning and Visualforce components
  • Auditing & Integrity for monitoring events, fields, reports, audit trails, and third-party backups

We understand that Salesforce HIPAA compliance is about trust – and we view it as a shared responsibility between our clients and Salesforce.

Ready for Salesforce HIPAA compliance?

Talk with the Salesforce health and life sciences experts.
