Using Salesforce in a HIPAA compliant manner is a shared responsibility. Salesforce provides a platform that secures data and provides physical, technical, and administrative safeguards. It is up to the Salesforce user organization to configure the platform correctly.
It’s why bringing in a proven, trusted partner with Salesforce health and life sciences experience can help you play the game more effectively.
That being said, clients often ask us, "Is Salesforce HIPAA compliant?" When we determine what Salesforce HIPAA compliance means to our clients, we always say, "It depends." Compliance, usually granted by a third-party auditing agency, is based on taking reasonable steps to meet the required and addressable aspects of HIPAA.
It also greatly depends on the nature of the client’s business, their size, technical infrastructure, likelihood of risk, costs, and the amount of resources available to them.
At the most basic level, the Department of Health and Human Services (HHS) specifies that organizations covered by HIPAA must:
- Ensure the confidentiality, integrity, and availability of e-PHI created, received, maintained or transmitted
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by the workforce
You can read about the long-form details at the official HHS HIPAA page.
Penrod is also aware that external (and internal) threats add an additional layer of complexity on top of Salesforce HIPAA compliance. According to the Cloud Security Alliance’s report “The Treacherous 12”, cloud computing’s top threats are:
- Data Breaches
- Insufficient access management
- Insecure interfaces and APIs
- System vulnerabilities
- Account hijacking
So, how do the existing tools in Salesforce help organizations build HIPAA compliant solutions that also conclusively address the threats listed above?
Here at Penrod, we use the acronym "AAIT" to identify them: Access controls, Audit controls, Integrity controls, and Transmission security.
Using AAIT as a guide, we build compliant implementations with:
- Salesforce Shield for platform encryption to protect data at rest, and event monitoring plus a field audit trail to prevent malicious activity
- System Security for creating user profiles, password policies, logout policies, and API settings
- Database Security for setting default sharing policies, object CRUD permissions, and permission sets
- Interface Security to secure page layouts, community page access, and custom Lightning and Visualforce components
- Auditing & Integrity for monitoring events, fields, reports, audit trails, and third-party backups
We understand that Salesforce HIPAA compliance is about trust – and we view it as a shared responsibility between our clients and Salesforce.