When salesforce.com acts as a business associate on behalf of a covered entity, salesforce must, per HIPAA regulations, enter a Salesforce Business Associate Agreement with that covered entity.

What is a Salesforce Business Associate Agreement?

Through a salesforce business associate agreement, the parties implement certain requirements of HIPAA. These requirements are comprised of HIPAA Privacy Rule and HIPAA Security Rule regulations.

Do you have signed business associate agreements? If not you’re at risk! Learn more about business associate agreements here.

In the agreement, salesforce acknowledges that in the course of providing services, salesforce may receive, maintain, or transmit patient or customer data that constitutes PHI, rendering salesforce a business associate as a result. 

In its standard business associate agreement, salesforce also notes that neither it nor its subcontractors create PHI. 

The remainder of the business associate agreement outlines each party’s responsibilities, including those with respect to PHI. Pertinent provisions of the agreement include:

1. Use and Disclosure of PHI by Covered Entity. Under this provision, the covered entity and Salesforce (acting as a Business Associate, or BA), agree that the Covered Entity may not authorize, request, or require salesforce to use or disclose PHI in any manner that would violate HIPAA, if the use or disclosure were carried out by the covered entity.
2. Use and Disclosure of PHI by Salesforce. Under this provision, salesforce states that it will use or disclose PHI only in the manner and for the purposes set forth in the business associate agreement – that is for providing BA services, or preventing or addressing service or technical problems.
3. Use and Disclosure of PHI as Required by Law. Under this provision, salesforce agrees:
   1. To ensure that any subcontractors receiving, maintaining, or transmitting PHI on behalf of salesforce, agree to restrictions and conditions that are no less restrictive than those that apply to salesforce in the Business Associate Agreement with respect to such PHI. 
   2. To use appropriate administrative, technical, and physical safeguards, and comply, where applicable, with the HIPAA Security Rule with respect to any PHI constituting electronic protected health information (ePHI)
   3. To prevent use or disclosure of PHI other than as provided for by the Business Associate Agreement.
4. Reporting Obligation. This provision requires salesforce to report to the covered entity any use or disclosure of PHI not provided for in the business associate agreement of which salesforce.com becomes aware, including any breach of unsecured PHI. 
5. Obligation to Provide Names of Individuals. This provision requires salesforce to provide the covered entity with, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by salesforce to have been, accessed, acquired, used, or disclosed during the breach.
6. Obligation to Provide Additional Information. This provision requires salesforce to provide any additional available information reasonably requested by the covered entity for purposes of investigating the breach.