How Is Salesforce HIPAA Compliant?
The question "Is Salesforce HIPAA compliant?" must be answered with reference to a specific Salesforce product. Salesforce Service Cloud is one such product. Salesforce Service Cloud is a customer relationship management (CRM) platform for customer service and support, based on the company's CRM software for sales professionals.
Service Cloud is frequently used by covered entities as a business associate. A "business associate" is a person or entity that performs certain functions or activities, involving the use or disclosure of protected health information (PHI), on behalf of a covered entity.
The following example demonstrates how Service Cloud can be used to perform business associate functions. Suppose you are a customer service representative (“CSR,” for short). You are using Service Cloud to view a new support ticket. A customer sends an inquiry. In the inquiry, the customer states that his doctor wants him to get additional testing to rule out kidney cancer. The customer wants to know whether the additional testing is covered by his health insurance. Is this a HIPAA scenario? Yes. The customer’s contact information, in combination with the information about the medical condition, is protected health information. Service Cloud is being used to provide a service to the covered entity, which involves PHI. As such, Service Cloud is a business associate, and must comply with HIPAA.
What is Needed to Render Salesforce Service Cloud HIPAA Compliant?
The Salesforce platform itself can be rendered HIPAA compliant. Salesforce, as a business associate, must enter into a business associate agreement with the covered entities on whose behalf it performs functions involving PHI. Salesforce will enter into a business associate agreement with covered entities.
When data is viewed within the Salesforce platform, the data is known as data at rest. Data at rest, which is data stored on a server, must be secured to preserve its integrity. Several tools can be used to verify the integrity and authenticity of data, including magnetic disk storage, error-correcting memory, checksum technology, and digital signatures. An organization must also be able to authenticate users, to ensure that they are authorized to view PHI. If a covered entity takes these measures, and its business associate signs the business associate agreement and complies with the HIPAA Privacy Rule and the HIPAA Security Rule, there is no "Salesforce Service Cloud compliance issue": the situation is a HIPAA compliant one.
HIPAA applies to data in motion as well as to data at rest. Data in motion is data that travels over a public network, such as the Internet. Such data must be encrypted in transit. Whenever the hypothetical support ticket above is replied to (as opposed to merely read), PHI is invariably copied as part of the ongoing ticket thread. Because this "thread" is sent from the covered entity to the customer in electronic form, it becomes data in motion as soon as it begins its journey across the Internet. With respect to data in motion, Service Cloud is still acting as a business associate: it is performing an activity for a covered entity that involves PHI. Salesforce will sign a business associate agreement regardless of whether the PHI it transmits or uses is at rest or in motion.
Covered entities must encrypt data in motion. The encryption must be performed before the message is sent, for HIPAA compliance to be achieved. Solutions such as DataMotion SecureMail can be evaluated by covered entities for integration with Salesforce. DataMotion SecureMail automatically encrypts messages that contain PHI.