Is Salesforce.com HIPAA compliant? We get that question a lot.
It might seem black and white, but the issue is actually a bit more complicated than that. Here's why:
- HIPAA is not just one law or regulation—there’s the original act itself (from 1996), as well as several relevant subsequent regulations.
- There is no standard test or evaluation with which to assess a system, especially a “system” like Salesforce.com, which isn’t really a complete, unchangable application so much as it is a highly customizable platform with a large ecosystem of apps.
- The regulations cite “requirements” and “addressable concerns,” the latter of which are not mandatory. But if you’re not abiding by those, you'd better document a legitimate rationale for not doing so!
- Portions of the regulations are rather ambiguous.
- The regulations are one thing… but an organization may be beholden to business associate agreements (BAAs) that are more specific, have higher standards, shorter time frames for reporting breaches, etc.
- “Compliance” means more than technical specifications and features—your use of the system, the systems it integrates with, and your general business practices may render a HIPAA “safe” solution a significant HIPAA compliance risk.
So, how do you figure this out? We’ll get to our recommendations soon. First, here are a few more questions to consider. Maybe you've been asking them, too:
Q: Will Salesforce.com sign a BAA?
A: Yes, they do all the time, and they have a standard agreement at the ready.
Q: Will that BAA with Salesforce.com be enough to cover my compliance needs (for covered entities) or the requirements of my most restrictive BAA with my clients / partners?
A: That depends on your BAAs and your specific needs. Evaluate Salesforce.com’s BAA and your other BAAs thoroughly. Many of our clients are quite satisfied with Salesforce.com’s standard BAA.
Q: Can Salesforce.com safely handle PHI (protected health information)?
A: Yes, with some caveats. Keep reading...
There are several ways to work with PHI in Salesforce.com—depending on your specific BAAs and interpretations of HIPAA/risk tolerance, you have the following options:
- Store PHI in Salesforce.com, and use “out of the box” features of Salesforce.com to limit access to it and otherwise further secure it. Many of our customers are satisfied with this approach, especially those that are moving away from far less secure/compliant applications or processes (emailing around Excel files, for example).
- In addition, purchase Salesforce.com’s new “Shield” components—these allow for two major enhancements relating to HIPAA: much-improved logging and far more comprehensive encryption of data at rest (an addressable concern).
- In addition to all of that, take things further by implementing best practices to back up your audit logs “off system”. Note that HIPAA requires maintaining audit logs for 6 years as a minimum, and Shield’s event monitoring/logging feature does not retain data for that long.
- Still concerned? Keep your PHI off of Salesforce.com entirely, but make the PHI you'd want there securely accessible via Salesforce’s “Connect” offering, which utilizes the OData standard. Some clients are more comfortable with this approach, which gives them lots of flexibility relating to logging of PHI access and encryption of data at rest. It’s easy for us to wrap PHI data sources for OData/Connect use, which means that to your users, the PHI seems to be “in” Salesforce.com: you can do most tasks (but not all—evaluate constraints while defining your solution) in Salesforce.com with this “remote” data just like it was stored in Salesforce.com.
Here are our recommendations regarding approaching HIPAA and Salesforce.com:
- Assess your organization’s collective risk tolerance and interpretation of HIPAA, including any BAAs to which you're contractually bound.
- Learn about the Salesforce.com features that will help you protect your PHI—what you get “standard,” what you get with “Shield,” and what you can do with “Connect.” Note that we highly recommend Shield for clients who are storing PHI on Salesforce.com!
- Develop an appropriate Salesforce.com-based solution that meets your needs and relevant legal and system constraints.
Watch our video presentation for an in-depth look at HIPAA compliance, Salesforce.com and Shield.
Read more about our healthcare solutions:
- Maximizing the Capabilities of Health Cloud
- I'm the Patient, Remember Me?
- Interoperability & Quality Process Supporting EHRs
- 5 Steps to an Effective Data Governance Plan
Connect with us for a complimentary 1:1 call with our healthcare expert.