Salesforce can enable HIPAA compliance, but you must talk to your account representative to sign a Business Associate Agreement (BAA). You can connect Salesforce to “Shield” premium services for additional monitoring, encryption, and auditing.
Customers can use customer-controlled security features through Salesforce Covered Services. Additionally, Salesforce provides security safeguards such as data encryption in transit, ongoing monitoring for security violations, and audit logging to identify changes in activity. Customer administrators can use configurable tools to define permission sets that govern the visibility of data, enforce strict password policies, track field-level history, set security rules to manage data access, and define a company-wide sharing model and role hierarchy.
In addition to permission sets, customers can define user profiles to limit data record access to authorized employees.
It’s a good idea to use the premium set of Salesforce features known as “Salesforce Shield.” These features provide extra monitoring, encryption, and auditing. You might need to enable other features or additional services to ensure the protection of PHI when information is in transit.
If you’re planning to use Salesforce for patient information, reach out to your account representative for a signed Business Associate Agreement (BAA). The account representative can also advise you on specific features and settings for HIPAA compliance.