Yes, Salesforce can be HIPAA compliant, but you must talk to your account representative to sign a Business Associate Agreement (BAA). You can connect Salesforce to “Shield” premium services for additional monitoring, encryption, and auditing.
The Salesforce platform can be set up to meet HIPAA compliance standards through certain features that help keep Protected Health Information (PHI) secure in the cloud. Salesforce complies with the HIPAA Security Rule, including administrative, physical, technical, organizational, and documentation safeguards to protect PHI.
Customers can meet strict HIPAA security requirements using customer-controlled security features through Salesforce Covered Services. Additionally, Salesforce has core security safeguards such as data encryption in transit, ongoing monitoring for security violations, and audit logging to identify changes in activity. Customer administrators can use configurable tools to:
- Define permission sets that govern the visibility of data
- Maintain strict password security
- Track field-level history
- Set security rules to manage data access
- Define a company-wide sharing model and role hierarchy

In addition to permission sets, customers can define user profiles to limit data record access to authorized employees.
It’s a good idea to use the premium set of Salesforce features known as “Salesforce Shield.” These features provide extra monitoring, encryption, and auditing. You might need to enable other features or additional services to ensure the protection of PHI when information is in transit.
If you’re planning to use Salesforce for patient information, reach out to your account representative for a signed Business Associate Agreement (BAA). The account representative can also advise you on specific features and settings for HIPAA compliance.
Salesforce is a cloud-based customer relationship management (CRM) software service. Its other enterprise applications include marketing automation, application development, and analytics.