How to achieve HIPAA compliance for your Salesforce orgs

Jamie Wallis


The US Health Insurance Portability and Accountability Act, or HIPAA, requires healthcare organizations and the companies that work with them to put reasonable and appropriate safeguards around their patients’ health information.

Companies that handle this protected health information (PHI), whether it’s a single telephone number tied to a patient or a full medical record, must have administrative, physical, and technical safeguards in place to be HIPAA compliant. And it’s not enough to just have the measures on paper: they have to be implemented, followed, and documented.

In this article, we’ll look at what HIPAA means for companies that use Salesforce to manage PHI, and how they can remain compliant.

What is HIPAA compliance?

The US Department of Health and Human Services (HHS) has issued a set of rules to protect US patients’ health information. The first is the HIPAA Privacy Rule, which sets national standards for when PHI may be used or disclosed, in any form, and gives patients rights over their own records.

The HIPAA Security Rule takes things a step further by laying down national standards for protecting health data when it’s created, stored, or transmitted electronically. There’s also the Breach Notification Rule: a covered entity that discovers a breach of unsecured PHI must notify the affected individuals (and HHS) without unreasonable delay and no later than 60 days after discovery, and a business associate that suffers a breach must notify the covered entity it works for within the same 60-day limit.

The Office for Civil Rights (OCR) within HHS is responsible for making sure healthcare providers and related companies comply with these rules, using both voluntary compliance efforts and penalties when needed. The common goal is keeping electronic PHI (e-PHI) safe and secure.

Who needs to be HIPAA compliant?

HIPAA compliance is a requirement for US organizations that create, receive, maintain, or transmit PHI, whether that PHI belongs to patients, plan members, employees, students, or other individuals.

The organizations directly regulated are known as Covered Entities, and according to the US Department of Health and Human Services (HHS) they include:

Healthcare providers

Including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, and hospitals.

Health plans

Including health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.

Healthcare clearinghouses

Entities that process non-standard health information they receive from another entity into a standard form of PHI (such as standard electronic format or data content), or vice versa.

Business associates

Business associates are not covered entities themselves, but they are directly bound by the Security and Breach Notification Rules and must sign a Business Associate Agreement (BAA) with the covered entity they serve. They’re the firms that handle PHI on behalf of healthcare companies, including claims processors, accounting firms, consultants, transcriptionists, pharmacy network managers, and software and cloud vendors that store PHI.

Is Salesforce HIPAA compliant?

This isn’t a simple question to answer. No platform is HIPAA compliant on its own: if your company is using Salesforce to manage and store PHI, it’s your configuration of the orgs, your processes, and your contracts with Salesforce that together make you compliant.

That scope covers more than the live production org. It also applies to data in transit between orgs, to data stored in backups, and to data held in archives.

Some Salesforce security controls are in place by default, such as the requirement that every connection use HTTPS (TLS) and 128-bit AES encryption for classic encrypted custom fields, and Salesforce will sign a Business Associate Agreement (BAA) for selected products. Salesforce customers need to request a BAA from their account team on a case-by-case basis; it isn’t granted automatically with a licence.

The list of products that can be covered by a BAA is limited, and even covered products may fall short of the retention periods your HIPAA audit and record-keeping obligations demand. Event Monitoring, for example, only retains event log files for up to 30 days, so if you rely on those logs as your audit trail for access to e-PHI, you need to export them to longer-term storage before they expire.

The Salesforce BAA also applies only to data stored in Hyperforce or another Salesforce cloud service that Salesforce itself controls. It does not extend to any third-party apps connected to Salesforce, so every AppExchange package or integration that touches PHI needs its own BAA with its vendor.

Finally, Salesforce’s BAA does not cover PHI once it leaves Salesforce’s servers on the way to the user, and instead places the responsibility for protecting and encrypting that data in the hands of the Covered Entity.

So is Salesforce HIPAA compliant? While many products on the Salesforce platform, including Health Cloud, Experience Cloud and Service Cloud, have some level of HIPAA compliance built in, the functionality that is able to be covered by a BAA can be very limited.

What are the penalties for violating HIPAA guidelines?

A HIPAA violation occurs when a covered entity or business associate fails to meet one or more requirements of the Privacy, Security, or Breach Notification Rules.

Penalties vary depending on which tier the violation falls under. A tier 1 violation is one the organization did not know about and, with reasonable diligence, could not have known about. At the other end, a tier 4 violation is one caused by “willful neglect” that was not corrected within 30 days of discovery.

Civil fines range from $137 to $68,928 per violation (the 2024 inflation-adjusted figures), with an annual cap per type of violation. Knowingly obtaining or disclosing PHI in violation of HIPAA is also a criminal offence, with penalties that can include a prison sentence.

How to keep your Salesforce data protected with Gearset

By providing a data storage and retrieval process that meets HIPAA requirements, Gearset can assure companies subject to HIPAA that our software meets their needs and that their data is managed in a compliant way.

You can be confident that the way your PHI data is processed and stored, and your use of the Gearset platform, supports your obligations under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

Gearset keeps you compliant in a number of ways:

Data backup: Ensure your Salesforce data is backed up on a schedule that meets HIPAA requirements. It’s encrypted and stored off-site and outside of your Salesforce orgs on a dedicated server. Plus, you can enhance your backup security beyond Shield Platform Encryption through customer-managed Bring Your Own Key (BYOK).

Data retention: Choose your data retention policy to make sure you maintain copies of data as required, and remove it as soon as you need to.

Data anonymization: Mask any data used in development and testing, with advanced functionality that allows accurate anonymization for data types and regional variations for fully compliant building and testing.

Data recovery: Full and partial recovery using backups in a way that’s familiar, fast and efficient. You can deploy recovered data to dev, prod, and scratch orgs, as part of your disaster recovery strategy.

Data monitoring: Set up configurable smart alerts that warn you when unusual amounts of data have been changed or deleted. You’ll know straight away when it’s time to put your disaster recovery plan into action and begin data recovery.

Data seeding: Seed data from production, sandboxes, or backups to any Salesforce org with HIPAA compliant data deployments.

Auditing with version control: Get a solid overview of how compliant your development process is through version control. Create a single source of truth for all live code, track changes, and create an audit trail to see who has changed what and when.

For Gearset customers who are required to adhere to the HIPAA guidelines, we now offer a BAA as part of our backup and data solutions.

Protect your data with Gearset

You can get full access to all these areas of Gearset and more as part of a free 30-day trial, with nothing to install in your orgs.

Our team of DevOps experts are also on hand to support your journey to Salesforce compliance, and then help you in maintaining HIPAA compliance. Get in touch to book a consultation with our expert team and find out how Gearset can help.