HIPAA Compliance
Safeguard your Protected Health Information with confidence
Protect sensitive health data and meet HIPAA standards with ease
HIPAA compliance made simple
Data backup
Schedule secure backups that meet HIPAA standards. Encrypted data is stored off-site with the option for customer-managed Bring Your Own Key (BYOK).
Data retention
Tailor retention policies to meet regulations, keeping data only as long as required.
Data anonymization
Mask sensitive data in development and testing environments while maintaining accuracy for building and testing.
Streamlined data management
Data recovery
Recover lost or corrupted data quickly. Deploy recovered data to any org as part of your disaster recovery strategy.
Data monitoring
Configure smart alerts to detect unusual changes or deletions, so you can act immediately to protect PHI.
Data seeding
Seamlessly seed compliant data into sandboxes or production environments.
Auditing with version control
- Download a full report for auditors, and stay up to date with HIPAA compliance regulations.
- Get a solid overview of how compliant your development process is through version control.
- Create a single source of truth for all live code and see who changed what and when with a full audit trail of every change made in Salesforce.
Security you can trust
For organizations handling Protected Health Information (PHI), Gearset offers a separate, HIPAA-compliant infrastructure in the US. We can also sign a Business Associate Agreement (BAA), ensuring that how we handle PHI aligns with HIPAA regulations.
Gearset is ISO 27001 certified and offers you enterprise-grade security. Your Salesforce data and metadata are encrypted in transit and at rest, hosted on the same AWS data centers trusted by Salesforce, with 24/7 intrusion detection.
2800+ customers trust Gearset
If we had a complete failure, I’m confident our data is safe in our Gearset backups and we’d be able to restore. We’ve got that peace of mind.
Chris Deutschmann
Sage People Configuration Consultant, Sage
HIPAA FAQs
The US Department of Health and Human Services (HHS) has set up some crucial guidelines to protect US citizens’ health information. Known as the HIPAA Privacy Rule, it’s all about safeguarding sensitive health data and keeping patients’ information secure.
There’s also the HIPAA Security Rule which takes things a step further by laying down national standards to protect health data when it’s stored or transmitted electronically. For business associates of healthcare providers and related companies, there’s a notification rule that requires any breach of information to be disclosed to them within 60 days.
To make sure these rules are followed, the Office for Civil Rights (OCR) within HHS is responsible for ensuring that healthcare providers and related companies comply with these privacy and security measures, using both voluntary compliance efforts and penalties when needed. It’s all about keeping electronic PHI (e-PHI) safe and secure.
HIPAA compliance is a requirement for any US company that maintains PHI data on behalf of its patients, customers, employees, students or other individuals.
These companies are known as Covered Entities, and according to the US Department of Health and Human Services (HHS) they include:
Healthcare providers
Including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, and hospitals.
Health plans
Including health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.
Healthcare clearinghouses
Entities that process non-standard health information they receive from another entity into a standard form of PHI (such as standard electronic format or data content), or vice versa.
Business associates
Firms that deal with PHI on behalf of healthcare companies, including claims processors, accounting firms, consultants, transcriptionists, and pharmacist network management.
This isn’t a simple question to answer, but if your company is using Salesforce to manage and store PHI, then you’ll need to make sure that your Salesforce orgs are HIPAA compliant.
This also applies to data in transit between orgs, data stored in backups and in archives.
Some Salesforce functionality is HIPAA compliant by default, such as its HTTPS connection requirement and 128-bit encryption key, and Salesforce will sign a Business Associate Agreement (BAA) for selected products. Salesforce customers need to request a BAA from their account team on a case-by-case basis.
The list of products that can be covered by a BAA is limited, particularly when it comes to the length of time required to store data to be HIPAA compliant. Event Monitoring services, for example, will only store data for up to 30 days.
The Salesforce HIPAA compliance BAA is also only applicable to data stored in Hyperforce or another Salesforce cloud service it controls, and it does not apply to any third-party apps connected to Salesforce.
Finally, Salesforce’s BAA does not cover PHI data in transit between their servers and the user, and instead places the data protection and encryption responsibilities in the hands of the Covered Entity.
So is Salesforce HIPAA compliant? While many products on the Salesforce platform, including Health Cloud, Experience Cloud and Service Cloud, have some level of HIPAA compliance built in, the functionality that is able to be covered by a BAA can be very limited.
A HIPAA violation occurs when covered healthcare entities or business associates fail to comply with one or more of the requirements set out in the privacy, security or notification rules.
Penalties vary depending on what tier the violation is said to have occurred under. For example, a tier 1 violation is something that couldn’t have been foreseen or realistically avoided, whereas a tier 4 is where "willful neglect" has resulted in a violation, and there has been no attempt to rectify it.
Fines range from $137 to $68,928 per violation, and intentional violations can also bring criminal charges that could result in a prison sentence.
Take control of your PHI with Gearset
Our team of DevOps experts is on hand to support your journey to Salesforce compliance, and then help you maintain HIPAA compliance. Get in touch to book a consultation with our expert team and find out how Gearset can help.