
Healthcare Data Archiving: How to Do It Right and Stay Compliant


Audit preparation has a way of exposing uncomfortable truths, and one of the most common is that archived Salesforce data no longer carries the controls applied in active systems. For compliance managers and Salesforce administrators, that realization creates immediate pressure: archived ePHI still falls under federal safeguards, yet standard platform archiving can quietly strip the protections that kept the data defensible in the first place.

This article lays out a practical framework for data archiving in Salesforce—which regulatory requirements apply to archived ePHI, where standard platform capabilities fall short, and the five controls that close the gap. Every section maps to an enforceable standard rather than general best practice, so teams walk away with controls they can defend during an audit and a retrieval approach that doesn't open new security gaps along the way.

What HIPAA and HITECH Require for Archived Data

Archived Salesforce data is subject to the same safeguards as active ePHI, which means retention gaps, weak controls, and incomplete records all translate directly into audit exposure. The sections below pull those requirements into a single Salesforce-focused reference.

Retention floors vary by program participation

HIPAA compliance documentation carries a six-year retention period from creation or last effective date, but CMS program rules layer additional floors on top: seven years for Medicare Part A/B ordering physician records and ten years for Medicare Part D sponsor records. When multiple frameworks apply, organizations have to follow the longest period across all of them.

Technical safeguards apply to all systems containing ePHI, including archives

Archived ePHI does not sit outside active security requirements. NIST SP 800-66r2 makes no distinction between active and archived ePHI when applying required specifications, which means archive design in Salesforce has to carry these standards across every storage tier:

  • Access control (45 CFR § 164.312(a)(1)): Unique user identification and emergency access procedures are required, not addressable
  • Audit controls (45 CFR § 164.312(b)): Hardware, software, and procedural mechanisms recording all activity carry no alternative
  • Integrity controls (45 CFR § 164.312(c)(1)): Policies protecting ePHI from improper alteration or destruction
  • Authentication (45 CFR § 164.312(d)): Identity verification for all access to ePHI systems, including archives

Enforcement penalties reach seven figures

When control failures persist, HITECH penalties get expensive fast. Willful neglect that isn't corrected within 30 days carries penalties up to $1,500,000 yearly, and in 2024 Warby Parker drew a $1,500,000 penalty for exactly that pattern—inadequate risk analysis paired with insufficient review of information system activity records. Lack of administrative safeguards for ePHI remains one of the most frequently cited violation categories in OCR enforcement data.

Where Standard Salesforce Archiving Falls Short

Standard Salesforce archiving leaves documented compliance gaps for healthcare data, with the main conflicts clustered around encryption, retention duration, and data integrity—any one of which can put archived ePHI out of step with the requirements above.

Encryption is the most consequential gap. Salesforce Big Objects, the platform's primary large-scale archiving mechanism, do not support Shield encryption, so encrypted ePHI from standard or custom objects is stored as clear text once it's archived to a custom Big Object. Compounding the problem, Shield Platform Encryption itself is a paid add-on, which limits at-rest encryption options on standard licenses.

Retention duration creates a second structural conflict. Standard Field History Tracking retains data for 18 to 24 months depending on access method—18 months through the UI, 24 through the API—and extending beyond that requires Salesforce Shield's Field Audit Trail feature or an external archive. Either way, the default leaves a significant gap against the six-year floor.

A handful of additional limitations compound these issues:

  • A single archiving policy is limited to 2 million records, which requires multiple policies for larger datasets
  • Big Objects provide no standard UI, which requires custom development for viewing archived records
  • PII anonymization for archived records remains in Beta status, which requires added caution for regulated data

5 Requirements for Compliant Healthcare Archiving

Compliant healthcare archiving in Salesforce comes down to five controls, each mapped to an enforceable standard or a documented failure mode. Compliance managers can use the list as a checkpoint for archive design, change control, and retrieval workflows.

1. Field-level data classification before archiving begins

Classification has to be assigned when data is created, not retrofitted during archiving. The Compliant guide calls for field-level definition of applicable regulations, data owner, sensitivity level, and usage status—settings that go on to shape archive rules and governance decisions long before records move into lower-cost storage. Without them, governance over archived data isn't defensible.

2. Encryption that persists across all storage tiers

Archived ePHI has to retain encryption at rest and in transit. NIST maps this requirement to SC-28, protection of information at rest, which drives both storage design and how teams document controls around archived records. Key management needs to be formally documented as part of that picture, including key holders, rotation schedules, and disposition procedures.

3. Tamper-resistant audit trails covering the full record lifecycle

Tamper-resistant logging is a core archive control, not an optional add-on—federal health IT certification criteria explicitly require tamper-resistant logs. For Salesforce archives, that means every record access and archive-related action needs a complete, reviewable history capturing user identity, role at time of access, timestamp, record identifier, and action taken. Collection without regular review isn't enough on its own, as the Memorial Healthcare System $5.5 million settlement made clear.
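The article does not prescribe a mechanism for tamper resistance; one common approach is an HMAC hash chain, sketched here as an added example that is not Flosum or Salesforce code. The field names, sample rows and key handling are assumptions: the key and the latest head hash are presumed to be stored outside the reach of anyone who can edit the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor that the first entry chains to
REQUIRED = ("user_id", "role", "timestamp", "record_id", "action")

def _digest(key, prev_hash, event):
    # Canonical JSON so the same event always produces the same MAC.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_hash + body).encode(), hashlib.sha256).hexdigest()

def append_event(log, key, event):
    """Append one audit event, refusing entries that lack a required field."""
    missing = [f for f in REQUIRED if not event.get(f)]
    if missing:
        raise ValueError(f"audit event missing fields: {missing}")
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"event": dict(event), "prev": prev_hash,
             "hash": _digest(key, prev_hash, event)}
    log.append(entry)
    return entry

def verify_chain(log, key, expected_head=None):
    """Return -1 if intact, else the index of the first bad entry."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        good = _digest(key, prev_hash, entry["event"])
        if entry["prev"] != prev_hash or not hmac.compare_digest(entry["hash"], good):
            return i
        prev_hash = entry["hash"]
    # Dropping entries from the tail leaves a valid chain; only a head
    # hash recorded elsewhere reveals it.
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return -1

def build_sample_log(key):
    # Constructed sample rows, in REQUIRED field order.
    rows = [
        ("u-017", "Nurse", "2024-03-01T09:15:00Z", "REC-0001", "view"),
        ("u-002", "Admin", "2024-03-01T10:02:00Z", "REC-0001", "archive"),
        ("u-031", "Records Clerk", "2024-03-04T14:40:00Z", "REC-0001", "restore"),
    ]
    log = []
    for row in rows:
        append_event(log, key, dict(zip(REQUIRED, row)))
    return log
```

Running `verify_chain` on a schedule and recording its result gives reviewers evidence that the log was checked, not just collected.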

4. Referential integrity preservation during archival

Salesforce data models depend on parent-child relationships, and those relationships have to stay intact for archived data to retain its clinical and legal meaning. Archive a patient record without its related child records and you're left with orphaned data—and during record production, a broken referential chain can prevent an organization from demonstrating that its archived records are complete.
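A pre-archive check for the orphaning failure described above, as an added example rather than code from the article or any product. It assumes a simplified record shape with one `parent_id` per record (real Salesforce objects can carry several lookup or master-detail fields), and the sample records are constructed.

```python
from collections import defaultdict

def check_archive_batch(records, batch_ids, already_archived=()):
    """Validate a proposed archive batch against the live parent-child graph.

    records: list of {"id": ..., "parent_id": ... or None} (assumed shape).
    Returns (missing_parent, left_behind):
      missing_parent - batch records whose parent is neither in the batch
                       nor already archived (broken chain inside the archive)
      left_behind    - descendants of a batch record that the batch omits
                       (the orphaned child records the article warns about)
    """
    by_id = {r["id"]: r for r in records}
    children = defaultdict(list)
    for r in records:
        if r["parent_id"]:
            children[r["parent_id"]].append(r["id"])

    batch = set(batch_ids)
    archived = batch | set(already_archived)
    missing_parent = sorted(
        i for i in batch
        if by_id[i]["parent_id"] and by_id[i]["parent_id"] not in archived
    )

    # Walk every level below each batch record, not just direct children.
    left_behind, stack, seen = set(), list(batch), set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for child in children.get(node, []):
            if child not in batch:
                left_behind.add(child)
            stack.append(child)
    return missing_parent, sorted(left_behind)

# Constructed sample: two patients with encounters and one clinical note.
SAMPLE_RECORDS = [
    {"id": "P1", "parent_id": None},
    {"id": "E1", "parent_id": "P1"},
    {"id": "E2", "parent_id": "P1"},
    {"id": "N1", "parent_id": "E1"},
    {"id": "P2", "parent_id": None},
    {"id": "E3", "parent_id": "P2"},
]
```

A batch should be released to the archive job only when both returned lists are empty.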

5. Tested retrieval workflows for patient access compliance

Archived records still have to be retrievable for patient access, because individuals retain the right to access PHI even when it sits in an archive—a standard reinforced in the ONC Playbook. In Salesforce, that shapes retrieval workflow design and the response time each archive tier needs to support, and cold-tier storage can't be allowed to make that access operationally infeasible. Retrieval SLAs should be documented for each storage tier and tested at regular intervals.

Building a Compliant Archiving Strategy

The regulatory ground under archived ePHI is shifting. A proposed federal security rule update would require compliance audits at least every 12 months, along with annual verification of technical safeguards by business associates. If it's finalized, point-in-time readiness stops being enough—continuous, evidence-backed control over archived data becomes the baseline OCR investigators and business-associate auditors will expect to see on demand.

That shift changes the economics of the archiving decisions teams are making right now. Every archive policy deployed without persistent encryption, every change pushed without a reviewable trail, and every retrieval workflow left untested compounds into audit exposure that only grows more expensive the longer it sits. The organizations that come through the new cadence in the best shape will be the ones treating archive governance as a living program—where retention schedules, audit trails, and deployment history are instrumented continuously rather than reconstructed days before an audit.

Waiting until the rule is finalized is the costliest path forward. Control gaps identified now can be closed methodically; the same gaps discovered under audit pressure rarely can. Request a demo with Flosum to see how continuous audit trails and policy-based deployment controls can make your archived ePHI defensible before the next compliance cycle—not after.
