Organizations using Salesforce are often subject to the Health Insurance Portability and Accountability Act (HIPAA), meaning their customer data must be protected to the highest security standards. To guarantee compliance with HIPAA, customers must adhere to specific regulations set forth by the US Department of Health and Human Services (HHS). This guide walks Salesforce customers step by step through what is needed to ensure HIPAA compliance on Salesforce.

The HHS governs HIPAA and provides the regulations and the requirements needed to comply with them. All of the regulations that apply to Salesforce fall under the Administrative Simplification section of HIPAA, which outlines the rules that healthcare and healthcare-related organizations must follow when they use Salesforce or other cloud services. These are the Privacy Rule, the Security Rule, and the Breach Notification Rule.

To begin compliance, the organization must first sign a business associate agreement (BAA). The BAA legally binds an organization to protect any protected health information (PHI) in accordance with HIPAA compliance standards. If PHI will be stored or processed in Salesforce, customers must enter into a business associate agreement with Salesforce. The BAA must also include a clause that explains Salesforce will not permit the customer to store or transmit any PHI on their platform.

Once this agreement is in place, organizations must make sure they understand the requirements of the Privacy Rule. It requires covered entities to document how the end user’s data is used, who can access the data, and any potential risks associated with it. The Security Rule requires organizational compliance with the Administrative, Physical, and Technical Safeguards of HIPAA. The Administrative Safeguards include designating a Security Officer to oversee data compliance, documenting a risk analysis, and documenting a contingency plan. The Physical Safeguards require organizations to physically protect the data and control physical access to it. Lastly, the Technical Safeguards include encryption of all data in transit and at rest, as well as authentication and access control.

The Breach Notification Rule is also central to HIPAA compliance. The rule states that if a breach of PHI is suspected, the covered entity must act immediately to investigate the issue. It is essential that organizations have effective procedures in place to detect any potential breach and remediate it promptly. Additionally, if the breach is suspected to have been caused by the Salesforce platform, organizations must notify Salesforce of the breach and provide the information needed to rectify it.

It is essential that all organizations that use Salesforce and are subject to HIPAA understand and comply with the regulations set forth by HHS. To ensure HIPAA compliance on Salesforce, customers must sign a BAA with Salesforce, maintain a deep knowledge of the Privacy Rule, the Security Rule, and the Breach Notification Rule, and implement proper procedures to detect potential breaches. Using a dedicated Salesforce release management, data backup and recovery, and security solution will also add an extra layer of security and decrease the risk of PHI breaches.
