Resources /
Blog

How to Make Salesforce HIPAA-Compliant

Submit your details to get a book

Min Read
Resources /
Blog

How to Make Salesforce HIPAA-Compliant

Download

Submit your details to get a book

Min Read

Compliance reviews fall apart when a team cannot show who changed Salesforce permissions before an audit, and releases create their own risk when metadata changes expose PHI fields with no clean rollback path. Salesforce provides platform security tools, but customers still own configuration and access responsibility.

That ownership gap is where most compliance problems start. Even when core platform security is in place, release operations can open audit and access gaps that undermine it. Permissions, metadata, and approvals all change risk at release time, which means HIPAA compliance depends on controlling deployments as tightly as stored data.

This article explains why Salesforce teams should treat deployment governance as a formal safeguard, with release processes that preserve evidence, validate access changes, and stop unsafe configuration before it reaches production.

What HIPAA Requires for Salesforce Environments

HIPAA safeguards apply directly to Salesforce releases, which means deployment changes must be governed like ePHI access. HIPAA requirements reach into Salesforce configuration and deployment, not only the records stored in the platform. Release processes can change who sees ePHI, how changes are tracked, and whether an audit trail exists when regulators ask for proof.

Technical safeguards under 45 CFR § 164.312

The HIPAA Security Rule organizes ePHI protection into Administrative, Physical, and Technical Safeguards. NIST SP 800-66 Revision 2, published February 2024, confirms that Technical Safeguards apply directly to platform configuration. Five standards matter here:

  • Access controls (§ 164.312(a)): Unique user identification is required. Encryption and decryption are addressable.
  • Audit controls (§ 164.312(b)): Systems containing ePHI must record and support review of activity.
  • Integrity controls (§ 164.312(c)): Organizations must verify that ePHI is not improperly altered or destroyed.
  • Person/entity authentication (§ 164.312(d)): Anyone accessing ePHI must have a verified identity.
  • Transmission security (§ 164.312(e)): Data must stay protected during transmission.

Documentation retention under § 164.316(b)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164#p-164.316\(b\)\(2\))) for these standards requires records to remain available for six years from creation or last effective date. For Salesforce teams, that requirement extends beyond data access logs. It also affects deployment evidence and change documentation.

2026 Security Rule updates

Several proposed Security Rule updates would make Salesforce release governance more explicit. Controls tied to deployment, recovery, and authentication would move from discretionary interpretation to explicit requirement.

The HHS proposed rule for 2025–2026 raises several controls from addressable to required.

  • Encryption: Encryption of ePHI at rest and in transit becomes mandatory. Salesforce customers must enable Shield Platform Encryption or equivalent controls across all orgs that store or process ePHI.
  • Multi-factor authentication: MFA becomes mandatory for all users accessing ePHI. Salesforce teams must enforce MFA across every login path, including API access and CI/CD service accounts used in deployment pipelines.
  • Backup and recovery: Backup becomes mandatory, with a 72-hour recovery objective. Salesforce customers must maintain recoverable snapshots of both data and metadata so orgs can be restored to a known-good state within that window.
  • Configuration management: Formal configuration management becomes required. Salesforce teams must track and document every metadata change, including profiles, permission sets, and sharing rules, against a controlled baseline.
  • Secure deployment: Secure deployment practices become required. Salesforce releases must follow governed pipelines that validate changes before production and prevent unauthorized or untested metadata from reaching live orgs.
  • Semi-annual scanning: Vulnerability scanning on a semi-annual cadence becomes required. Salesforce environments must be assessed regularly for misconfigurations, overprivileged access, and exposed ePHI fields.

The shared responsibility model

Understanding where Salesforce responsibility ends and customer responsibility begins is critical. That boundary matters because release processes, retention practices, and access reviews are not compliant by default.

Salesforce makes clear that data access and usage in the platform remains a customer responsibility. Salesforce supplies tools that support compliance. It does not make customer environments compliant by default.

Customers must license Shield separately, enable encryption, configure access controls, define retention practices, and maintain compliance documentation. That shared model is why deployment governance matters as much as platform security settings.

Where Standard Salesforce Tools Fall Short

Even with ePHI properly secured at rest, standard Salesforce tools leave compliance gaps in the release process. A team can protect stored ePHI and still fail an audit, or expose data if metadata changes reach production without durable records and pre-release control checks.

Retention gaps

The clearest example is Setup Audit Trail. Salesforce tracks changes to user permissions, security settings, and configuration modifications for exactly 180 days before automatic deletion. But HIPAA documentation rules require six years of retention under § 164.316(b)(2)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164#p-164.316\(b\)\(2\))), creating a gap that is significantly shorter than the multi-year retention periods required by regulations. Unlike other retention features, Setup Audit Trail has no native extension option, so organizations requiring proof of configuration change controls beyond six months must implement external archiving before data reaches the automatic purge threshold.

Salesforce also states that Field Audit Trail covers field history, not deployment operations or metadata changes. That means even with Shield enabled, there is no native mechanism to retain a durable record of what metadata changed during a release, who initiated it, or what validation occurred beforehand.

Pre-release control gaps

Standard deployment methods do not catch access risks before release, leaving teams to discover problems after ePHI exposure has already occurred:

  • Salesforce developer guidance notes that missing dependencies often cause deployment failures, but standard tools do not automatically detect when a profile change expands field access to PHI. A permission set update that grants read access to a diagnosis field, for example, will deploy without any flag — even if it violates least-privilege requirements.
  • Change Sets do not provide rollback and do not enforce a deployment gate that checks whether permission changes preserve least-privilege access. Deploying change sets to a destination org is final — you cannot undo the changes if needed, meaning end-users are stuck until you can reverse all the changes manually. The Change Sets Salesforce provides also do not offer robust risk analysis or visibility into the effects of changes being rolled out.

Documentation gaps

Native tools do not generate a full record of:

  • Who approved a release and when the approval was granted
  • What security review occurred before the deployment reached production
  • How access controls were validated after deployment completed
  • Whether the release changed field-level security, sharing rules, or permission assignments

Without that record, teams must reconstruct deployment history manually during an audit — a process that is both time-intensive and error-prone. That matters because OCR settlements have cited organizations for missing access policies and procedures around ePHI, and incomplete documentation is often what turns a technical gap into an enforcement action.

What Compliant Deployment Controls Require

Closing these gaps requires specific release controls that make Salesforce deployment governance auditable and repeatable. Those controls must capture proof during the pipeline and block unsafe changes before production.

Core control requirements

The core controls below map release operations to the HIPAA safeguard expectations in the previous section. Together, they give teams a way to prove what changed, restore a known state, and verify that access did not widen during deployment.

  • Deployment audit records: Capture who initiated a release, what changed, what validation ran, and who approved it. Keep those records for the mandated retention period.
  • Version control and rollback: Track each configuration change against a known baseline. Support restoration as a controlled pipeline action, which aligns with the 72-hour recovery requirement and tested restoration.
  • Policy gates: Validate access changes before production. Check permissions, sharing rules, and field-level security so releases do not broaden ePHI access.
  • Automated documentation: Produce release records, approvals, and validation results from the pipeline itself. That supports required configuration management without relying on manual follow-up.

These controls matter because HIPAA compliance depends on repeatable operations, not one-time configuration work. In Salesforce, every release can change access, metadata behavior, or audit readiness. The deployment process has to be part of the control system.

Closing the Compliance Gap

Healthcare organizations handling ePHI cannot rely on platform tools alone — a single unmanaged release can weaken access controls or break audit defensibility, even when platform security settings stay unchanged. Closing the gap requires release operations that preserve a clear control record, support controlled restoration, and block unsafe changes before they reach production.

DevOps solutions purpose-built for Salesforce embed those controls directly in the workflow, so compliance evidence comes from the release process itself rather than manual reconstruction during an audit. When deployment records disappear, permission changes slip through review, or rollback depends on manual effort, the audit gap is already open. Treating deployments as compliance-controlled operations closes that gap before release day — and when audit deadlines approach, complete deployment history cuts review time and eliminates the documentation scramble.

Request a demo with Flosum to explore how automated audit trails support compliance requirements.

Table Of Contents
Example H3
Example H4
Example H5
Example H6
Author
Matt Lyman
Stay Up-to-Date
Get flosum.com news in your inbox.

Thank you for subscribing

Share
Blog

Recent Blogs

min read
April 3, 2026
Zero Trust and Salesforce: A Perfect Match for Secure Data Governance
Read More
min read
April 3, 2026
How to Transform Salesforce Security with the Zero-Trust Security Model
Read More
min read
April 3, 2026
The Zero Trust Framework for Salesforce: Building a Holistic Security Model
Read More
The Only Native Solution Certified by Salesforce

Hyperforce-compliant, meets data residency and privacy laws, enforces zero-trust architecture

Book a Meeting
Send me news about Flosum products, releases, and events.

Thank you for subscribing to the Flosum newsletter.

Unlock Your Salesforce Potential.
Products
DevOpsBackup and ArchiveTrust CenterData SeedingDevOps for Veeva
Solutions
Risk and Governance Zero-Trust SecuritySOX Compliance Use CaseOptimize Salesforce InvestmentsEstablish Salesforce CoE
Company
LeadershipFlosum AdvantageInvestorsOur StoryPartnersContact UsOperating PrinciplesOur StoryBeyond Certifications
Resources
BlogsCustomer StorieseBooksSolution SheetsWebinarsWhite PapersPress Releases
Support
Customer SuccessCertification
Partners
Partner
Follow Us
LinkedIn
YouTube
X (formerly Twitter)
© 2026 Flosum. All rights reserved.
Terms of Use
(844) 335-6786
hello@flosum.com