
Is Salesforce HIPAA Compliant? With Enough Add-Ons and Security Customizations, It Can Be

For businesses in healthcare and medical technology, HIPAA compliance is non-negotiable. If you are trying to maintain HIPAA compliance with Salesforce, it will require some extra work.

The challenge with finding HIPAA-compliant software

For businesses in healthcare, the life sciences, and Medtech, HIPAA compliance is non-negotiable. This can make finding CRM software (customer relationship management) a real challenge.

Oftentimes CRM vendors claim to be HIPAA compliant, but when you dig a little deeper, you discover that they simply offer options that could be used to satisfy a few HIPAA requirements.

The problem is that tools offering only half-measures and workarounds will either fall short of what you need or demand a lot of extra effort from you and your team.

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a US federal law whose Privacy, Security, and Breach Notification Rules govern the collection, storage, use, and accessibility of PHI (protected health information).

Any Covered Entity or Business Associate that creates, receives, maintains, or transmits PHI must adhere to these standards (the two categories are defined in the next section). Check out our HIPAA Compliant Software Guide to learn more about HIPAA compliance requirements.

Covered Entities and Business Associates

HIPAA categorizes the organizations responsible for safeguarding PHI into two broad groups: Covered Entities and Business Associates.

  • Covered Entities - businesses, organizations, and individuals that deal directly with patients and patient data. Some common examples include:
    • Hospitals
    • Clinics
    • Private practices
    • Health plans and insurance providers
  • Business Associates - businesses, organizations, and individuals that perform work for Covered Entities and, in doing so, may access or be exposed to PHI. Since the 2013 Omnibus Rule, Business Associates are directly liable for HIPAA violations, not just contractually bound. Some common examples include:
    • Software companies with access/exposure to PHI
    • Data processing companies with access/exposure to PHI
    • Lawyers who receive PHI from a Covered Entity
    • Accountants who receive PHI from a Covered Entity

Business Associate Agreements

HIPAA requires that a Covered Entity sign a Business Associate Agreement (BAA) with any business, organization, or individual that creates, receives, maintains, or transmits PHI on its behalf as part of their services.

This agreement details the specific responsibilities and procedures for the handling of sensitive data by the parties and, as such, can differ based on the needs, capabilities, and requirements of the parties involved. That said, a BAA must include the following:

  • What PHI the Business Associate will be able to access
  • What safeguards — physical, technical, and administrative — will be in place to protect the PHI 
  • The procedures for the storage, transfer, and destruction of PHI
  • The procedures to follow in the event of a data breach
  • The procedures to follow when terminating the BAA

Is Salesforce HIPAA compliant?

When a Covered Entity stores PHI in Salesforce, Salesforce is acting as a Business Associate under HIPAA and a BAA is required. But is the Salesforce platform itself HIPAA compliant?

No. Out of the box, the Salesforce platform is not HIPAA compliant. Strictly speaking, no platform is: compliance is a property of how the Covered Entity configures and operates the system, and the default configuration leaves most of that work undone.

That said, Salesforce does offer security customizations and add-ons that can help you achieve and maintain HIPAA compliance, for a price.

For example, the Salesforce Shield add-on (which bundles Platform Encryption, Event Monitoring, and Field Audit Trail) has a set cost of +30% of your existing Salesforce package.

Not only is this hard to calculate (what qualifies as a "technical, compatible Salesforce product"?), but as your business grows, the cost of this add-on quickly balloons.

Achieving and maintaining HIPAA compliance with Salesforce: The Business Associate Agreement

Entering into a BAA with Salesforce can be a frustrating experience. Some common challenges include:

  • Each service may require its own agreement - Salesforce offers a wide array of services, but they don't all fit together seamlessly. When trying to outline the terms of a BAA, you may be required to sign several different BAAs, each with its own specific rules and guidelines.

  • Limited/restricted services - Salesforce does not offer a BAA for all of its services. Even for those it does cover, the BAA may place limits on how the service can be used with PHI or on what protections apply when you use it.

  • Lack of transparency - There is no publicly available document that details the general terms of Salesforce's BAAs. You have to go through a Salesforce account representative to get even cursory information about a BAA, so you cannot evaluate the terms before engaging with sales.

Achieving and maintaining HIPAA compliance with Salesforce: Security customizations

To achieve and maintain HIPAA compliance with Salesforce, you will need to customize data security controls such as:

  • Passwords and authentication - You will need to set the rules for password length, complexity, expiration, lockout, and reuse, and enable multi-factor authentication. Note that the HIPAA Security Rule names password management and authentication as controls but does not prescribe specific numbers; the values you choose should come from, and be documented in, your own risk analysis.

  • Role-based access - You will need to define who can access your Salesforce data, from where, how often, and on what devices, and then enforce it with profiles, permission sets, field-level security, sharing rules, and login IP ranges and login hours. Apply least privilege: a user who does not need to see a field holding ePHI should not be granted read access to it, regardless of whether the field is encrypted.

  • Automatic logout parameters - You will need to configure session timeout and forced logout on timeout. Automatic logoff is an addressable specification in the HIPAA Security Rule, so again the timeout value itself is a documented decision on your side rather than a number HIPAA hands you.

Achieving and maintaining HIPAA compliance with Salesforce: Add-ons

The Salesforce Shield add-on is essential to achieving and maintaining HIPAA compliance. It provides:

  • More secure data encryption - The out-of-the-box encryption of Salesforce data is limited in functionality and scope.

Shield Platform Encryption uses 256-bit AES (Advanced Encryption Standard) instead of the 128-bit AES of the standard classic encrypted text field, and it lets you encrypt many more kinds of data: standard and custom fields, files and attachments, and the search index. Two caveats a practitioner will want: Platform Encryption protects data at rest, so a user with read access to a field still sees the plaintext, which is why it complements rather than replaces the access controls above; and it can limit what you can do with encrypted fields (filtering, sorting, formulas), so plan which fields to encrypt rather than encrypting everything.

  • More comprehensive activity monitoring - Event Monitoring is included in Shield. It lets you track who accessed ePHI and when, along with user activity (logins, report exports, API calls) and app use.

Additionally, with Field Audit Trail (also included in Shield), you can track changes on up to 60 fields per object (3x the 20 allowed by standard field history tracking) and retain that history for up to 10 years.

Achieving and maintaining HIPAA compliance with Salesforce: 3rd party data storage/backup tools and in-transit encryption

Even with all these customizations and add-ons, you will need to look to 3rd party solutions to address the following:

  • Log retention and data backup - Event Monitoring log files are kept on the platform for only a short window, and Salesforce's native backup is not enough on its own to meet HIPAA record-keeping needs. You will need a pipeline that exports the event logs to a SIEM or archive and retains them for the period your HIPAA retention policy requires, and a separate backup solution for the ePHI records themselves.

  • In-transit encryption beyond the platform - Traffic between browsers or API clients and Salesforce is protected by TLS, but Salesforce does not control what happens to PHI once it leaves the platform through email, exports, or integrations with other systems. Securing those channels (encrypted email, encrypted file transfer, TLS on every integration endpoint) is the Covered Entity's responsibility.
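The "who accessed ePHI and when" monitoring described under Event Monitoring, and the log-export pipeline described in the first bullet above, both come down to reading event log rows and deciding which ones matter. The following is an added example, not Salesforce's code and not from the original post: a small detector that runs over Event Monitoring style rows and returns findings in a shape you could forward to a SIEM. The column names mirror a subset of the EventLogFile CSV format (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID, SOURCE_IP, LOGIN_STATUS, REPORT_ID), but the rows are constructed for the example, and the set of ePHI reports, the allowed office network, the business-hours window, and the bulk-export threshold are all assumptions you would replace with your own.

```python
"""Detection over Event Monitoring style log rows (added example, constructed data)."""
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows: two event types, a subset of the EventLogFile columns.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,SOURCE_IP,LOGIN_STATUS,REPORT_ID
Login,2024-03-04T08:02:11.000Z,005xx000001A,203.0.113.10,LOGIN_NO_ERROR,
Login,2024-03-04T08:05:40.000Z,005xx000001B,198.51.100.77,LOGIN_NO_ERROR,
ReportExport,2024-03-04T09:15:02.000Z,005xx000001A,203.0.113.10,,00Oxx0000001
ReportExport,2024-03-04T23:41:19.000Z,005xx000001B,198.51.100.77,,00Oxx0000001
ReportExport,2024-03-04T23:42:03.000Z,005xx000001B,198.51.100.77,,00Oxx0000002
ReportExport,2024-03-04T23:43:55.000Z,005xx000001B,198.51.100.77,,00Oxx0000003
"""

# Assumptions for the example: which reports expose ePHI, where staff normally
# log in from, what counts as business hours, and what counts as a bulk export.
PHI_REPORT_IDS = {"00Oxx0000001", "00Oxx0000002"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = range(7, 19)   # 07:00 to 18:59 UTC
BULK_EXPORT_THRESHOLD = 3           # report exports per user per day


def parse_rows(text):
    """Parse EventLogFile-style CSV text; attach a timezone-aware datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        row["ts"] = ts.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def ip_allowed(ip_text):
    """True if the source IP falls inside one of the allowed office networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_NETWORKS)


def detect(rows):
    """Return a list of (kind, user_id, detail) findings for the given rows.

    Three checks: a successful login from outside the allowed networks,
    an export of an ePHI report outside business hours, and a user exporting
    at least BULK_EXPORT_THRESHOLD reports in one day.
    """
    findings = []
    exports_per_user_day = Counter()
    for r in rows:
        if r["EVENT_TYPE"] == "Login":
            if r["LOGIN_STATUS"] == "LOGIN_NO_ERROR" and not ip_allowed(r["SOURCE_IP"]):
                findings.append(("login_outside_allowed_network", r["USER_ID"], r["SOURCE_IP"]))
        elif r["EVENT_TYPE"] == "ReportExport":
            exports_per_user_day[(r["USER_ID"], r["ts"].date())] += 1
            if r["REPORT_ID"] in PHI_REPORT_IDS and r["ts"].hour not in BUSINESS_HOURS_UTC:
                findings.append(("off_hours_phi_export", r["USER_ID"], r["REPORT_ID"]))
    for (user, day), n in exports_per_user_day.items():
        if n >= BULK_EXPORT_THRESHOLD:
            findings.append(("bulk_report_export", user, f"{n} exports on {day}"))
    return findings


def run_sample():
    """Run the detector over the constructed sample rows."""
    return detect(parse_rows(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, detail in run_sample():
        print(kind, user, detail, sep="\t")
```

On the sample data, user 005xx000001A (office network, daytime export) produces nothing, while 005xx000001B produces four findings: a login from outside the allowed network, two off-hours exports of ePHI reports, and a bulk-export count for the day. In a real pipeline the rows would come from the daily EventLogFile download rather than an inline string, and the findings would be written to your SIEM along with the raw rows so the audit trail outlives Salesforce's retention window.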

FreeAgent can help you achieve and maintain HIPAA compliance without all the add-ons

FreeAgent is a HIPAA-compliant CRM that understands businesses’ unique needs and requirements in healthcare, the life sciences, and Medtech. 

With FreeAgent you get hassle-free HIPAA. That means:

  • No 3rd party BAAs
  • No extra expense
  • No risk

Try FreeAgent CRM today, for free, and discover why work’s better with FreeAgent on your team.
