The challenge with finding HIPAA-compliant software
For businesses in healthcare, the life sciences, and Medtech, HIPAA compliance is non-negotiable. This can make finding CRM software (customer relationship management) a real challenge.
Oftentimes CRM software providers will claim they are HIPAA compliant, but when you dig a little deeper, you discover that they simply offer options that could be used to fulfill a few HIPAA regulations.
The problem is that using tools that only offer half-measures and workarounds will either fall short of what you need or require a lot of extra effort on the part of you and your team.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a set of standards that governs the collection, storage, and accessibility of PHI (protected health information) in the US.
Any company or business that handles or processes the PHI of US citizens must adhere to these standards. Check out our HIPAA Compliant Software Guide to learn more about HIPAA compliance requirements.
Covered Entities and Business Associates
HIPAA categorizes the groups responsible for safeguarding PHI into two broad categories — Business Associates and Covered Entities.
- Covered Entities: Covered Entities are businesses, organizations, and individuals that deal directly with patients and patient data. Some common examples include:
  - Hospitals
  - Clinics
  - Private doctors
  - Insurance providers
- Business Associates: Business Associates are businesses, organizations, and individuals that work with Covered Entities and whose work with those entities may involve access or exposure to sensitive data and PHI. Some common examples include:
  - Software companies with access/exposure to PHI
  - Data processing companies with access/exposure to PHI
  - Lawyers
  - Accountants
Business Associate Agreements
HIPAA requires that all Covered Entities sign a Business Associates Agreement (BAA) with any business, organization, or individual who may come into contact with PHI as part of their services.
This agreement details the specific responsibilities and procedures for the handling of sensitive data by the parties and, as such, can differ based on the needs, capabilities, and requirements of the parties involved. That said, a BAA must include the following:
- What PHI the Business Associate will be able to access
- What safeguards — physical, technical, and administrative — will be in place to protect the PHI
- The procedures for the storage, transfer, and destruction of PHI
- The procedures to follow in the event of a data breach
- The procedures to follow when terminating the BAA
Is Salesforce HIPAA compliant?
Salesforce is a Business Associate under HIPAA, but is the Salesforce platform HIPAA compliant?
No. Out of the box, the Salesforce platform is not HIPAA compliant.
That said, Salesforce does offer some security customizations and add-ons that can help you achieve and maintain HIPAA compliance, for a price.
For example, the Salesforce Shield Platform Encryption add-on has a set cost of +30% of your existing Salesforce package.
Not only is this hard to calculate (what qualifies as a “technical, compatible Salesforce product”?), but as your business grows the cost of this add-on quickly balloons.
Achieving and maintaining HIPAA compliance with Salesforce: The Business Associate Agreement
Entering into a BAA with Salesforce can be a frustrating experience. Some common challenges include:
- Each service may require its own agreement: Salesforce offers a wide array of services, but they don’t all fit together seamlessly. This means that when trying to outline the terms of a BAA, you may be required to sign several different BAAs, each with its own specific rules and guidelines.
- Limited/restricted services: Salesforce does not offer a BAA for all of its services. Even those it does may have limits placed upon the use of those services or on the protections of the BAA when using those services.
- Lack of transparency: There is no publicly available document that details the general guidelines of Salesforce’s BAAs. A Salesforce account representative is required to gather even cursory information about a BAA.
Achieving and maintaining HIPAA compliance with Salesforce: Security customizations
To achieve and maintain HIPAA compliance with Salesforce, you will need to customize data security controls such as:
- Passwords: You will need to customize the rules regarding password length, complexity, authentication, and frequency of password changes to meet HIPAA guidelines.
- Role-based access: You will need to customize the rules around information access in your organization. You will need to set clear guidelines around who can access your Salesforce data, from where, how often, and on what devices.
- Automatic logout parameters: You will need to customize your automatic logout parameters to comply with HIPAA guidelines.
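The password and automatic-logout settings above live in the org's SecuritySettings metadata, which can be exported and checked before every release. The following audit script is an added example, not code from the original post or from Salesforce: the XML field names and enum values are assumed to follow the Salesforce Metadata API SecuritySettings type, the sample exports are constructed, and the baseline thresholds are an assumed policy, since HIPAA itself does not prescribe specific numbers.

```python
import xml.etree.ElementTree as ET

# Namespace of Salesforce Metadata API documents (assumed SecuritySettings type).
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Assumed baseline for this audit. HIPAA does not prescribe these numbers;
# use the values your own policy and BAA require.
BASELINE = {
    "minimumPasswordLength": 12,
    "complexity": {"UpperLowerCaseNumeric", "UpperLowerCaseNumericSpecialCharacters"},
    "expiration": {"ThirtyDays", "SixtyDays", "NinetyDays"},
    "sessionTimeout": {"FifteenMinutes", "ThirtyMinutes"},
}

# Constructed sample export (not from any real org) with weak settings.
WEAK_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
  <passwordPolicies>
    <complexity>NoRestriction</complexity>
    <expiration>Never</expiration>
    <minimumPasswordLength>5</minimumPasswordLength>
  </passwordPolicies>
  <sessionSettings>
    <forceLogout>false</forceLogout>
    <sessionTimeout>TwelveHours</sessionTimeout>
  </sessionSettings>
</SecuritySettings>"""

# The same export with every weak value replaced by a baseline-compliant one.
HARDENED_SETTINGS = (WEAK_SETTINGS
    .replace("NoRestriction", "UpperLowerCaseNumericSpecialCharacters")
    .replace("Never", "NinetyDays").replace(">5<", ">12<")
    .replace("<forceLogout>false", "<forceLogout>true")
    .replace("TwelveHours", "FifteenMinutes"))

def _setting(root, section, field):
    """Read one leaf value such as passwordPolicies/complexity; None if absent."""
    node = root.find(f"md:{section}/md:{field}", NS)
    return node.text.strip() if node is not None and node.text else None

def audit_security_settings(xml_text):
    """Return findings as 'field=value' strings; an empty list means all checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    length = _setting(root, "passwordPolicies", "minimumPasswordLength")
    if length is None or int(length) < BASELINE["minimumPasswordLength"]:
        findings.append(f"minimumPasswordLength={length}")
    for field in ("complexity", "expiration"):  # password policy enums
        value = _setting(root, "passwordPolicies", field)
        if value not in BASELINE[field]:
            findings.append(f"{field}={value}")
    timeout = _setting(root, "sessionSettings", "sessionTimeout")
    if timeout not in BASELINE["sessionTimeout"]:
        findings.append(f"sessionTimeout={timeout}")
    force_logout = _setting(root, "sessionSettings", "forceLogout")
    if force_logout != "true":  # idle sessions must actually be terminated
        findings.append(f"forceLogout={force_logout}")
    return findings

if __name__ == "__main__":
    for finding in audit_security_settings(WEAK_SETTINGS):
        print("FAIL:", finding)
```

Running it against the constructed weak export reports all five settings; the hardened export produces no findings.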
Achieving and maintaining HIPAA compliance with Salesforce: Add-ons
The Salesforce Shield Platform Encryption add-on is essential to achieving and maintaining HIPAA compliance. It provides:
- More secure data encryption: The out-of-the-box encryption of Salesforce data is limited in functionality and scope.
The Salesforce Shield Platform Encryption add-on features 256-bit AES (Advanced Encryption Standard) instead of the 128-bit AES that comes standard and allows you to encrypt more types of fields and data (documents, spreadsheets, databases).
- More comprehensive activity monitoring: The Salesforce Event Monitoring tool is included with the Shield Platform Encryption add-on. It allows you to track ePHI access (who, when), user activity, and app use.
Additionally, with Field Audit Trail (also included in the Shield Platform Encryption add-on), you can monitor more fields (3x more) and archive data for up to 10 years.
Achieving and maintaining HIPAA compliance with Salesforce: 3rd party data storage/backup tools and in-transit encryption
Even with all these customizations and add-ons, you will need to look to 3rd party solutions to address the following:
- 3rd party data storage/backup tools: Salesforce’s native backup solution is not enough to achieve and maintain HIPAA compliance. You will need to source a data backup solution to help you capture and store your event monitoring logs to meet HIPAA requirements.
- In-transit encryption: Salesforce takes no responsibility for in-transit data encryption. It is on the Covered Entity to find a solution for this.
FreeAgent can help you achieve and maintain HIPAA compliance without all the add-ons
FreeAgent is a HIPAA-compliant CRM that understands businesses’ unique needs and requirements in healthcare, the life sciences, and Medtech.
With FreeAgent you get hassle-free HIPAA. That means:
- No 3rd party BAAs
- No extra expense
- No risk
Try FreeAgent CRM today, for free, and discover why work’s better with FreeAgent on your team.