5 things to know about Salesforce, HIPAA, and data security

by Paul B. Stevenson, MPA, CPA

When you work in the healthcare industry, everything you do revolves around HIPAA compliance. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a prescriptive set of security standards and requirements intended to protect patient data. HIPAA is so critically important to healthcare organizations, in fact, that healthcare organizations tend to shy away from newer technologies, especially cloud-based solutions. To this day, less than half of healthcare IT professionals report being comfortable using cloud-based solutions, and only 30% have a strategy in place to move their organization’s data to the cloud, according to a 2018 survey assessing healthcare IT professionals’ attitudes toward cloud-based solutions.

But the healthcare industry is changing fast—and increasingly demanding next-generation, cloud-based technology solutions. As healthcare organizations pursue cloud technology, they’re finding that Salesforce has developed a product specifically to meet HIPAA’s exacting requirements for compliance, security, governance, and data reporting. Salesforce’s Health Cloud includes much more than just standard Salesforce security features, like two-factor authentication, IP login restrictions, login history, and fine-grained sharing. Let’s explore five unique aspects of Health Cloud that exemplify Salesforce’s commitment to HIPAA compliance and data security:


1. Private patient communities provide secure collaboration: Salesforce has mastered the art of building robust, engaged communities that are accessible from any device. Salesforce Health Cloud uses this core community-building platform as the basis for promoting collaboration among all of the providers in a patient’s care network. But this platform also has been customized with carefully tailored features designed specifically for the healthcare industry. Every patient in Health Cloud is assigned a private community to which members are added and given defined roles, such as care coordinator, primary physician, and caregiver. From within this private community, community members can view care plans, get answers to common questions, ask patients to fill out forms in advance, and communicate with one another. Significantly, these communications can be done privately, so a physician can message a caregiver, for example, and no one else in the patient’s community will be able to see these communications. Then, when a community member is no longer involved in the patient’s care, they can be removed from the community altogether. All of these HIPAA-compliant features are focused on promoting secure collaboration within a patient’s care network.


2. Event monitoring provides full visibility into all activities: To comply with HIPAA, healthcare organizations need to know the real-time status of patient data—where it is being stored, who has access to it, how it’s being updated and modified, and when it’s at risk of being deleted or exported by the wrong party. Salesforce Health Cloud is designed to meet the need for total visibility into these activities. Through the Salesforce Shield service, Health Cloud continuously monitors what data is being accessed, from what IP address, and what specific actions are being taken with that data. This event monitoring data can be easily retrieved and loaded into any number of visualization tools, enabling suspicious and potentially compromising activities to be spotted easily and rapidly. The end result is that every healthcare provider, from employees of your organization to members of a patient’s extended care network, is held accountable to HIPAA’s privacy and security standards.


3. Unauthorized transactions automatically get blocked: Event monitoring provides critical visibility into day-to-day transactions in Salesforce Health Cloud, but this security tool isn’t just a retroactive safeguard. Salesforce Shield monitoring also includes a flexible, customizable security policy engine to flag or block suspicious transactions automatically. That means you can set up Health Cloud to automatically notify you when sensitive data is being accessed, or to block certain users from performing a risky transaction. Healthcare organizations use the Salesforce Shield security policy engine to prevent sensitive patient data from leaking, either through improper employee transactions or through unauthorized activity by a third-party member of a patient’s care network.


4. Auditing for HIPAA compliance becomes a breeze: Whether you’re conducting an internal HIPAA compliance audit or preparing for a more comprehensive, company-wide audit, Salesforce Health Cloud comes pre-loaded with high-quality tools for conducting forensic-level audits and systematically evaluating all potential risks. Using Salesforce Shield, which is built into Health Cloud, healthcare organizations can access multiple years of audit trail data for dozens of fields per object in Salesforce. Salesforce Field Audit Trail gives your organization the ability to go back in time and view a snapshot of the state of your data at any given point. Additionally, Salesforce’s auditing capabilities are scalable, so you’re not limited by the types or volume of data you can audit.


5. Encryption keeps your data secure but still accessible: Healthcare organizations instinctively understand that all data needs to be encrypted on a cloud-based platform, but what they often don’t understand is how a third-party platform like Salesforce Health Cloud can access and meaningfully use all of this encrypted data. The answer lies in Salesforce’s approach to data encryption, known as Platform Encryption. Built natively into Salesforce Health Cloud, Salesforce Platform Encryption encrypts data at the metadata layer of a database, enabling Health Cloud to maintain key application functionality even as the data remains encrypted. In other words, features of Health Cloud such as searches, workflows, and validation rules will be unencumbered by Platform Encryption. Platform Encryption also enables healthcare organizations to retain full control over their own unique encryption key and to set encrypted data permissions. And if a healthcare organization has integrated another app with Salesforce, these partner apps also can include and respect encrypted Health Cloud data.


Healthcare organizations will always put the security and privacy of patient data ahead of any technology platform upgrade. Fortunately, Salesforce Health Cloud puts patient security and privacy at the forefront as well, enabling healthcare organizations to breathe easy when it comes to HIPAA compliance. With Health Cloud, healthcare organizations get private patient communities for secure collaboration within a patient’s extended care network, event monitoring for full visibility into activities, automatic blocking of unauthorized transactions, auditing tools designed around HIPAA compliance requirements, and specialized data encryption to maximize data accessibility but minimize risks.

If you’re ready to learn more about how Salesforce Health Cloud can help your organization meet its regulatory compliance obligations, please reach out to the Health Cloud implementation experts at Simplus. We’d be glad to give you a demo of all of Health Cloud’s HIPAA-friendly features.


Paul Stevenson

Paul is Simplus’ Subject Matter Expert in HLS CRM Strategy. An expert with deep CRM experience in healthcare, telecom, distribution, and financial segments, Paul is a consultant who drives CRM innovations to clear a path for growth in revenue and operational efficiency. He has hands-on experience in developing, marketing, and selling CRM Apps and is a proven project leader with skills to lead CRM integrations with payer, provider, telecom, and proprietary operational and financial information systems.