Salesforce Service Cloud and HIPAA Compliance

August 2, 2016

Pete Cafarchio

Q: My company sells to the healthcare industry. Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud? I mean, Salesforce is HIPAA compliant, right?

A: You very well may be in violation of HIPAA standards. Here’s why.

Yes, the Salesforce platform itself can be made HIPAA compliant. Salesforce will sign a Business Associate Agreement (BAA), and if you add Salesforce Shield you get Platform Encryption, Event Monitoring and Field Audit Trail for your Salesforce instance. But that is only part of the compliance story, because it covers the data only while it resides within the Salesforce ecosystem: the data at rest.

HIPAA also applies to data in motion. Simply stated: protected health information traveling over a public network (like the Internet) must be encrypted in transit. Strictly speaking, the Security Rule lists transmission encryption as an "addressable" implementation specification (45 CFR 164.312(e)(2)(ii)), which means you must either implement it or document why an equivalent safeguard is reasonable and appropriate; in practice, sending PHI in clear text over the Internet does not survive that analysis.

So let’s take a look at your scenario. Suppose you’re a CSR using Service Cloud to view a new support ticket. A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer, and he wants to know if his insurance covers the new tests. The customer’s contact information plus a medical condition equals Protected Health Information (PHI), and everything you do with it must comply with HIPAA.

While you’re viewing the information in Service Cloud, it’s covered by the BAA and Shield (see the first paragraph above). But when you reply to that ticket, the PHI is almost always copied into the reply as part of the ongoing dialogue thread and is sent from your company to the customer by email or another messaging format. It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible for encrypting the message before it is sent. Two practical points: the quoted thread is the usual culprit, so even a reply whose own text is innocuous carries the customer’s original PHI underneath it; and server-to-server email may or may not negotiate TLS on every hop and still lands in the customer’s mailbox in the clear, so you cannot rely on transport encryption you do not control.

Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce, filter outbound messages by policy rules and keywords, and automatically encrypt messages containing PHI. Our solution also adds logging and tracking for better visibility and governance: the proof you need in the event of a HIPAA audit by HHS’s Office for Civil Rights.
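The two points above (PHI hiding in the quoted thread, and policy/keyword filtering of outbound mail), as an added example that is not DataMotion’s, Salesforce’s or this post’s own code: a small Python outbound-mail policy filter. The medical term list, the identifier patterns, the message fields and the sample ticket thread are all constructed for illustration; a real gateway would use a maintained lexicon and hand flagged messages to an encrypting transport, which this example deliberately stops short of.

```python
"""Outbound-mail policy filter: decide whether a Service Cloud reply must be
encrypted before it leaves the company.

Added example, not DataMotion's or Salesforce's code. The rule set, the
message model and the sample thread are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Condition / treatment terms that indicate PHI once they are tied to an
# identified individual. Constructed list, not a clinical lexicon.
MEDICAL_TERMS = (
    "cancer", "diagnosis", "biopsy", "prescription", "chemotherapy",
    "my doctor", "medical condition", "test results",
)

# Identifiers that commonly accompany PHI. Constructed patterns.
ID_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "member_id": re.compile(r"\bmember\s*(?:id|#|number)[:\s]*[A-Z0-9-]{6,}\b", re.I),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.I),
}


@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    body: str  # full body, including any quoted thread the mail client appended


@dataclass
class Decision:
    encrypt: bool
    reasons: list[str] = field(default_factory=list)


def strip_quoted(body: str) -> str:
    """Return only the lines the agent typed (drop '>'-quoted thread lines)."""
    return "\n".join(
        line for line in body.splitlines() if not line.lstrip().startswith(">")
    )


def classify(msg: OutboundMessage, scan_quoted: bool = True) -> Decision:
    """Apply the policy rules and return whether the message must be encrypted.

    scan_quoted=True scans the whole body, i.e. what the customer receives.
    scan_quoted=False scans only the agent's new text, which is the mistake
    this example exposes: the PHI lives in the quoted thread.
    """
    text = msg.subject + "\n" + (msg.body if scan_quoted else strip_quoted(msg.body))
    lowered = text.lower()
    reasons = [f"medical term: {term!r}" for term in MEDICAL_TERMS if term in lowered]
    reasons += [f"identifier: {name}" for name, pat in ID_PATTERNS.items() if pat.search(text)]
    # The recipient's email address already identifies the individual, so any
    # medical term or identifier in the message makes the whole message PHI.
    return Decision(encrypt=bool(reasons), reasons=reasons)


# Constructed ticket thread mirroring the scenario in the post: the agent's
# own reply is harmless, but the mail client quoted the customer's message.
SAMPLE_REPLY = OutboundMessage(
    sender="support@example-insurer.com",
    recipient="customer@example.net",
    subject="Re: Coverage question",
    body=(
        "Hi John,\n"
        "Thanks for reaching out. I've forwarded your question to the benefits team.\n"
        "\n"
        "> My doctor wants me to get additional testing to rule out prostate\n"
        "> cancer. Does my plan cover the new tests? Member ID: ABC123456\n"
    ),
)


def demo() -> tuple[Decision, Decision]:
    """Return (naive decision, full-body decision) for the sample reply."""
    return classify(SAMPLE_REPLY, scan_quoted=False), classify(SAMPLE_REPLY, scan_quoted=True)


if __name__ == "__main__":
    naive, full = demo()
    print("new text only :", "encrypt" if naive.encrypt else "send in clear", naive.reasons)
    print("whole message :", "encrypt" if full.encrypt else "send in clear", full.reasons)
```

Run it and the first line reports "send in clear" while the second reports "encrypt" with the matched terms and member ID: a filter that inspects only what the agent typed waves the reply through, while one that inspects the message as actually transmitted catches the PHI copied in from the thread. Quoting styles without a leading ">" (for example an "On ... wrote:" block) would defeat `strip_quoted` in the other direction, which is one more reason to scan the full body.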

Summary

Yes, the Salesforce platform can be made HIPAA compliant. But when you reply to a Service Cloud ticket, that reply is data in motion, and securing it is not Salesforce’s responsibility. Your company needs to ensure those messages are encrypted between Salesforce and your customers. If not, you’re subject to fines, penalties and loss of reputation.


Pete Cafarchio

Pete leads the business development function for DataMotion. He has served in many roles over the past twenty years to successfully launch multiple companies and product lines. Before coming to DataMotion in 2008, Pete was Director of Business Development, Worldwide Channel Strategy at CA, Inc. Prior to that he helped build PestPatrol, Inc. into a successful anti-spyware company. While there, he brokered key OEM partnerships with Yahoo and Dell as well as CA’s acquisition of PestPatrol. Before that he served in sales and product management functions at TruSecure Corporation, and established the development office for a non-profit charity.
