How to achieve HIPAA compliance for your Salesforce orgs

Jamie Wallis on

The Health Insurance Portability and Accountability Act, or HIPAA, requires health care professionals to take the relevant steps to protect their patients' data at all costs.

Companies that deal with this protected health information (PHI), whether it's a telephone number or a full medical record, must have physical, network, and process security measures in place to be HIPAA compliant. And it's not enough to just have the measures in place; they have to be followed correctly.

In this article, we'll look at what HIPAA means for companies that use Salesforce to manage PHI, and how they can remain compliant.

What is HIPAA compliance?

The US Department of Health and Human Services (HHS) has set up some crucial guidelines to protect US citizens' health information. Known as the HIPAA Privacy Rule, it's all about safeguarding sensitive health data and keeping patients' information secure.

There's also the HIPAA Security Rule, which takes things a step further by laying down national standards to protect health data when it's stored or transmitted electronically. For business associates of healthcare providers and related companies, there's a notification rule that requires any breach of information to be disclosed to them within 60 days.

The Office for Civil Rights (OCR) within HHS is responsible for making sure healthcare providers and related companies comply with these privacy and security measures, using both voluntary compliance efforts and penalties when needed. It's all about keeping electronic PHI (e-PHI) safe and secure.

Who needs to be HIPAA compliant?

HIPAA compliance is a requirement for any US company that maintains PHI data on behalf of its patients, customers, employees, students or other individuals.

These companies are known as Covered Entities, and according to the US Department of Health and Human Services (HHS) they include:

Healthcare providers

Including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, and hospitals.

Health plans

Including health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.

Healthcare clearinghouses

Entities that process non-standard health information they receive from another entity into a standard form of PHI (such as standard electronic format or data content), or vice versa.

Business associates

Firms that deal with PHI on behalf of healthcare companies, including claims processors, accounting firms, consultants, transcriptionists, and pharmacist network management.

Is Salesforce HIPAA compliant?

This isn't a simple question to answer, but if your company is using Salesforce to manage and store PHI, then you'll need to make sure that your Salesforce orgs are HIPAA compliant.

This also applies to data in transit between orgs, and to data stored in backups and archives.

Some Salesforce functionality is HIPAA compliant by default, such as their HTTPS connection requirement and 128-bit encryption key, and Salesforce will sign a Business Associate Agreement (BAA) for selected products. Salesforce customers need to request a BAA from their account team on a case-by-case basis.

The list of products that can be covered by a BAA is limited, particularly when it comes to the length of time required to store data to be HIPAA compliant. Event Monitoring services, for example, will only store data for up to 30 days.

The Salesforce HIPAA compliance BAA is also only applicable to data stored in Hyperforce or another Salesforce cloud service that it controls, and it does not apply to any third-party apps connected to Salesforce.

Finally, Salesforce's BAA does not cover PHI data in transit between their servers and the user, and instead places the data protection and encryption responsibilities in the hands of the Covered Entity.

So is Salesforce HIPAA compliant? While many products on the Salesforce platform, including Health Cloud, Experience Cloud and Service Cloud, have some level of HIPAA compliance built in, the functionality that is able to be covered by a BAA can be very limited.

What are the penalties for violating HIPAA guidelines?

A HIPAA violation occurs when covered healthcare entities or business associates fail to comply with one or more of the requirements set out in the privacy, security or notification rules.

Penalties vary depending on what tier the violation is said to have occurred under. For example, a tier 1 violation is something that couldn't have been foreseen or realistically avoided, whereas a tier 4 violation is where "willful neglect" has resulted in a violation and there has been no attempt to rectify it.

Fines range from $137 to $68,928 per violation, and intentional violations can also bring criminal charges that could result in a prison sentence.

How to keep your Salesforce data protected with 爆料tv

By providing a data storage and retrieval process that meets HIPAA compliance, 爆料tv can assure companies adhering to HIPAA regulations that our software meets their needs, and their data is managed in a compliant way.

You can be confident that the way your PHI data is processed and stored, and your use of the 爆料tv platform, meets the HIPAA privacy rule, security rule and data breach notification requirements.

爆料tv keeps you compliant in a number of ways:

Data backup: Ensure your Salesforce data is backed up on a schedule that meets HIPAA requirements. It's encrypted and stored off-site and outside of your Salesforce orgs on a dedicated server. Plus, you can enhance your backup security beyond Shield platform encryption through customer-managed Bring Your Own Key (BYOK).

Data retention: Choose your data retention policy to make sure you maintain copies of data as required, and remove it as soon as you need to.

Data anonymization: Mask any data used in development and testing, with advanced functionality that allows accurate anonymization for data types and regional variations for fully compliant building and testing.

Data recovery: Full and partial recovery using backups in a way that's familiar, fast and efficient. You can deploy recovered data to dev, prod, and scratch orgs as part of your disaster recovery strategy.

Data monitoring: Set up configurable smart alerts that warn you when unusual amounts of data have been changed or deleted. You'll know straight away when it's time to put your disaster recovery plan into action and begin data recovery.

Data seeding: Seed data from production, sandboxes, or backups to any Salesforce org with HIPAA compliant data deployments.

Auditing with version control: Get a solid overview of how compliant your development process is through version control. Create a single source of truth for all live code, track changes, and create an audit trail to see who has changed what and when.

For 爆料tv customers who are required to adhere to the HIPAA guidelines, we now offer a BAA as part of our Salesforce backup and data solutions.

Protect your data with 爆料tv

You can get full access to all these areas of 爆料tv and more as part of a , with nothing to install in your orgs.

Our team of DevOps experts is also on hand to support your journey to Salesforce compliance, and then help you maintain HIPAA compliance. Get in touch to book a consultation with our expert team and find out how 爆料tv can help.