
Salesforce and HIPAA Compliance: What Providers Need to Know

By Brian McCurdy 05.13.21

The 1996 Health Insurance Portability and Accountability Act (HIPAA) protects patients and patient data in the United States, which includes all electronic data managed by healthcare providers. Managing this data isn’t a nice-to-have, but a requirement — one many providers are very familiar with.

How does that translate to new tools, especially a CRM, which relies on patient data to give patients a better, more personalized experience?

Silverline is not a law firm, and as such we cannot offer legal advice on HIPAA compliance. However, we are experts in healthcare technology and Salesforce, and we can help you use Salesforce in a way that follows the common best practices for protected health information (PHI) that our clients find appropriate for their own compliance programs. Here’s what you need to know:

An overview of Salesforce and HIPAA compliance

You can rest easy knowing that Salesforce already has specific safeguards in place. Using Salesforce, healthcare providers can adhere to their compliance requirements and protect personally identifiable information (PII).

Source: Salesforce and the HIPAA Security Rule: SECURING ePHI IN THE CLOUD

Any database that uses patient data must include the following safeguards:

  • Administrative: Assigned security responsibility, workforce security, information access management, training, and ongoing evaluation
  • Physical: Facility access, workstation use and security, and device controls
  • Technical: Authentication, access and audit controls, and transmission security
  • Organizational: Intra-departmental data sharing
  • Documentation: Policies and procedures

Salesforce checks all of those boxes. 

How to set up your Salesforce effectively

Salesforce has all the capabilities you need to make sure you’re handling patient data appropriately. First, you need to understand the data you already have and are collecting. Providers have access to mountains of data: lab results, testing schedules, past appointments, upcoming appointments, specialist visits, insurance…the list goes on.

You need to understand:

  • What data do you collect, and which pieces of it are classified as PII? It may go beyond obvious pieces of information like name, account number, or email address.
  • Who can access which pieces of that data, and when?

At Silverline, we’ve helped healthcare companies implement Salesforce Health Cloud. We’ve learned that the most important step before investing in any technology is understanding the answers to these questions. 

Once you understand the data landscape you’re working with, then you can start to put security processes into place. But to do that right, you’ll need to make sure certain features from Salesforce Health Cloud are set up. 

That falls into two categories:

  • Booking, appointments, and referral management: What pieces of information can your patient access personnel see? Do they have access to the full EMR and appointment history, or is that only appropriate for a nurse or doctor to have access to? Understanding which pieces matter (such as insurance, for billing purposes) and which pieces aren’t as important (like lab results) changes how the system works.
  • Patient engagement and customer service: What types of communication do you want to send, and why? As you look toward building a patient-centric organization, it’s important to make sure you’re tailoring every experience, including email, text, and phone communication. But does an individual marketer need to know the full medical history for a patient, or can you segment automated follow-up campaigns without it?

No matter which pieces of information you need, keeping them away from unauthorized eyes and ears is critical. It can be as simple as a checkbox for certain past symptoms, or hiding or showing certain information in the record based on user permissions. And it can all be done within your Salesforce org.
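The two ideas in this section, showing or hiding record fields by a user's permissions and replacing sensitive detail with a simple yes/no checkbox, can be modelled in a few lines. The following is an added example written for this article, not Silverline's or Salesforce's code; it mirrors what Salesforce field-level security and formula fields do, but the roles, field names and sample patient record are constructed for illustration.

```python
"""Role-based field visibility for a patient record (illustrative model).

Added example, not Silverline's or Salesforce's code. Roles, field names,
permission sets and the sample record below are all constructed.
"""

# Constructed permission sets: which record fields each role may read.
# Anything not listed is hidden, so an unknown role sees nothing (deny by default).
FIELD_PERMISSIONS = {
    "scheduler": {"name", "phone", "insurance", "upcoming_appointments"},
    "marketer": {"name", "email", "has_followup_consent", "has_recent_lab_work"},
    "nurse": {"name", "phone", "insurance", "upcoming_appointments",
              "past_appointments", "lab_results"},
}

# Derived checkboxes: a yes/no computed from sensitive fields, so a role can be
# told *that* something exists without ever seeing the underlying values.
DERIVED_FLAGS = {
    "has_recent_lab_work": lambda rec: bool(rec.get("lab_results")),
}

# Constructed sample record; no real patient data.
SAMPLE_PATIENT = {
    "name": "Jane Doe",
    "phone": "555-0100",
    "email": "jane@example.com",
    "insurance": "Example Health 123456",
    "upcoming_appointments": ["2021-06-01 cardiology"],
    "past_appointments": ["2021-03-12 primary care"],
    "lab_results": {"a1c": 6.1},
    "has_followup_consent": True,
}


def can_read(role, field_name):
    """True only if the role's permission set explicitly lists the field."""
    return field_name in FIELD_PERMISSIONS.get(role, set())


def visible_fields(record, role):
    """Return the view of the record that this role is allowed to see.

    Stored fields are copied only when permitted; derived checkboxes are
    computed from the full record but exposed only if the role may read them.
    """
    allowed = FIELD_PERMISSIONS.get(role, set())
    view = {key: value for key, value in record.items() if key in allowed}
    for flag, compute in DERIVED_FLAGS.items():
        if flag in allowed:
            view[flag] = compute(record)
    return view


def hidden_fields(record, role):
    """Stored fields that exist on the record but are withheld from this role."""
    return sorted(set(record) - set(visible_fields(record, role)))


if __name__ == "__main__":
    for role in ("scheduler", "marketer", "nurse", "contractor"):
        print(role, "->", visible_fields(SAMPLE_PATIENT, role))
        print("   hidden:", hidden_fields(SAMPLE_PATIENT, role))
```

The marketer in this model gets a `has_recent_lab_work` checkbox, enough to segment a follow-up campaign, while the lab values themselves stay hidden; that is the same data-minimization question the section asks of each role.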

Extra protection so you never have to worry

Salesforce also offers extra protection for healthcare organizations through Salesforce Shield, which lets you identify suspicious activity, monitor data leakage risks, encrypt data, and more:

  • Field Audit Trail: Create a system of record. See up to ten years of patient data for up to sixty fields per object.
  • Event Monitoring: Gain visibility into data access. Understand which data users are accessing, from which IP addresses, and what actions they are taking on that data.
  • Shield Platform Encryption: Protect patient data. Render sensitive data unreadable by unauthorized persons, but maintain business productivity.
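Event data of the kind Event Monitoring exposes is only useful if someone asks questions of it. The following added example, written for this article rather than taken from Silverline or Salesforce, runs three simple review rules over a constructed, simplified activity log: access to patient records from outside the trusted office network, report exports, and one user touching an unusual number of distinct records. The column names, event type names, network ranges and threshold are illustrative assumptions, not the product's exact schema.

```python
"""Review rules over a constructed activity log (illustrative).

Added example, not Silverline's or Salesforce's code. The CSV below is a
constructed, simplified log in the general shape of an event log export;
its column names and event types are illustrative, not the real schema.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample: one day of activity for three users. The marketer
# account works late from an outside address, reads several records and exports.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,SOURCE_IP,RECORD_ID
Login,2021-05-13T08:00:00Z,u_nurse1,10.20.0.15,
RecordAccess,2021-05-13T08:05:00Z,u_nurse1,10.20.0.15,pat_001
RecordAccess,2021-05-13T08:09:00Z,u_nurse1,10.20.0.15,pat_002
Login,2021-05-13T08:30:00Z,u_sched1,10.20.0.40,
RecordAccess,2021-05-13T08:31:00Z,u_sched1,10.20.0.40,pat_003
Login,2021-05-13T22:10:00Z,u_mkt1,203.0.113.9,
RecordAccess,2021-05-13T22:11:00Z,u_mkt1,203.0.113.9,pat_010
RecordAccess,2021-05-13T22:11:30Z,u_mkt1,203.0.113.9,pat_011
RecordAccess,2021-05-13T22:12:00Z,u_mkt1,203.0.113.9,pat_012
RecordAccess,2021-05-13T22:12:30Z,u_mkt1,203.0.113.9,pat_013
RecordAccess,2021-05-13T22:13:00Z,u_mkt1,203.0.113.9,pat_014
ReportExport,2021-05-13T22:20:00Z,u_mkt1,203.0.113.9,
"""

# Assumed policy values for the example; a real org would set its own.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
BULK_ACCESS_THRESHOLD = 4  # distinct patient records per user per log file
PHI_EVENTS = {"RecordAccess", "ReportExport"}


def parse_log(text):
    """Read the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_trusted_ip(ip):
    """True if the address falls inside one of the trusted office networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_risky_access(rows):
    """Return (rule, user_id, detail) findings, sorted for stable output."""
    findings = set()
    records_by_user = defaultdict(set)
    for row in rows:
        user, ip, event = row["USER_ID"], row["SOURCE_IP"], row["EVENT_TYPE"]
        # Rule 1: PHI-related activity from outside the trusted networks.
        if event in PHI_EVENTS and not is_trusted_ip(ip):
            findings.add(("untrusted_network", user, ip))
        # Rule 2: exports move data out of the system; always queue for review.
        if event == "ReportExport":
            findings.add(("report_export", user, row["TIMESTAMP"]))
        if event == "RecordAccess":
            records_by_user[user].add(row["RECORD_ID"])
    # Rule 3: one user reading unusually many distinct patient records.
    for user, records in records_by_user.items():
        if len(records) > BULK_ACCESS_THRESHOLD:
            findings.add(("bulk_record_access", user, str(len(records))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_risky_access(parse_log(SAMPLE_LOG)):
        print(finding)
```

The point of the example is the shape of the questions, not the thresholds: each rule maps directly to one of the section's concerns (which data, from what IP address, what actions), and the findings can be handed to whoever owns the access review.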

In order to help our clients with their Salesforce Security journey, Silverline offers workshops that bring your team together with our industry experts and security architects. These workshops help clients understand their Salesforce options and align them to their organization’s existing security posture, analyze potential risks in their Salesforce environment, and create a roadmap for the work ahead.

Silverline helps you manage Salesforce so you don’t have to

Every provider works with a different set of tools and technology. Silverline can help make sure you’re set up for HIPAA compliance and protected against data breaches, while making your team more productive and efficient. Learn more about how Silverline can help you get the most out of Salesforce Health Cloud.

Ready to see real results? We can help.
