The challenge with finding HIPAA-compliant CRM software
For most businesses in healthcare, HIPAA compliance is non-negotiable. However, a lot of businesses are surprised to learn that the largest CRM vendors are not HIPAA-compliant.
While the Salesforce platform is not HIPAA compliant, Salesforce does offer some security customizations and premium services add-ons that can help you achieve and maintain HIPAA compliance — for a price.
Your business can be HIPAA-compliant while using Salesforce. We cover how below.
A basic overview of major CRM vendors and HIPAA compliance
Understanding HIPAA + CRM Software : What you need to know first
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a set of standards that governs the collection, storage, and accessibility of PHI (protected health information) in the US.
Any company or business that handles or processes the PHI of US citizens must adhere to these standards. Check out the HIPAA Compliant Software Guide to learn more about HIPAA compliance requirements.
Covered Entities and Business Associates
HIPAA categorizes the groups responsible for safeguarding PHI into two broad categories — Business Associates and Covered Entities.
- Covered Entities — businesses, organizations, and individuals that deal directly with patients and patient data. Some common examples include:
  - Hospitals
  - Clinics
  - Private doctors
  - Insurance providers
- Business Associates — businesses, organizations, and individuals that work with Covered Entities and whose work with those entities may involve access or exposure to sensitive data and PHI. Some common examples include:
  - Software companies with access/exposure to PHI
  - Data processing companies with access/exposure to PHI
  - Lawyers
  - Accountants
What are Business Associate Agreements?
HIPAA requires that all Covered Entities sign a Business Associates Agreement (BAA) with any business, organization, or individual who may come into contact with PHI as part of their services.
This agreement details the specific responsibilities and procedures for the handling of sensitive data by the parties and, as such, can differ based on the needs, capabilities, and requirements of the parties involved. That said, a BAA must include the following:
- What PHI the Business Associate will be able to access
- What safeguards — physical, technical, and administrative — will be in place to protect the PHI
- The procedures for the storage, transfer, and destruction of PHI
- The procedures to follow in the event of a data breach
- The procedures to follow when terminating the BAA
So then...
Is Salesforce HIPAA compliant?
Salesforce is a Business Associate under HIPAA, but is the Salesforce platform HIPAA compliant?
No. Out of the box, the Salesforce platform is not HIPAA compliant.
That said, your business can be HIPAA-compliant while using Salesforce. In the following few sections, we outline how you can achieve and maintain HIPAA compliance with Salesforce.
The two largest hurdles are typically:
1. Business Associate Agreement
Salesforce requires that you deal with a third-party BAA provider, at your own expense. At first glance this is not a big deal, but read on below to understand common issues faced by Salesforce customers in trying to implement it.
2. Premium Services Add-on
To achieve the security standards required for HIPAA compliance, you must purchase Salesforce Shield — a premium services subscription — adding 20-30% additional cost on top of your subscription. Most CRM providers encrypt data in transit, but their database itself is not encrypted, meaning that a data breach can allow attackers to read information directly out of the database. Encrypting that stored data is what is meant by “encryption at rest.” Salesforce only offers this through its pricey Shield services or via a specific functionality-limited cloud.
Achieving and maintaining HIPAA compliance with Salesforce
Salesforce and the BAA (Business Associate Agreement) — Common Issues
Entering into a BAA with Salesforce can sometimes be a frustrating experience. Some common challenges include:
- Each service may require its own agreement — Salesforce offers a wide array of services, but they don’t all fit together seamlessly. This means that when trying to outline the terms of a BAA, you may be required to sign several different BAAs, each with its own specific rules and guidelines.
- Limited/restricted services — Salesforce does not offer a BAA for all of its services. Even those it does may have limits placed upon the use of those services or on the protections of the BAA when using those services.
- Lack of transparency — There is no publicly available document that details the general guidelines of Salesforce’s BAAs. A Salesforce account representative is required to gather even cursory information about a BAA.
Security customizations
To achieve and maintain HIPAA compliance with Salesforce, you will need to customize data security controls such as:
- Passwords — You will need to customize the rules regarding password length, complexity, authentication, and frequency of password changes to meet HIPAA guidelines.
- Role-based access — You will need to customize the rules around information access in your organization. You will need to set clear guidelines around who can access your Salesforce data, from where, how often, and on what devices.
- Automatic logout parameters — You will need to customize your automatic logout parameters to comply with HIPAA guidelines.
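As an added illustration (not part of the original post), this is what the password and automatic-logout settings above look like when expressed as a Salesforce Metadata API SecuritySettings file; the specific values are assumptions chosen for illustration, since HIPAA does not prescribe exact thresholds, and role-based access is configured separately through profiles and permission sets.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- SecuritySettings.settings-meta.xml (illustrative example; values are assumptions) -->
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <passwordPolicies>
        <!-- Password length and complexity -->
        <minimumPasswordLength>12</minimumPasswordLength>
        <complexity>UpperLowerCaseNumericSpecialCharacters</complexity>
        <!-- Frequency of password changes and reuse restriction -->
        <expiration>NinetyDays</expiration>
        <historyRestriction>12</historyRestriction>
        <!-- Lockout after repeated failed logins -->
        <maxLoginAttempts>FiveAttempts</maxLoginAttempts>
        <lockoutInterval>ThirtyMinutes</lockoutInterval>
    </passwordPolicies>
    <sessionSettings>
        <!-- Automatic logout after inactivity, with no option to keep the session alive -->
        <sessionTimeout>ThirtyMinutes</sessionTimeout>
        <forceLogoutOnSessionTimeout>true</forceLogoutOnSessionTimeout>
        <!-- Tie each session to the IP address it was created from -->
        <lockSessionsToIp>true</lockSessionsToIp>
    </sessionSettings>
</SecuritySettings>
```

Deploying a file like this keeps the settings under version control, so changes to the policy are reviewable rather than made ad hoc in the Setup UI.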
Add-ons and premium subscription services
The Salesforce Shield Platform Encryption add-on is essential to achieving and maintaining HIPAA compliance. It provides:
- More secure data encryption — The out-of-the-box encryption of Salesforce data is limited in functionality and scope.
The Salesforce Shield Platform Encryption add-on features 256-bit AES (Advanced Encryption Standard) instead of the 128-bit AES that comes standard and allows you to encrypt more types of fields and data (documents, spreadsheets, databases).
- More comprehensive activity monitoring — The Salesforce Event Monitoring tool is included with the Shield Platform Encryption add-on. It allows you to track ePHI access (who, when), user activity, and app use.
Additionally, with Field Audit Trail (also included in the Shield Platform Encryption add-on), you can monitor more fields (3x more) and archive data for up to 10 years.
Third-party data storage/backup tools and in-transit encryption
In addition, you will need to look to third party solutions to address the following:
- Third-party data storage/backup tools — Salesforce’s native backup solution is not enough to achieve and maintain HIPAA compliance. You will need to source a data backup solution to help you capture and store your event monitoring logs to meet HIPAA requirements.
- In-transit encryption — Salesforce takes no responsibility for in-transit data encryption. It is on the Covered Entity to find a solution for this.
FreeAgent CRM can help you achieve and maintain HIPAA compliance without all the hassles and costs
FreeAgent is the only major HIPAA-compliant CRM platform.
With FreeAgent, you get hassle-free HIPAA. That means:
- No third party BAAs
- No extra expense or hidden costs for best-in-class security including data encryption in-transit and at-rest
Beyond security and data privacy, FreeAgent CRM is well-suited to the unique needs and requirements of the healthcare, life sciences, and medtech industries, so if you’re torn between a major CRM provider and a vertical healthcare CRM, FreeAgent might be the best of both worlds.
Learn more about FreeAgent CRM for medtech or we invite you to request a demo. Our CRM experts are standing by to provide advice.