Q: My company sells to the healthcare industry. Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud? I mean, Salesforce is HIPAA compliant, right?
A: You very well may be in violation of HIPAA standards. Here’s why.
Yes, the Salesforce platform itself can be made HIPAA compliant. Salesforce will sign a Business Associate Agreement (BAA), and if you connect Shield as an add-on HIPAA compliance tool, you’ll get monitoring, encryption, and auditing functionality for your Salesforce instance. But that’s only part of the compliance requirements story, because it only covers the data while it’s residing within the Salesforce data storage ecosystem – the data at rest.
HIPAA also applies to data in motion. Simply stated, data containing protected health information that travels over a public network (like the Internet) must be encrypted in transit.
So let’s take a look at your scenario: Suppose you’re a customer service account representative using Service Cloud to view a new support ticket. A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer and he wants to know if his insurance covers the new tests. The customer’s contact information plus a medical condition equals Protected Health Information (PHI) and needs to comply with HIPAA guidelines.
While you’re viewing the information on Service Cloud, it’s covered by HIPAA (see the first paragraph above). But when you reply to that ticket, the PHI is almost always copied as part of the ongoing dialogue thread and is sent from your company to the customer via email or another messaging format. It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible for encrypting the message before it’s sent in order to be HIPAA compliant.
Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce and Salesforce Marketing Cloud, and have the ability to filter by policy rules and keywords and automatically encrypt messages containing PHI. Our solution also adds event monitoring, logging, and tracking for better visibility and governance (proof you need in the event of a HIPAA audit by the feds)!
Summary
Yes, the Salesforce Platform can be made HIPAA compliant. But when you reply to a Service Cloud ticket, that’s data in motion and it’s not Salesforce’s responsibility to encrypt that data. Your company needs to ensure those messages are encrypted between Salesforce, or any customer relationship management platform, and your customers. If not, you’re subject to fines, penalties, data breaches, and loss of reputation.