Paubox blog: HIPAA compliant email made easy

How to make Salesforce CRM HIPAA compliant with Paubox

Written by Farah Amod | March 23, 2024

In the healthcare sector, protecting sensitive patient information is a legal obligation. Healthcare organizations often rely on customer relationship management (CRM) platforms like Salesforce to manage patient data and streamline operations. However, using CRM systems in a HIPAA compliant manner requires careful configuration and adherence to security standards. This is where Paubox, a leading provider of HIPAA compliant email solutions, comes into play. 

 

Introduction to Salesforce and HIPAA

Salesforce is a cloud-based CRM platform healthcare organizations utilize to manage customer interactions, from lead generation to patient care. Its product suite includes specialized solutions such as Salesforce Health Cloud for patient engagement, clinical decision support, quality improvement, financial management, and human resources. Additionally, Salesforce offers general-purpose tools like Sales Cloud, Service Cloud, and Marketing Cloud, which can benefit healthcare settings.

 

Is Salesforce HIPAA compliant?

Salesforce offers several features that contribute to its suitability for HIPAA compliance. Encryption, access control, and auditing capabilities are integrated into the platform. Salesforce is willing to sign a BAA and has implemented stringent security measures. However, it is important to note that not all Salesforce products are automatically HIPAA compliant. Customers must inquire if the BAA covers specific features or products and use them accordingly.

Go deeper: 

 

The role of business associate agreements

Business associate agreements (BAAs) are documents that outline the responsibilities of parties handling PHI. Salesforce, as a business associate, signs a BAA with healthcare providers to ensure the appropriate safeguarding of PHI. However, not all Salesforce services are covered under the BAA, and customers must use those services in a manner consistent with their HIPAA obligations. The BAA clarifies Salesforce's role and commitment to maintaining the privacy and security of PHI while acknowledging the shared responsibility for HIPAA compliance.

 

Salesforce and HIPAA compliance

Salesforce is dedicated to providing a secure environment for its customers, especially those in the healthcare sector. The platform implements physical, network, and application security measures to protect infrastructure, data in transit, and access control. Customers can also configure additional security features provided by Salesforce, such as user authentication, access controls, data encryption, audit trails, and data backup and recovery. Salesforce holds various compliance certifications and attestations, further validating its commitment to security and HIPAA compliance.

 

How to make Salesforce HIPAA compliant

Healthcare organizations can leverage Paubox's secure email solutions to achieve HIPAA compliance with Salesforce CRM. Paubox integrates with Salesforce to encrypt all emails containing PHI, providing an additional layer of security. Configuring Salesforce to route emails via Paubox requires organization-level and user-level settings. By creating an email relay and updating user settings, healthcare organizations can ensure that all HIPAA-related emails are encrypted in transit.

 

Here's how you can make Salesforce CRM HIPAA compliant:

  • Organization-level configuration: With administrator credentials, configure Salesforce to allow routing via Paubox. This is done by creating an email relay to Paubox. Here's how to create the email relay
  • User level configuration: Each user should update their Salesforce settings. Toggle the radio button to send via Gmail or Outlook 365 rather than via Salesforce. Ensure your email address is listed as "acceptable" under the "My Email to Salesforce" section. Here's how to set up user-level routing.
  • Test the setup: Send a test message from Salesforce to an external email address. If the setup is successful, the Paubox footer will appear at the bottom of the HIPAA email for confirmation.

Read more: Can Salesforce CRM be HIPAA compliant? 

 

The benefits of using Paubox with Salesforce

Integrating Paubox with Salesforce brings several advantages to healthcare organizations aiming for HIPAA compliance. Paubox's email encryption solution provides end-to-end encryption for sensitive information, including PHI. By using Paubox, organizations can protect patient data during email transmission, ensuring compliance with HIPAA regulations. Paubox also offers features like data loss prevention, secure web forms, and email archiving, further enhancing the security and compliance of Salesforce CRM.

 

Salesforce and Paubox in healthcare

One example of Salesforce and Paubox being used in healthcare is XYZ Hospital. XYZ Hospital implemented Salesforce CRM to manage patient interactions, appointments, and communication. By integrating Paubox's email encryption solution, XYZ Hospital ensures that all patient-related emails, including appointment reminders and health reports, are encrypted and HIPAA compliant. This added layer of security strengthens patient trust and safeguards sensitive information.

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

Can all Salesforce services be used to store, process, or transmit PHI?

No, only the services specifically covered under Salesforce's BAA can be used for PHI-related activities.

 

What is the role of a customer in maintaining HIPAA compliance on Salesforce?

Customers must configure Salesforce services correctly, manage user access to PHI, and use the services in a manner consistent with their HIPAA obligations.

 

Does using Salesforce Shield make an organization automatically HIPAA compliant?

No, while Salesforce Shield provides additional security features, organizations must configure it correctly and use it in conjunction with other security measures to meet HIPAA obligations.