
Is Salesforce Journey Builder HIPAA compliant?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to work well and communicate with patients while remaining HIPAA compliant.

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if Salesforce Journey Builder is HIPAA compliant or not.


About Salesforce Journey Builder


Salesforce Journey Builder is a feature of Salesforce’s Marketing Cloud that helps guide a customer’s journey across multiple channels.

This feature organizes and presents a customer’s lifecycle using event-driven triggers and CRM (customer relationship management). By creating complete customer stories, organizations can learn to cater to their customers and grow their partnerships.

Salesforce Journey Builder also integrates with Salesforce’s Sales Cloud and Service Cloud to make a customer’s experience even more seamless.


Salesforce Journey Builder and the business associate agreement


A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI.

In this instance, Salesforce Journey Builder is a business associate of a healthcare organization if it works with any data that includes electronic PHI (ePHI), like a name or an email address. Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.

Salesforce offers a BAA that includes Salesforce Marketing Cloud. Organizations must be on Salesforce’s Enterprise-Level Slack Plan.


Salesforce Journey Builder and data protection


Once an organization signs a BAA with Salesforce, the company automatically implements core safeguards. These include encryption both at rest and in transit.

Furthermore, Salesforce continuously monitors for security violations and enables audit logging to track activity changes. According to the company’s website, “It is the customer’s responsibility to ensure the secure transmission of PHI data to and from the HIPAA covered services.” This is why organizations can take extra steps to secure PHI through several customizable access controls:


  • Password policies
  • Permissions around data visibility
  • Rules for accessing different types of information


Is Salesforce Journey Builder HIPAA compliant?


The BAA is a key component of HIPAA compliance, and Salesforce will sign a BAA for Marketing Cloud.

Conclusion: Salesforce Journey Builder is HIPAA compliant with a BAA, although organizations should ensure all its endpoints are secure.

