Paubox blog: HIPAA compliant email made easy

Is SalesLoft HIPAA compliant? (Update 2024)

Written by Kapua Iao | April 03, 2020

SalesLoft is an artificial intelligence (AI) powered revenue workflow platform that helps organizations increase revenue and customer engagement. Many healthcare organizations use such solutions to connect and communicate with current and prospective patients. To do so, however, those within the healthcare industry need to work with vendors that are HIPAA compliant.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. SalesLoft still does not mention a BAA on its website and may not be HIPAA compliant.


What is SalesLoft?

SalesLoft is a cloud-based sales engagement platform; its first product focused solely on sales development. Since then, the company has expanded to offer functionality for an entire sales department. Organizations can employ SalesLoft to increase revenue, drive predictability, and reduce costs.

By using SalesLoft, organizations can automate the sending and receiving of data from the customer relationship management (CRM) platform of their choice. A CRM collects patient data to identify ways to improve the patient journey. Automation, then, allows for more personalized and more timely communication with patients without manual intervention.


Is SalesLoft a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

  • Permitted uses and disclosures of PHI
  • Safeguards for protecting PHI
  • Reporting and mitigation of security incidents
  • Compliance with HIPAA regulations
  • Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is the primary factor to weigh when evaluating whether SalesLoft can be HIPAA compliant. SalesLoft is a business associate of a healthcare organization if it stores, processes, or transmits that organization's PHI in the cloud.


SalesLoft and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. In 2020, we checked the SalesLoft website and were unable to find information on HIPAA or a possible BAA. A recent SalesLoft compliance web page, however, states that the company is compliant with HIPAA.

On the same page, SalesLoft also lists its compliance with the following standards and regulations: the Payment Card Industry Security (PCI) standard, the Fair Debt Collection Practices Act (FDCPA), the Fair Credit Reporting Act (FCRA), and SSAE 16. The web page, however, does not include any information on how the company achieves compliance. Moreover, there is no other mention of HIPAA on the SalesLoft website and no mention of a BAA.


SalesLoft, the cloud, and data security

While HIPAA doesn't explicitly mention cloud services, it does impose rules for protecting sensitive patient data. In 2023, we created a HIPAA compliant checklist for cloud services to address the increasing use of the cloud within healthcare. The cloud offers flexibility and convenience but also increases an organization's attack surface. Many cloud tools are available, but not all meet HIPAA requirements for encryption, data backup, and access controls.

According to SalesLoft, it uses strong security protocols. Data is hosted at Amazon and Google data centers using Amazon Web Services and Google Cloud Platform technology. Furthermore, the company utilizes access controls, backups, tests, and other protections to keep stored data safe.

Nowhere does SalesLoft state that its current cybersecurity features are HIPAA compliant.


Is SalesLoft HIPAA compliant?

The BAA is a necessary component of HIPAA compliance, and SalesLoft does not mention a BAA on its website even though the company says that it is HIPAA compliant. Conclusion: SalesLoft may not be HIPAA compliant.


Understanding HIPAA compliance

Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:

  • Technical safeguards: Mitigate risks associated with cyber threats, hacking, malware, and other security incidents with strong technical safeguards. Tools such as perimeter defenses (e.g., firewalls) and HIPAA compliant email are equally vital as additional layers of protection.
  • Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
  • Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
  • Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.