Salesforce and HIPAA Security
What is HIPAA?
In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use and disclosure of an individual's health information. Essentially, the Privacy Rule defines how covered entities may use individually identifiable health information, known as protected health information (PHI). 'Covered entity' is a term used throughout HIPAA compliance guidance.
The definition of a covered entity is given in 45 CFR § 160.102 of the Privacy Rule. A covered entity can be a:
What is the purpose of HIPAA?
HIPAA, also known as Public Law 104-191, has two main purposes: to provide continuous health insurance coverage for workers who lose or change their job, and to reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. Other goals include combating abuse, fraud and waste in health insurance and healthcare delivery and improving access to long-term care services and health insurance.
The Security Standards for the Protection of Electronic Protected Health Information (the HIPAA Security Rule) set the standards for patient data security. The Security Rule's standards and implementation specifications are grouped into four major sections, each identifying the safeguards an organization must address to achieve compliance:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Policies, Procedures and Documentation Requirements
What is HIPAA Compliance?
One of the questions we are asked most often is "What is HIPAA compliance?"
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
Who needs to be HIPAA compliant?
HIPAA regulation identifies two types of organizations that must be HIPAA compliant.
- Covered Entities: A covered entity is defined by HIPAA regulation as any organization that collects, creates, or transmits PHI electronically. Health care organizations that are considered covered entities include health care providers, health care clearinghouses, and health insurance providers.
- Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way in the course of work it has been contracted to perform on behalf of a covered entity. There are many examples of business associates because of the wide range of service providers that may handle, transmit, or process PHI. Common examples of business associates affected by HIPAA rules include billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, and accountants.
Is Salesforce HIPAA Compliant?
HIPAA compliance is a complex matter, and one must be very specific and careful when answering that question. Salesforce is not HIPAA compliant out of the box, but it can be configured to meet compliance mandates. Salesforce provides six distinct data security tiers, including roles, profiles, permission sets, data types, custom layouts and field-level access, that can be used to manage and control the HIPAA mandates related to Administrative and Technical Safeguards. Strategic configuration and applied controls in these focused areas allow an organization to comply with HIPAA mandates.
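One way to make the field-level access tier enforceable in custom code, rather than relying on page layouts alone, is shown below. This is an added illustration, not code from this article or from Salesforce; the `Patient_Record__c` object, its fields and the `PhiRecordService` class are hypothetical placeholders.

```apex
// Added example, not from the article: enforce object- and field-level
// security (FLS) in Apex before handing PHI to a caller. The object
// Patient_Record__c and its fields are hypothetical placeholders.
public with sharing class PhiRecordService {

    // What the caller receives: sanitized records plus a record of
    // which fields were withheld from the running user.
    public class AccessResult {
        public List<Patient_Record__c> records = new List<Patient_Record__c>();
        public Map<String, Set<String>> withheldFields = new Map<String, Set<String>>();
    }

    public static AccessResult readPatientRecords(Id accountId) {
        AccessResult result = new AccessResult();

        // Object-level check: the user's profile or a permission set must
        // grant Read on the object. Fail closed rather than returning data.
        if (!Schema.sObjectType.Patient_Record__c.isAccessible()) {
            return result;
        }

        // 'with sharing' makes this query honour the role hierarchy and
        // sharing rules, so only records visible to the user are returned.
        List<Patient_Record__c> rows = [
            SELECT Id, Name, Diagnosis__c, Social_Security_Number__c
            FROM Patient_Record__c
            WHERE Account__c = :accountId
        ];

        // Field-level check: strip every field the user may not read.
        // Page layouts only hide fields in the UI; this enforces FLS in code.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);

        result.records = (List<Patient_Record__c>) decision.getRecords();
        result.withheldFields = decision.getRemovedFields();

        // Surface withheld PHI fields for review; a real deployment would
        // write this to a custom audit object or a monitored log.
        if (!result.withheldFields.isEmpty()) {
            System.debug(LoggingLevel.INFO,
                'Fields withheld by FLS: ' + result.withheldFields);
        }
        return result;
    }
}
```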
HIPAA is the Health Insurance Portability and Accountability Act of 1996. The main documentation about the law is on the U.S. Department of Health and Human Services website.
HIPAA deals with patient data within health care. Patient data must be protected at all times, and breaches of the security of this data can bring fines in the millions of dollars. Just one HIPAA violation could destroy a relationship with a trusted client. When dealing with patient data, you must be constantly aware of this law.