Healthcare | United States

HIPAA Compliance for Salesforce

Health Insurance Portability and Accountability Act

HIPAA requires covered entities and business associates to implement administrative, physical, and technical safeguards for Protected Health Information (PHI). In Salesforce, this means PHI in production orgs, in every sandbox copy, and in any other copy (exports, backups, integration payloads) must be actively controlled, not just encrypted at rest.

$1.9M

Annual civil penalty cap per violation category (HHS, inflation-adjusted)

60 Days

Maximum breach notification deadline after discovery

6 Years

Minimum record retention for HIPAA documentation

What It Requires in Salesforce

Specific obligations and how Cloud Compliance (CC) addresses each

PHI Protection in Sandbox Environments

45 CFR §164.312(a)

Full-copy (and partial-copy) sandboxes of your Salesforce production org contain real PHI: patient names, dates of service, insurance IDs, and more. HIPAA's technical safeguard requirements apply to these non-production environments exactly as they do to production. Every developer and contractor with sandbox access can query this data directly, through the UI, SOQL, reports, or the API. DataMasker automatically masks PHI during every sandbox refresh, replacing real values with realistic substitutes that preserve data utility for testing.
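As an added illustration of what "mask on every refresh" means mechanically (this is example code, not DataMasker's implementation), the following Apex uses Salesforce's SandboxPostCopy hook to launch a Batch Apex job that overwrites PHI fields on Contact as soon as a sandbox is created or refreshed. Insurance_ID__c and Diagnosis__c are assumed custom fields; the post-copy class is registered by selecting it as the Apex Class on the sandbox definition. Apex requires one top-level class per file, so the two classes below would live in separate files in a real org.

```apex
// Added example, not DataMasker code. Registered as the post-copy Apex class on the
// sandbox definition, so it runs inside the new sandbox after the copy completes.
global class MaskPhiOnSandboxRefresh implements SandboxPostCopy {
    global void runApexClass(SandboxContext context) {
        // Defensive: never run a masker anywhere but a sandbox.
        Organization org = [SELECT IsSandbox FROM Organization LIMIT 1];
        if (!org.IsSandbox) {
            return;
        }
        // The post-copy context is subject to normal governor limits, so hand the
        // work to Batch Apex, which processes Contacts in chunks of 200.
        Database.executeBatch(new MaskContactPhiBatch(), 200);
    }
}

// Separate file in a real org. Insurance_ID__c and Diagnosis__c are assumed custom fields.
global class MaskContactPhiBatch implements Database.Batchable<SObject> {

    global Database.QueryLocator start(Database.BatchableContext bc) {
        return Database.getQueryLocator(
            'SELECT Id, FirstName, LastName, Email, Phone, Birthdate, ' +
            'Insurance_ID__c, Diagnosis__c FROM Contact');
    }

    global void execute(Database.BatchableContext bc, List<Contact> scope) {
        for (Contact c : scope) {
            // SHA-256 of the record Id gives a stable pseudonym: the same patient masks to
            // the same fake identity on every refresh, so test data stays consistent, while
            // nothing in the substitute values can be reversed to the real name.
            String token = EncodingUtil.convertToHex(
                Crypto.generateDigest('SHA-256', Blob.valueOf(String.valueOf(c.Id))))
                .substring(0, 8);
            Integer n = Math.abs(token.hashCode());

            c.FirstName = 'Patient';
            c.LastName  = 'Test-' + token.toUpperCase();
            // example.invalid is a reserved domain: masked addresses can never deliver mail.
            c.Email     = 'patient.' + token + '@example.invalid';
            // 555-0100 to 555-0199 is the fictional number range.
            c.Phone     = '555-01' + String.valueOf(Math.mod(n, 100)).leftPad(2, '0');
            c.Insurance_ID__c = 'INS-' + token.toUpperCase();
            // Shift the birthdate by up to +/- 6 months: age bands stay realistic for
            // testing, the exact date of birth is gone.
            if (c.Birthdate != null) {
                c.Birthdate = c.Birthdate.addDays(Math.mod(n, 365) - 182);
            }
            // Free-text clinical narrative cannot be "shifted" or tokenised; blank it.
            c.Diagnosis__c = null;
        }
        // If triggers or validation rules reject the substitutes, the batch fails loudly.
        // Do not switch to Database.update(scope, false) without logging every failure:
        // a silently unmasked record is the outcome this job exists to prevent.
        update scope;
    }

    global void finish(Database.BatchableContext bc) {
        // Marker for reviewers: confirm this job finished before granting non-admin access.
        System.debug('PHI masking batch complete, job ' + bc.getJobId());
    }
}
```

Two caveats a practitioner should carry over from this toy to a real masker. First, the job only covers one object; in Health Cloud patients are often Person Accounts, and PHI also lives in Cases, custom clinical objects, Chatter posts, files and field history, so the field list must come from an inventory of PHI fields rather than a hand-written query. Second, confirm the batch has completed before any non-admin user is given sandbox access; until it finishes the sandbox still holds production PHI.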

Access Controls & Minimum Necessary Standard

45 CFR §164.514(d)

HIPAA's minimum necessary standard requires limiting PHI access to only what is required for a specific role or task. In Salesforce, this means controlling which users can see which fields, not just which records. Personal Data Discovery identifies every field across your org that contains PHI, enabling precise access control mapping and supporting your HIPAA risk analysis documentation.

Right of Access & Amendment

45 CFR §164.524, §164.526

Patients have the right to inspect and obtain a copy of their PHI (the covered entity must act within 30 days, extendable once by 30 days) and to request amendment of inaccurate or incomplete PHI (acted on within 60 days, extendable once by 30 days). Privacy Rights Automation creates a branded self-service portal on Salesforce that handles access requests, exports patient records in structured formats (PDF, CSV, JSON), and processes amendment requests, with a complete audit trail for HIPAA documentation.

Data Retention & Disposal

45 CFR §164.530(j)

HIPAA requires that the documentation the Privacy and Security Rules call for (policies and procedures, risk analyses, authorizations, accountings of disclosures and similar records) be retained for at least 6 years from its creation or last effective date. Retention of the medical records themselves is set by state law and other regulators, not by HIPAA, and records must be securely disposed of once the applicable window expires. Data Retention automates field-level and record-level retention policies in Salesforce, enforcing retention windows without manual cleanup and generating audit-ready logs of what was retained and what was disposed.
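To make the retention mechanics concrete, here is an added Apex example (not Data Retention's code) of a schedulable batch that disposes of Case records once their retention date has passed and writes an audit record for each disposal before deleting anything. Retention_Expiry__c and Legal_Hold__c are assumed custom fields on Case, and Retention_Log__c is an assumed custom object with the fields shown; replace them with your own retention model.

```apex
// Added example, not Cloud Compliance code. Assumed custom fields: Case.Retention_Expiry__c
// (Date) and Case.Legal_Hold__c (Checkbox); assumed custom object Retention_Log__c with
// Object_Name__c, Record_Id__c, Retention_Rule__c and Disposed_On__c.
global class RetentionDisposalBatch implements Database.Batchable<SObject>, Schedulable {

    global Database.QueryLocator start(Database.BatchableContext bc) {
        // Only records whose retention window has closed; anything under legal hold
        // is excluded regardless of age.
        return Database.getQueryLocator(
            'SELECT Id, CaseNumber FROM Case ' +
            'WHERE Retention_Expiry__c < TODAY AND Legal_Hold__c = false');
    }

    global void execute(Database.BatchableContext bc, List<Case> scope) {
        List<Retention_Log__c> logs = new List<Retention_Log__c>();
        for (Case c : scope) {
            logs.add(new Retention_Log__c(
                Object_Name__c    = 'Case',
                Record_Id__c      = String.valueOf(c.Id),
                Retention_Rule__c = 'Case retention window (Retention_Expiry__c)',
                Disposed_On__c    = System.now()));
        }
        // Evidence first: if writing the audit log fails, nothing is deleted.
        insert logs;
        delete scope;
        // Deleted records stay in the Recycle Bin and remain queryable with ALL ROWS;
        // purge them so the disposal is actually final.
        Database.emptyRecycleBin(scope);
    }

    global void finish(Database.BatchableContext bc) {}

    // Schedulable entry point. Run nightly at 02:00 with:
    // System.schedule('Retention disposal', '0 0 2 * * ?', new RetentionDisposalBatch());
    global void execute(SchedulableContext sc) {
        Database.executeBatch(this, 200);
    }
}
```

The order inside execute is the point: the log row is the evidence auditors will ask for, so it is committed before the delete, and the Recycle Bin purge is what turns "deleted" into "disposed". Field history, attachments and Files related to the Case have their own lifecycle and need their own rule.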


Key Takeaways

HIPAA applies to all sandbox copies, not just production. Full-copy sandboxes contain real PHI and are within HIPAA scope from the moment they are created.

45 CFR §164.312 Technical Safeguards require access controls, audit controls, integrity and transmission protections; encryption is an addressable specification that must be implemented or its omission documented and justified. Unmasked PHI in a sandbox is subject to all of these, and exposing it to developers or contractors with no treatment, payment or operations need is an impermissible use unless the data is masked before access.

Minimum Necessary Standard (45 CFR §164.514(d)): limit PHI access by role and task. Personal Data Discovery identifies PHI fields, enabling precise access control mapping.

Patient Right of Access (45 CFR §164.524): patients can request a copy of their PHI, in the form and format they ask for if it is readily producible, and the covered entity must act within 30 days. Privacy Rights Automation automates this workflow.

6-year minimum retention for HIPAA documentation (45 CFR §164.530(j)); medical record retention itself follows state law. Data Retention enforces retention windows and automates disposal after periods expire, with audit evidence.

100% Salesforce-native architecture: no PHI ever leaves your org. All processing happens in Apex. This simplifies BAA requirements and eliminates third-party data exposure risks from the product itself; Salesforce remains your business associate for the platform, so your BAA with Salesforce is still required.

Who This Applies To

Industries most affected

Healthcare Providers

Hospitals, clinics, and physician practices using Salesforce Health Cloud store patient records, appointment histories, and care coordination data.

Health Plans & Insurers

Insurance companies using Salesforce for member management, claims, and enrollment hold PHI across complex object hierarchies.

Healthcare Technology & SaaS

Health tech companies and ISVs building on Salesforce are business associates under HIPAA with full compliance obligations.

Life Sciences & Pharma

Clinical trial data, patient registries, and adverse event reporting in Salesforce may contain PHI requiring HIPAA controls.

Common Questions

HIPAA Compliance for Salesforce: FAQ

Is patient data in a Salesforce sandbox considered PHI under HIPAA?

Yes. PHI is individually identifiable health information held or transmitted by a covered entity or business associate, in any form or medium. Sandbox copies of a production Salesforce org contain real PHI: patient names, dates of service, insurance IDs, diagnoses, treatment records. HIPAA's Technical Safeguards (45 CFR §164.312) apply to these non-production environments just as they do to production. An impermissible use or disclosure of sandbox PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised (45 CFR §164.402), and a breach is notifiable. DataMasker removes this exposure by masking PHI on every refresh, before developers or contractors access the sandbox.

What does 'minimum necessary' mean under HIPAA, and how does it apply to Salesforce?

45 CFR §164.514(d) requires limiting PHI access to only what is necessary for a specific role or business purpose. In Salesforce, this means field-level security, permission sets and sharing settings must restrict PHI by job function, not just by record. For example, billing staff should not be able to read treatment records. Personal Data Discovery identifies every field containing PHI across your org, enabling precise access control mapping and supporting your HIPAA risk analysis documentation.
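Field-level security only protects PHI if every code path honours it, and Apex runs in system mode by default, so a well-meaning controller can hand a billing user the Diagnosis__c value that FLS hides from them in the UI. The added example below (not Personal Data Discovery's code) shows the two ways to enforce the running user's FLS in Apex, which is the mechanism behind the "minimum necessary" mapping this section and the earlier Access Controls section describe. Insurance_ID__c and Diagnosis__c are assumed custom fields on Contact.

```apex
// Added example, not Cloud Compliance code. Reads PHI from Contact while honouring the
// running user's field-level security, so a profile without access to Diagnosis__c
// never receives it, and records which fields were withheld for the audit trail.
public with sharing class PhiReadService {

    public class PhiReadResult {
        public List<SObject> records;
        // Fields stripped because the running user lacks FLS, keyed by object API name.
        public Map<String, Set<String>> strippedFields;
    }

    // Lenient variant: return what the user may see and report what was withheld.
    public static PhiReadResult readContacts(Set<Id> contactIds) {
        // The query itself runs in system mode; FLS is applied explicitly below so the
        // outcome is observable (and loggable) instead of an exception in the UI.
        List<Contact> raw = [
            SELECT Id, FirstName, LastName, Birthdate, Insurance_ID__c, Diagnosis__c
            FROM Contact
            WHERE Id IN :contactIds
        ];

        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, raw);

        PhiReadResult result = new PhiReadResult();
        // Copies of the records with inaccessible fields removed; the originals are untouched.
        result.records = decision.getRecords();
        // e.g. { 'Contact' => { 'Diagnosis__c' } } for a billing profile.
        result.strippedFields = decision.getRemovedFields();
        return result;
    }

    // Strict variant: refuse the whole read if any selected field is inaccessible.
    // WITH USER_MODE enforces both FLS and sharing and throws a QueryException on
    // violation; WITH SECURITY_ENFORCED is the older equivalent for FLS/object access.
    public static List<Contact> readContactsStrict(Set<Id> contactIds) {
        return [
            SELECT Id, FirstName, LastName, Diagnosis__c
            FROM Contact
            WHERE Id IN :contactIds
            WITH USER_MODE
        ];
    }

    // Pre-flight check for UI code deciding whether to render a PHI field at all.
    public static Boolean canReadDiagnosis() {
        return Schema.sObjectType.Contact.fields.Diagnosis__c.isAccessible();
    }
}
```

Use the lenient variant for screens that legitimately serve several roles (billing sees demographics and Insurance_ID__c, clinicians also see Diagnosis__c) and the strict variant for integrations and exports, where partially redacted output is more dangerous than a hard failure. Either way, the FLS map Personal Data Discovery produces is only as good as the code that respects it: `without sharing` classes, `@AuraEnabled` methods and Flows running in system context all bypass it unless written like the above.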

Can we use Salesforce standard features like field-level security to satisfy HIPAA?

Field-level security is one component of HIPAA compliance, but FLS alone does not satisfy the §164.312 Technical Safeguards. Those safeguards also cover audit controls (§164.312(b)), integrity and transmission security (§164.312(c) and (e)), and the addressable encryption specifications (at rest, §164.312(a)(2)(iv); in transit, §164.312(e)(2)(ii)), each of which must be implemented or its omission documented and justified. In Salesforce terms: field-level encryption at rest means Shield Platform Encryption; encryption in transit is provided by Salesforce (TLS); audit logging of PHI access comes from the Salesforce setup audit trail, Field Audit Trail and Event Monitoring (both part of Shield) together with Cloud Compliance's own logs; and retention, disposal and sandbox security have to be addressed separately. Use field-level security and permission sets as the foundation and add Cloud Compliance for sandbox masking and retention automation.

How do we handle PHI deletion requests from patients?

Patients don't have a 'right to erasure' under HIPAA as they do under GDPR. They do have the right to request amendment of inaccurate or incomplete PHI (45 CFR §164.526), which the covered entity must either accept or deny with a written explanation. Some states (such as California) have added deletion rights under consumer privacy law, though those laws generally exempt PHI that HIPAA already covers. Privacy Rights Automation handles amendment requests with audit trails. For any deletion, document the business reason and the legal authority, because HIPAA and state law generally require records to be retained for treatment, billing and legal purposes.

Does HIPAA require encryption of patient data in Salesforce at rest and in transit?

Encryption is an addressable specification under the Security Rule: at rest, 45 CFR §164.312(a)(2)(iv); in transit, §164.312(e)(2)(ii). 'Addressable' means you implement it where your risk analysis shows it is reasonable and appropriate, and otherwise document why not and what equivalent measure you use instead. Salesforce encrypts data in transit (TLS) by default and encrypts storage at the infrastructure layer, but field-level encryption is not included in standard editions; Salesforce Shield Platform Encryption (or a third-party solution) provides it. Note that Platform Encryption protects data at rest and does not replace field-level security: a user with access to the field still sees the decrypted value. Encryption is only one of several required safeguards; access controls, audit controls and retention policies are equally critical.

How do patients access their own PHI in Salesforce under HIPAA?

45 CFR §164.524 gives patients the right to inspect and obtain a copy of their PHI in a designated record set. The covered entity must act within 30 days of the request (one 30-day extension is permitted) and provide the copy in the form and format requested if it is readily producible, otherwise in a readable hard copy or another agreed form; PHI held electronically must be provided electronically if the patient asks. Privacy Rights Automation creates a branded self-service portal where patients can request access. The system verifies the patient's identity, exports PHI in structured formats (FHIR if using Health Cloud), logs the request, and generates audit evidence for HIPAA documentation.

Ready to Start

See how CC addresses Healthcare compliance in Salesforce

30-minute technical demo. We walk through your specific regulation, map it to your Salesforce data model, and show you exactly how Cloud Compliance addresses each requirement.