The Health Insurance Portability and Accountability Act (HIPAA) represents a top-of-mind concern to any healthcare organization moving to Salesforce. Luckily, the platform offers multiple tools and add-ons to support Salesforce HIPAA compliance on the platform. But you’ll need to customize these security features correctly to do so.
So it helps to have guidance from an implementation partner along the way, but bringing in another party leads to more HIPAA questions. Even as the partner assists you in securing Protected Health Information (PHI) in the cloud, you also must determine the best way to avoid a PHI breach during the implementation project itself.
Before choosing a Salesforce consulting firm, it’s important to ask the right questions to ensure they won’t present any risk of a data breach. Here are the top 3 HIPAA compliance questions to ask.
1. “Are You HIPAA Compliant Yourselves?”
While this question may seem obvious, many Salesforce implementation partners are not HIPAA compliant. This limitation doesn’t prevent these partners from working with “covered entities” (healthcare providers, payers, etc.) under HIPAA. But it does keep them from entering into a business associate agreement (BAA) with covered entities and thus from accessing or handling PHI, severely hampering project efforts.
2. “What Measures Will You Take During the Project to Safeguard PHI?”
Under HIPAA, one primary stipulation on working with third parties states that these parties must only have access to the PHI they need to complete their duties as a third party. So, before even hiring an implementation partner, it’s critical to ask them what measures they typically take to limit their access to your PHI during the project.
The right partner should have detailed knowledge about this topic. But here are some possible implementation practices you can bring to the table as well:
- Have the partner work entirely in one sandbox, and ensure that no PHI exists in that sandbox.
- If your project involves loading data into or out of your Salesforce org, consider having your partner run the load on your internal computers to keep PHI off their hard drives.
- You might even ask your partner to run their entire project from your machines, to safeguard every activity behind your firewall.
- Alternatively, in extreme examples, you can manage every PHI-related task internally.
The solution(s) you choose will ultimately depend on the amount of PHI involved in the project, the ease of isolating that PHI, and whether your implementation partner can enter into a BAA. If they can, your BAA should clearly outline your agreed-on procedures. If they can’t, your team must enact more extreme measures to keep your PHI hidden from your partner.
3. “How Should We Collaborate to Determine My Company’s Compliance Standard?”
Of course, one significant benefit consulting firms provide to healthcare organizations is advisement on Salesforce cloud security. HIPAA’s broad array of requirements and addressable concerns doesn’t lend itself to a one-size-fits-all solution, though. So no partner can definitively tell you how to support HIPAA compliance on Salesforce — it depends on your organization’s data needs and how your different employees need to process PHI.
The best partnerships require back-and-forth dialogue on the client’s security requirements and the partner’s knowledge of Salesforce best practices. And this conversation should start even before signing with a partner. Some crucial questions to ask up front include:
- When in the project will we start considering security? Should we exclusively dedicate one segment of the implementation to it? Or incorporate it as a discussion point within every part of the project?
- What information will you require from me when this discussion starts? How far in advance would you like to see this information?
- What readings on Salesforce security do you recommend, so my team can prepare for the discussion?
The road to HIPAA compliance is long and can take you in multiple directions. It pays to have the right partner by your side. Asking these questions before even starting a project will help you ensure that you choose correctly.
Wondering how to approach security during the project itself? Check out these 13 Salesforce security best practices. This checklist takes 1 minute to read but gives you the tools needed to secure all of your cloud-based data — PHI or otherwise.