Is Salesforce HIPAA / PHI Compliant?

Jeremy Smith


Is Salesforce HIPAA compliant? We get that question a lot.

It might seem black and white, but the issue is actually a bit more complicated than that. Here's why:

  • HIPAA is not just one law or regulation: there’s the original act itself (from 1996), as well as several relevant subsequent regulations.
  • There is no standard test or evaluation with which to assess a system, especially a “system” like Salesforce, which isn’t really a complete, unchangeable application so much as it is a highly customizable platform with a large ecosystem of apps.
  • The regulations cite “requirements” and “addressable concerns,” the latter of which are not mandatory. But if you’re not abiding by those, you'd better document a legitimate rationale for not doing so!
  • Portions of the regulations are rather ambiguous.
  • The regulations are one thing… but an organization may be beholden to business associate agreements (BAAs) that are more specific, have higher standards, shorter time frames for reporting breaches, etc.
  • “Compliance” means more than technical specifications and features: your use of the system, the systems it integrates with, and your general business practices may render a HIPAA “safe” solution a significant HIPAA compliance risk.

So, how do you figure this out?  We’ll get to our recommendations soon. First, here are a few more questions to consider. Maybe you've been asking them, too:

Q:  Will Salesforce sign a BAA?
A:  Yes, they do all the time, and they have a standard agreement at the ready.

Q:  Will that BAA with Salesforce be enough to cover my compliance needs (for covered entities) or the requirements of my most restrictive BAA with my clients / partners?
A:  That depends on your BAAs and your specific needs. Evaluate Salesforce’s BAA and your other BAAs thoroughly.  Many of our clients are quite satisfied with Salesforce’s standard BAA.

Q:  Can Salesforce safely handle PHI (protected health information)?
A:  Yes, with some caveats.  Keep reading...

There are several ways to work with PHI in Salesforce.com. Depending on your specific BAAs and your interpretation of HIPAA and risk tolerance, you have the following options:

  • Store PHI in Salesforce, and use “out of the box” features of Salesforce to limit access to it and otherwise further secure it.  Many of our customers are satisfied with this approach, especially those that are moving away from far less secure/compliant applications or processes (emailing around Excel files, for example).
  • In addition, purchase Salesforce’s new “Shield” components. These allow for two major enhancements relating to HIPAA: much-improved logging and far more comprehensive encryption of data at rest (an addressable concern).
  • In addition to all of that, take things further by implementing best practices to back up your audit logs “off system”. Note that HIPAA requires maintaining audit logs for 6 years as a minimum, and Shield’s event monitoring/logging feature does not retain data for that long.
  • Still concerned?  Keep your PHI off of Salesforce entirely, but make the PHI you'd want there securely accessible via Salesforce’s “Connect” offering, which utilizes the OData standard. Some clients are more comfortable with this approach, which gives them lots of flexibility relating to logging of PHI access and encryption of data at rest.  It’s easy for us to wrap PHI data sources for OData/Connect use, which means that to your users, the PHI seems to be “in” Salesforce: you can do most tasks (but not all; evaluate constraints while defining your solution) in Salesforce with this “remote” data just as if it were stored in Salesforce.
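The off-system audit-log backup recommended in the third option above, as an added example that is not part of the original post or of Summa's tooling. It assumes (the post does not say this) that Shield's event-monitoring data is read through the standard EventLogFile object of the Salesforce REST API, whose LogFile path serves the CSV to a bearer-token request; the records, Ids, dates and CSV content are constructed samples, and the make_rest_fetch helper only shows how a live org would be wired in. Each archived file is recorded with its SHA-256 and a retain-until date six years out, so a later retention job knows what may be purged and a verification pass can detect a modified or missing file.

```python
"""Off-platform archive of Salesforce event logs with an integrity manifest.
Added example, not code from the original post. Assumes (not stated there)
that Shield event-monitoring data is read through the standard EventLogFile
object of the Salesforce REST API, whose LogFile path serves the CSV to a
bearer-token request. Records and CSV bytes below are constructed samples."""
import hashlib
import json
import tempfile
import urllib.request
from datetime import date
from pathlib import Path

RETENTION_YEARS = 6  # minimum HIPAA audit-log retention cited in the post

# Constructed sample of what SELECT Id, EventType, LogDate, LogFile FROM
# EventLogFile returns (Ids, dates and content are made up).
SAMPLE_RECORDS = [
    {"Id": "0AT0000000000AAA", "EventType": "Login",
     "LogDate": "2024-02-29T00:00:00.000+0000",
     "LogFile": "/services/data/v58.0/sobjects/EventLogFile/0AT0000000000AAA/LogFile"},
    {"Id": "0AT0000000000BBB", "EventType": "ReportExport",
     "LogDate": "2024-03-01T00:00:00.000+0000",
     "LogFile": "/services/data/v58.0/sobjects/EventLogFile/0AT0000000000BBB/LogFile"},
]
SAMPLE_CONTENT = {
    SAMPLE_RECORDS[0]["LogFile"]: b'"EVENT_TYPE","TIMESTAMP","USER_ID"\n"Login","20240229010203.000","005000000000001"\n',
    SAMPLE_RECORDS[1]["LogFile"]: b'"EVENT_TYPE","TIMESTAMP","USER_ID"\n"ReportExport","20240301090000.000","005000000000002"\n',
}

def retention_until(log_date: date) -> date:
    """Earliest purge date: log date plus six years (Feb 29 rolls to Mar 1)."""
    try:
        return log_date.replace(year=log_date.year + RETENTION_YEARS)
    except ValueError:
        return date(log_date.year + RETENTION_YEARS, 3, 1)

def make_rest_fetch(instance_url: str, access_token: str):
    """fetch(path) for a live org; not exercised by the offline demo below."""
    def fetch(path: str) -> bytes:
        req = urllib.request.Request(instance_url + path,
                                     headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req) as resp:
            return resp.read()
    return fetch

def archive_logs(records, fetch, archive_dir: Path) -> int:
    """Store each not-yet-archived log with its SHA-256 and retain-until date in
    manifest.json; idempotent, returns how many records were newly archived."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = archive_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    added = 0
    for rec in records:
        if rec["Id"] in manifest:
            continue  # already archived on an earlier run
        data = fetch(rec["LogFile"])
        log_date = date.fromisoformat(rec["LogDate"][:10])
        fname = f"{log_date.isoformat()}_{rec['EventType']}_{rec['Id']}.csv"
        (archive_dir / fname).write_bytes(data)
        manifest[rec["Id"]] = {"file": fname,
                               "sha256": hashlib.sha256(data).hexdigest(),
                               "log_date": log_date.isoformat(),
                               "retain_until": retention_until(log_date).isoformat()}
        added += 1
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return added

def verify_archive(archive_dir: Path) -> list:
    """Ids whose archived file is missing or no longer matches its recorded hash."""
    manifest = json.loads((archive_dir / "manifest.json").read_text())
    return [log_id for log_id, e in manifest.items()
            if not (archive_dir / e["file"]).exists()
            or hashlib.sha256((archive_dir / e["file"]).read_bytes()).hexdigest() != e["sha256"]]

def demo() -> dict:
    """Archive the samples twice, then tamper with one file to show detection."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "sf-event-logs"
        first = archive_logs(SAMPLE_RECORDS, SAMPLE_CONTENT.__getitem__, archive)
        second = archive_logs(SAMPLE_RECORDS, SAMPLE_CONTENT.__getitem__, archive)
        clean = verify_archive(archive)
        manifest = json.loads((archive / "manifest.json").read_text())
        (archive / manifest["0AT0000000000AAA"]["file"]).write_bytes(b"edited")
        return {"first_run": first, "second_run": second, "clean_check": clean,
                "after_tamper": verify_archive(archive),
                "retain_until": {k: v["retain_until"] for k, v in manifest.items()}}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the archive directory would be storage the Salesforce org cannot write to (and ideally object storage with a retention lock), the manifest would be kept alongside the files so the verification pass can run independently of the org, and the job would be scheduled well inside Shield's own retention window so no daily file ages out before it has been pulled.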

Here are our recommendations regarding approaching HIPAA and Salesforce:

  • Assess your organization’s collective risk tolerance and interpretation of HIPAA, including any BAAs to which you're contractually bound.
  • Learn about the features that will help you protect your PHI: what you get “standard,” what you get with “Shield,” and what you can do with “Connect.”  Note that we highly recommend Shield for clients who are storing PHI on Salesforce!
  • Develop an appropriate solution that meets your needs and relevant legal and system constraints.

Watch our video presentation for an in-depth look at HIPAA compliance, Salesforce, and Shield.


Read more about our healthcare solutions:

Connect with us for a complimentary 1:1 call with our healthcare expert.


Jeremy Smith

As Summa's Director of Solution Architecture, Jeremy assesses client and project goals and constraints, designs effective technical and business solutions, estimates implementation costs and durations, and leads a team of solution architects who do likewise. He also consults as a healthcare industry SME, and is quite passionate about modern art and architecture.