
Is Marketing Cloud HIPAA Compliant?

Salesforce Marketing Cloud Fact - Did you know?


ExactTarget (Marketing Cloud) is covered by the same BAA as Salesforce Health Cloud

Source: Marketing Cloud BAA (Oct 2022)

Short Answer:
Given the official Salesforce document cited above, Marketing Cloud is, in essence, HIPAA compliant; whether a particular deployment is compliant depends, of course, on how it is implemented.

This is not to say there are no BUTS (a few Marketing Cloud modules cannot be used in a HIPAA compliant environment), so before jumping to conclusions, read on!

Important!

Those familiar with HIPAA know that HIPAA laws, standards, regulations, and security policies vary not only between states, but can also differ between jurisdictions, or even between two companies in the same building.
Each case therefore requires validation by your HIPAA officer.

Let's take a further look at some relevant facts:

  • The infrastructure for storing records on ExactTarget servers can be HIPAA compliant. Data is stored in Data Extensions, which are data tables with query capabilities close to those of SQL Server 2016;
  • The entire Marketing Cloud account is password protected with multi-factor authentication (MFA), uses only secure, encrypted connections (including MC Connect, the CRM connector to Sales or Service Cloud, and HTTPS), and offers both role-based and permission-based user capabilities. Together these provide a level of protection and fine-tuning similar to Salesforce CRM;
  • What would not be HIPAA compliant, or at least problematic, is sending ePHI in emails or other communications. The problem may stem from the eventual storage of the sent emails, or from other causes;

  • Marketing Cloud has a Tokenized Sending capability, which should be the answer to sending ePHI from Marketing Cloud in a HIPAA compliant manner.

    The official implementation guide (linked further down) suggests that the purpose of Tokenized Sending is that nothing is stored on the Marketing Cloud side.
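To make the "nothing is stored on the MC side" idea concrete, here is an added illustration of the tokenization pattern in Python. It is not Salesforce code and does not model the actual Tokenized Sending API; the vault, store and send pipeline are assumed stand-ins. The marketing-side store holds only random tokens plus non-PHI segmentation attributes, the ePHI stays in a vault on the covered entity's side, and each token is resolved in memory only at send time, with every lookup written to an audit log. The `contains_phi` check is the kind of control a HIPAA officer could run against the marketing store to confirm no ePHI leaked into it.

```python
"""Generic illustration of the tokenization pattern behind "tokenized sending".

Assumption: this is not Salesforce's Tokenized Sending implementation or API;
it only shows the design principle (tokens in the marketing store, ePHI in a
vault, resolution at send time, audited lookups)."""
import secrets
from dataclasses import dataclass, field

# Constructed sample record; not real PHI.
SAMPLE_PATIENT = {"email": "jane.doe@example.com", "first_name": "Jane"}


class TokenVault:
    """Holds ePHI and issues random, non-derivable tokens for it.

    Assumed to live inside the covered entity's BAA-covered boundary."""

    def __init__(self):
        self._records = {}   # token -> ePHI record
        self.audit_log = []  # list of (event, token, caller)

    def tokenize(self, record):
        # secrets.token_urlsafe yields an unguessable token; nothing about the
        # PHI can be reconstructed from it (unlike, say, a hash of the e-mail).
        token = secrets.token_urlsafe(16)
        self._records[token] = dict(record)
        self.audit_log.append(("tokenize", token, "vault"))
        return token

    def resolve(self, token, caller):
        """Return the ePHI for a token, auditing every lookup (even failures)."""
        record = self._records.get(token)
        self.audit_log.append(("resolve", token, caller))
        if record is None:
            raise KeyError("unknown token")
        return dict(record)


@dataclass
class MarketingStore:
    """Stand-in for a Data Extension: tokens plus non-PHI segmentation data."""
    rows: list = field(default_factory=list)

    def add(self, token, segment):
        self.rows.append({"token": token, "segment": segment})

    def contains_phi(self, phi_values):
        """True if any of the given ePHI strings appears in the stored rows."""
        flat = " ".join(str(v) for row in self.rows for v in row.values())
        return any(str(v) in flat for v in phi_values)


def build_message(row, vault):
    """Resolve the token at send time and render the message in memory.

    The rendered message goes to the sending pipeline only; it is never
    written back into the marketing store."""
    phi = vault.resolve(row["token"], caller="send-pipeline")
    body = f"Hi {phi['first_name']}, your {row['segment']} newsletter is here."
    return {"to": phi["email"], "body": body}


def demo():
    """Run the whole flow once and return the pieces for inspection."""
    vault = TokenVault()
    store = MarketingStore()
    token = vault.tokenize(SAMPLE_PATIENT)
    store.add(token, segment="wellness")
    message = build_message(store.rows[0], vault)
    return vault, store, token, message


if __name__ == "__main__":
    vault, store, token, message = demo()
    print("marketing store holds PHI:", store.contains_phi(SAMPLE_PATIENT.values()))
    print("rendered:", message)
    print("audit:", vault.audit_log)
```

The point to carry over to a real deployment is the separation of duties: the system that segments and sends never persists the resolved ePHI, and the vault's audit log is where a security operations team would look for unexpected resolutions (unknown callers, bulk lookups outside a send window).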

Here is the long answer:

HIPAA regulations do not go as deep as prescribing a list of authorized database providers (e.g. Oracle vs. Microsoft).

There are a few pitfalls to avoid during implementation. One of the HIPAA standard principles is to keep access minimal, and Marketing Cloud can definitely do that.

From a technical standpoint, I see no difference between storing the data in ExactTarget Data Extensions (SQL Server 2016 database) and in Salesforce CRM (Oracle database).

Here is the HHS reference on HIPAA and ePHI:

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Under the General Rules Section on the link above you'll find:

General Rules
  • The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.

    Specifically, covered entities must:

    1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
    2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
    3. Protect against reasonably anticipated, impermissible uses or disclosures; and
    4. Ensure compliance by their workforce.

... What is appropriate for a particular covered entity will depend on the nature of the covered entity's business, as well as the covered entity's size and resources.

So, my interpretation is that there is no difference whether the same person (me) logs into Health Cloud or Marketing Cloud using the same HC user, which allows viewing the exact same ePHI data.

That said, my understanding from the above is that each company's officers decide what's "reasonable and appropriate", and what's the "minimum access" required to operate.
So, to answer yesterday's question, in my view, if there was a HIPAA breach, it occurred when I got the Integration user's credentials and logged in to HC for the first time, not when I connected Marketing Cloud.
For example, first name is PHI, but each company would have to decide whether it's "reasonable and appropriate" to send it in a non-tokenized email.
The same goes for data brought to Marketing Cloud for segmentation, and even email addresses.

One can always be more restrictive in practice while deciding what's "reasonable and appropriate".
This affects productivity and the features we can or cannot use; thus, it has a cost.

I can point out the following security products, each of which serves a purpose:

  • Transparent Data Encryption (TDE) (Encrypt the entire DB)
  • Field Level Encryption on both Health Cloud and Marketing Cloud (Encrypt fields)
  • Salesforce Shield
  • Marketing Cloud Shield
  • Advanced Audit Trail in Marketing Cloud

https://help.salesforce.com/s/articleView?id=sf.mc_overview_salesforce_shield_field_level_encryption_compatibility.htm&type=5

https://ampscript.com/encryption-in-marketing-cloud/

What does Salesforce's Competition say?

https://www.paubox.com/blog/salesforce-marketing-cloud-hipaa-compliant/

This is why it's worth challenging my understanding of the Tokenized Sending feature.
My understanding is based on the latest official documentation:

(Tokenized Sending Implementation Guide)

https://resources.docs.salesforce.com/238/latest/en-us/sfdc/pdf/mc_overview_tokenized_sending_implementation_guide.pdf

Next steps

  • Use a dedicated MC Connect user whose access is limited to the marketing scope (objects and fields).

  • Validate that using Tokenized Sending would satisfy your company's HIPAA compliance requirements.

  • Internally vet the approach: tokenized vs. non-tokenized sending.

  • Consider FLE / Shield / Advanced Audit Trail as complementary products to either approach.

Additional Resources

Whitepaper (how Salesforce protects for HIPAA, and which services are covered):

https://compliance.salesforce.com/en/hipaa


Looking for a Salesforce partner for HIPAA? Email us at Lime now: hipaa@limeweb.ca