
Are Office 365 and Salesforce HIPAA Compliant?

23 Apr., 2018

Companies that process the health information of customers and patients must comply with HIPAA. But are business-minded cloud apps such as Office 365 and Salesforce HIPAA compliant?

Cloud computing, and Software-as-a-Service (SaaS) apps and tools in particular, has made the consolidation of data a lot easier for businesses. SaaS services such as Microsoft Office 365 and Salesforce offer cost-efficient, flexible and scalable processes that employees can reach from anywhere at any time.

That same accessibility exposes cloud-based services to attack from outside the organization, and moving to the cloud does not transfer responsibility: organizations that use these services must still comply with the government and industry regulations that protect individually identifiable health information.

One such set of regulations, the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996 and expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, requires companies to protect Protected Health Information (PHI), with civil penalties of $100 to $50,000 per violation.

HIPAA requires PHI to be safeguarded at rest, in transit, when accessed, when stored in the cloud, and when downloaded to devices. There must also be an audit trail recording who accessed PHI and when, so that a breach can be investigated. These rules extend to business associates, that is, any service provider with access to PHI.

Naturally, these rules also extend to the SaaS services that companies use. The customer relationship management app Salesforce processes customers' names, addresses and transaction history so companies can gain insight into customer interactions. Those records can include personal health information, so the service must support HIPAA compliance. Salesforce publishes its compliance certifications, and HIPAA is among them.

For HIPAA, Salesforce offers the Shield add-on. Its Event Monitoring provides the audit trail, recording which user accessed which data from which IP address, and Shield Platform Encryption adds encryption of stored field data.

Similarly, Office 365 is HIPAA compliant according to Microsoft's own Trust Center. Microsoft publishes guidance on the Exchange Online configurations that cover cloud-based email filtering, Data Loss Prevention policies, data and message encryption, and the other safeguards that help organizations protect sensitive personal information. For audit logs, admins can turn on activity recording, and reports on access logs can be requested from Microsoft to fulfil auditing requirements.

However, Salesforce Shield's encryption only covers Salesforce, and Microsoft's encryption only covers Microsoft services. A solution such as eperi Gateway offers encryption and key management from a single point of control for over 30 common cloud services, including Office 365 and Salesforce. It is built to support HIPAA's requirements as well as those of the General Data Protection Regulation (GDPR), which protects the personal data of people in the European Union.

HIPAA and GDPR overlap here because health data is a special category of personal data under GDPR. If you rely on Salesforce alone, with its own encryption tools, to store health data of people in the EU, you have to verify that the whole Salesforce platform meets both HIPAA and GDPR requirements. Encrypting at the gateway with keys you hold narrows that verification: the provider only ever stores ciphertext, so far less of your compliance posture depends on its internal controls. It does not remove your own obligations as the covered entity or data controller.

It is important to note that with eperi Gateway you alone hold the encryption keys. If you rely only on Office 365 or Salesforce, the provider also has access to the keys, so you are never in complete control of the data protection controls and you must regularly audit the cloud service provider's adherence to data protection and privacy requirements. With eperi Gateway, the provider never receives unencrypted PHI and never gains access to the keys that could decrypt it, so what it stores and processes is ciphertext only. One caveat remains: under HHS guidance a cloud provider that stores encrypted PHI is still a business associate even when it lacks the decryption key, so a business associate agreement is still required. What shrinks is the provider's ability to expose your data, not the contractual paperwork.
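The principle described above, a gateway that encrypts PHI fields with a key only the customer holds before a record ever reaches the SaaS provider, illustrated in Go. This is example code added to the article; it is not eperi's implementation and not any Salesforce or Microsoft API. The PHI field list, the `enc:v1:` marker, the record ID format and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Record is a simplified CRM record: field name -> value.
type Record map[string]string

// phiFields must never reach the provider in the clear (an assumption for this example).
var phiFields = []string{"diagnosis", "ssn", "date_of_birth"}

// prefix marks a stored value as ciphertext so Inbound knows what to decrypt.
const prefix = "enc:v1:"

// Gateway holds the customer-side AEAD key (in production: wrapped by an HSM or KMS).
type Gateway struct{ aead cipher.AEAD }

// NewGateway builds an AES-GCM gateway from a 16-, 24- or 32-byte key.
func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead}, nil
}

// aad binds a ciphertext to its record ID and field name: a value copied into
// another record or field fails authentication when decrypted.
func aad(recordID, field string) []byte {
	return []byte(recordID + "\x00" + field)
}

func copyRecord(rec Record) Record {
	out := make(Record, len(rec))
	for k, v := range rec {
		out[k] = v
	}
	return out
}

// Outbound runs before a record is sent to the provider: each PHI field becomes
// base64(nonce || AES-GCM ciphertext); all other fields pass through unchanged.
func (g *Gateway) Outbound(recordID string, rec Record) (Record, error) {
	out := copyRecord(rec)
	for _, f := range phiFields {
		v, ok := rec[f]
		if !ok || v == "" {
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := g.aead.Seal(nonce, nonce, []byte(v), aad(recordID, f)) // nonce || ct
		out[f] = prefix + base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Inbound runs on records read back from the provider and restores the PHI fields.
func (g *Gateway) Inbound(recordID string, rec Record) (Record, error) {
	out := copyRecord(rec)
	ns := g.aead.NonceSize()
	for _, f := range phiFields {
		v, ok := rec[f]
		if !ok || !strings.HasPrefix(v, prefix) {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, prefix))
		if err != nil || len(raw) < ns+g.aead.Overhead() {
			return nil, fmt.Errorf("field %q: malformed ciphertext", f)
		}
		pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, f))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", f, err)
		}
		out[f] = string(pt)
	}
	return out, nil
}

// ProviderSeesPlaintext reports whether any PHI field in rec is still readable;
// run it on the record the provider stores and expect false.
func ProviderSeesPlaintext(rec Record) bool {
	for _, f := range phiFields {
		if v, ok := rec[f]; ok && v != "" && !strings.HasPrefix(v, prefix) {
			return true
		}
	}
	return false
}
```

Two design points matter for a practitioner evaluating any such gateway. First, the additional authenticated data ties each ciphertext to its record and field, so an attacker with write access at the provider cannot move a diagnosis into another patient's record without the gateway rejecting it on the way back. Second, randomized AES-GCM means the provider cannot search, sort or report on the encrypted fields; products that keep those features working do so with deterministic or tokenized encryption on selected fields, which leaks equality between records, and that trade-off is the question to put to the vendor.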

So, yes: Office 365 and Salesforce can be used in a HIPAA-compliant way, provided they are configured and contracted accordingly. But for full control over patient and employee health information, companies will still want the kind of encryption solution, with customer-held keys, that eperi provides.
