Business Associate Addendum Restrictions

Last updated: March 15, 2022

This article provides guidance about the Salesforce HIPAA Business Associate Addendum (“BAA”) that Salesforce offers Customers for the HIPAA Covered Services (as defined below). For Customer’s use of a HIPAA Covered Service to be covered by the BAA: (1) Customer and Salesforce must sign a BAA that includes the HIPAA Covered Service; and (2) Customer must comply with the terms of the BAA and this article, to the extent applicable. In the event of a conflict between the BAA and this article, the terms of the BAA govern.

Use of PHI with HIPAA Covered Services

When submitting PHI to, or using PHI with, any of the HIPAA Covered Services, Customer must ensure that the submission of PHI to, or use of PHI with, those HIPAA Covered Services is consistent with Salesforce’s Acceptable Use and External Facing Services Policy, at https://www.salesforce.com/company/legal/agreements/.

Encryption

It is Customer’s responsibility to ensure the secure transmission of PHI data to and from the HIPAA Covered Services.

Customer must encrypt all PHI: (1) transmitted using the HIPAA Covered Services; and (2) to the extent within Customer’s control, stored in the HIPAA Covered Services. That encryption must be consistent with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html, as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.

Service-Specific Restrictions

B2C Commerce Services

The B2C Commerce Covered Services extend Salesforce-maintained cryptography libraries that enable Customer to encrypt, sign, and generate cryptographically strong tokens and secure random identifiers. Customer must implement cryptography whenever Customer stores, processes, or transmits PHI.

Notwithstanding the foregoing, Commerce Cloud Einstein (including services formerly branded by Demandware as Predictive Email) is not covered by the BAA.

Datorama Services

Customer must encrypt PHI whenever Customer stores, processes, or transmits PHI. Customer must not use R_Script functions within calculations with respect to data containing PHI. When creating a custom visualization of the data canvas and/or writing custom code, Customer must ensure that all external resources are HTTPS-based.

Unsecured connections such as HTTP must not be used. When using email to transmit PHI to Datorama, the email provider must support and use encryption.

PHI must not be transmitted to Datorama with FTP or with the “control+shift” connector. Connectors downloaded from the marketplace from any vendor other than Datorama must not be used to transmit PHI. If Customer writes its own custom connector, the connector must only transmit PHI through secure HTTPS calls.

When using the Python retrieval method, Customer must not insert any Python code that contains “http” or other unsecured calls. When PHI is retrieved live through a direct connection to a database using a connection string, the connection string must explicitly specify SSL.

When PHI is transmitted from the Datorama Services, secure HTTPS connections must be used. PHI must not be transmitted from the Datorama Services with FTP. When using email to transmit PHI from the Datorama Services, the email destination provider must support encryption.
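The transport rules in the Datorama section (HTTPS only, no HTTP or FTP, SSL stated in any database connection string, no unsecured calls in Python retrieval code) can be turned into a pre-deployment check on a custom connector's configuration. The following is an added example and is not Salesforce or Datorama code; the endpoint list is constructed, the database schemes it recognises and the `sslmode`/`ssl` query parameters it accepts as "SSL stated" are assumptions, and `insecure_literals` uses Python's `ast` module to find string literals in retrieval code rather than a plain substring search for "http".

```python
"""Pre-deployment transport check for a custom connector handling PHI.

Added example, not Salesforce or Datorama code. Encodes the rules stated in
the Datorama section: HTTPS only, no HTTP, no FTP, and database connection
strings that explicitly state SSL.
"""
import ast
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample of endpoints a connector configuration might contain.
SAMPLE_ENDPOINTS = [
    "https://api.partner.example/v1/claims",
    "http://api.partner.example/v1/claims",
    "ftp://files.partner.example/outbound",
    "postgresql://reporting.example:5432/phi_db?sslmode=require",
    "postgresql://reporting.example:5432/phi_db",
    "mysql://reporting.example:3306/phi_db?ssl=true",
]

# Assumption: these URL schemes denote database connection strings.
DB_SCHEMES = {"postgresql", "postgres", "mysql", "mariadb"}

# Assumption: these query parameters/values count as "SSL stated".
SSL_PARAMS = {
    "sslmode": {"require", "verify-ca", "verify-full"},
    "ssl": {"true", "1", "required"},
}


def check_endpoint(endpoint: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one outbound endpoint or connection string."""
    parts = urlsplit(endpoint.strip())
    scheme = parts.scheme.lower()
    if scheme == "https":
        return True, "HTTPS transport"
    if scheme in DB_SCHEMES:
        params = {k.lower(): [v.lower() for v in vs]
                  for k, vs in parse_qs(parts.query).items()}
        for key, accepted in SSL_PARAMS.items():
            if any(v in accepted for v in params.get(key, [])):
                return True, f"database connection states SSL ({key}={params[key][0]})"
        return False, "database connection string does not state SSL"
    if scheme in ("http", "ftp"):
        return False, f"cleartext {scheme.upper()} transport is not permitted for PHI"
    return False, f"unrecognised scheme '{scheme or '(none)'}'; only HTTPS is permitted"


def audit(endpoints: List[str]) -> List[Tuple[str, str]]:
    """Return every endpoint that fails the check, with the reason."""
    failures = []
    for endpoint in endpoints:
        allowed, reason = check_endpoint(endpoint)
        if not allowed:
            failures.append((endpoint, reason))
    return failures


def insecure_literals(source: str) -> List[str]:
    """Find string literals in Python retrieval code that name a non-permitted transport.

    Walks the syntax tree so that only actual string constants are inspected,
    not comments or identifiers that merely contain the letters 'http'.
    """
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and "://" in node.value:
            if not check_endpoint(node.value)[0]:
                found.append(node.value)
    return found


if __name__ == "__main__":
    for endpoint, reason in audit(SAMPLE_ENDPOINTS):
        print(f"REJECT {endpoint}: {reason}")
    snippet = 'import requests\nresp = requests.get("http://legacy.example/export")\n'
    print("insecure literals in retrieval code:", insecure_literals(snippet))
```

Run the script before promoting a connector; any `REJECT` line is a configuration that would move PHI over a transport the section does not permit. The `ast`-based scan is deliberately narrower than a raw search for "http": it reports only string constants that carry a non-HTTPS scheme, so an HTTPS URL or a comment mentioning "http" does not trigger a false positive.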

Digital Process Automation

To the extent Customer uses PHI obtained from a third-party or external data source in conjunction with Digital Process Automation, Customer is responsible for ensuring its acquisition and use thereof meets HIPAA requirements.

Einstein Services

The Einstein Services are not intended: (1) to be used as a substitute for professional medical or healthcare advice, diagnosis, or treatment; (2) to be used as a medical device, software, or software function for the direct diagnosis of, or in the direct mitigation, treatment, or prevention of, a disease or other condition; or (3) to otherwise infer, predict or interpret an individual's medical or health diagnosis, condition, status, program eligibility, or outcome.

With respect to Einstein Bots, Customer may not: (a) submit PHI to, or use PHI in, any utterance records; or (b) enable any Answer Automation or Input Recommender features or functionality of Einstein Bots that could result in the submission or use of PHI therein.

Government Cloud Plus infrastructure environment

If Customer elects to configure a network connection that terminates outside of the Salesforce Government Cloud Plus environment, Salesforce assumes no responsibility to protect the Customer-configured connection. If Customer configures PHI to be transmitted over a Customer initiated connection, the Customer is responsible for ensuring the connection uses TLS encryption.

Heroku Services

The following restrictions apply to the relevant Heroku Services:

  • Shield Private Spaces: PHI must only be handled inside Shield Private Spaces. Standard Private Spaces and the Common Runtime are not covered by the BAA.
  • Shield Private Dynos: PHI must only be transmitted to and from, and processed by, Shield Private Dynos running inside a Shield Private Space. No other dyno types are covered under the BAA.
  • Shield Private Postgres: PHI must only be transmitted to and from, or stored in, Shield Private Postgres Databases running inside a Shield Private Space. No other Heroku Postgres plans are covered under the BAA.
  • Shield Connect: PHI must only be transmitted and processed by Shield Private Postgres running inside a Shield Private Space connected to a Salesforce organization with a valid and signed BAA.
  • Apache Kafka on Heroku Shield: PHI must only be transmitted to and from, or stored in, Apache Kafka on Heroku Shield data services running inside a Shield Private Space. No other Apache Kafka on Heroku plans are covered under the BAA.
  • Heroku Shield Redis: PHI must only be transmitted to and from, or stored in, Heroku Shield Redis data services running inside a Shield Private Space. No other Heroku Redis plans are covered under the BAA.

In a Private Space, Heroku applications are able to communicate with each other over the local dyno network. If Customer transmits PHI over the local dyno network in a Private Space, Customer must encrypt the PHI in transit.

PHI may be stored, processed, and transmitted within Apache Kafka running in a Shield Private Space with two exclusions: Customer may not use PHI as or in any: (1) Topic Name, or (2) Access Control List (ACL).

To the extent Customer includes PHI in its log data, Customer must explicitly enable the Private Space Logging or use equivalent encryption functionality for all log data. Logging in a Shield Private Space can be configured in two ways: Private Space Logging or standard app-level logging. If Customer has not enabled Private Space Logging, Customer must use Shield Private Space standard app-level logging.

  • Private Space Logging. If Private Space Logging is enabled on a Shield Private Space, then Customer may transmit PHI in the log stream. It is Customer’s responsibility to ensure that such transmissions and subsequent handling of PHI by the receiving log capture service meet HIPAA requirements.
  • Standard app-level logging. If a Shield Private Space uses standard app-level logging, then Customer must not transmit PHI in the log stream. It is Customer’s responsibility to ensure that PHI does not enter the log stream by ensuring that:
    • PHI is not inadvertently logged by a Postgres database. Customer may turn off logging for Customer’s Postgres database by using the --block-logs option when creating the database.
    • PHI is not included in the URL or query string submitted to web processes and logged by the Heroku router.
    • PHI is not printed to stdout by the application process.
Customer can check if Private Space Logging is enabled for a space with the CLI command, which lists the configured log drain, for example:

    $ heroku drains:get --space acme-space
    https://drain.example.com (d.1234abcd-edf8-4321-1234-bf34c9cbda77)

Intelligent Form Reader

Intelligent Form Reader is not intended: (1) to be used as a substitute for professional medical or healthcare advice, diagnosis, or treatment; (2) to be used as a medical device, software, or software function for the direct diagnosis of, or in the direct mitigation, treatment, or prevention of, a disease or other condition; or (3) to otherwise infer, predict or interpret an individual's medical or health diagnosis, condition, status, or outcome.

Interaction Studio

Customer is responsible for ensuring that its use of Interaction Studio in connection with any marketing activities that involve PHI meets HIPAA requirements. To the extent that Customer uses PHI obtained from a third-party or external data source in conjunction with Interaction Studio, Customer is responsible for ensuring its acquisition and use thereof meets HIPAA requirements.

Mulesoft

The following restrictions apply to the relevant Mulesoft service:

  • Anypoint Runtime Manager: PHI must only be handled inside Customer's dedicated Virtual Private Cloud. PHI should further be restricted by using CloudHub’s Dedicated Load Balancing Service where applicable. CloudHub’s non-dedicated runtime environment is not covered by the BAA.
  • Anypoint Monitoring: PHI must only be handled inside Customer’s dedicated Anypoint Monitoring implementation. The dedicated Anypoint Monitoring is available to Customers under the Titanium subscription. PHI should further be restricted by using the tokenizer connector where applicable. Anypoint Monitoring non-dedicated environment is not covered by the BAA.
  • Anypoint MQ: PHI must only be transmitted to and processed by encrypted queues, or payloads that were encrypted by Customer before publishing messages to Anypoint MQ. The time-to-live (TTL) should be set to the minimum value needed. Non-encrypted queues are not covered under the BAA.
  • Anypoint Object Store v2: PHI must only be transmitted to and stored in Object Store v2 for the minimum amount of time necessary for the workload. This requires Customer to set the appropriate time-to-live (TTL). Object Store v2 is not designed for permanent storage.
  • Anypoint Security: Anypoint Security is a set of features that can help Customers secure their PHI within the context of an application network. However, PHI must only be transmitted and processed by CloudHub runtimes running inside a CloudHub Virtual Private Cloud connected to an Anypoint Platform organization with a valid and signed BAA.

In a CloudHub Virtual Private Cloud, runtimes are able to communicate with each other internally as well as externally. If Customer’s application transmits PHI, such application must encrypt the PHI in transit. Customer must validate that PHI is encrypted in the payload and/or in the transmission.

CloudHub provides access to log data that includes deployment messages and events for each worker. CloudHub stores logs of up to 100 MB per application per worker, or for up to 30 days, whichever limit is reached first. If CloudHub Application Logs need to be archived or downloaded at regular intervals for audit, analytics, or similar purposes, use a Custom Log Appender to extract the logs.

If Customer uses CloudHub application logging, then Customer must not transmit PHI in the log stream. It is Customer’s responsibility to ensure that PHI does not enter the log stream by ensuring that:

  1. PHI is not accidentally logged by custom configuration of logging parameters,
  2. PHI is not included in the URL or query string submitted to web processes and logged by the Anypoint Platform, and
  3. PHI is not printed to stdout by the application process.

Customer can transmit PHI in the log stream when using a custom log appender and sending all logs to the source of the Customer’s choosing (Splunk, ELK, etc.). It is Customer’s responsibility to ensure that such transmission and subsequent handling by the receiving log capture service meet HIPAA requirements.
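Both the Heroku standard app-level logging rules and the CloudHub application logging rules above place the same obligation on the application: PHI must not reach the log stream through a logged URL or query string, or through anything the process prints to stdout. The following is an added example, not Heroku, MuleSoft or Salesforce code, showing one defensive control a team can put in front of its Python logger: a `logging.Filter` that redacts the values of designated PHI query parameters and `key=value` fields before a record is emitted, and counts how often it had to do so, which gives operations a signal that some code path is attempting to log PHI. The `PHI_PARAMS` names and the sample log lines are constructed for the example.

```python
"""Redacting log filter that keeps designated PHI fields out of the log stream.

Added example, not Heroku, MuleSoft or Salesforce code. Assumes the
application already knows which parameter/field names carry PHI.
"""
import logging
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed: parameter and field names this application treats as PHI.
PHI_PARAMS = {"mrn", "patient_id", "dob", "diagnosis"}

URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")
KV_PATTERN = re.compile(
    r"\b(" + "|".join(sorted(PHI_PARAMS)) + r")=([^\s&,;]+)", re.IGNORECASE
)


def scrub_url(url: str) -> str:
    """Replace the value of every PHI query parameter in a URL with REDACTED."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, "REDACTED" if k.lower() in PHI_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


def scrub_text(text: str) -> str:
    """Scrub PHI parameter values in embedded URLs, then loose key=value fields."""
    text = URL_PATTERN.sub(lambda m: scrub_url(m.group(0)), text)
    return KV_PATTERN.sub(lambda m: f"{m.group(1)}=REDACTED", text)


class PhiRedactingFilter(logging.Filter):
    """Rewrites each record's message in place and counts redactions.

    Records are never dropped, so operational information survives; the
    counter lets a deployment alert when application code tries to log PHI.
    """

    def __init__(self) -> None:
        super().__init__()
        self.redactions = 0

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()          # applies %-style args, if any
        cleaned = scrub_text(message)
        if cleaned != message:
            self.redactions += 1
            record.msg = cleaned               # already fully formatted
            record.args = ()                   # prevent a second % formatting pass
        return True


# Constructed sample lines of the kind a web process might emit.
SAMPLE_LINES = [
    "GET https://app.example/visits?mrn=12345&page=2 200",
    "lookup failed patient_id=98765 reason=timeout",
    "worker started on port 5000",
]


def run_filter(messages: List[str]) -> Tuple[List[str], int]:
    """Push messages through the filter as real LogRecords; return (output, redaction count)."""
    phi_filter = PhiRedactingFilter()
    output = []
    for message in messages:
        record = logging.LogRecord("app", logging.INFO, "app.py", 0, message, (), None)
        phi_filter.filter(record)
        output.append(record.getMessage())
    return output, phi_filter.redactions


if __name__ == "__main__":
    handler = logging.StreamHandler()          # stdout/stderr -> router/log drain
    handler.addFilter(PhiRedactingFilter())
    logger = logging.getLogger("app")
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    for line in SAMPLE_LINES:
        logger.info(line)
```

Attach the filter to every handler whose output ends up on stdout, since that is the stream the Heroku router and CloudHub worker logs capture. The filter is a last line of defence, not a substitute for the rules in the text: PHI should be kept out of URLs and print statements in the first place, and a non-zero redaction count should be treated as a bug to fix rather than as normal operation.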

If Anypoint Monitoring Logging is enabled in the dedicated option available under the Titanium subscription then Customer may transmit PHI in the log stream, or use the log tokenization connector to tokenize the logs or items in the logs. It is Customer's responsibility to ensure such transmission, and subsequent handling, meet HIPAA requirements.

Service Cloud Voice

Bring Your Own Telephony (BYOT)-based implementations of Service Cloud Voice must be manually configured by Customer. Customer is responsible for ensuring that its use of any third-party telephony service in conjunction with Service Cloud Voice meets HIPAA requirements.

Slack Enterprise Plans

Prerequisites to BAA Coverage

1. Enterprise-Level Slack Plan. Customer must purchase an enterprise-level Slack plan.

2. Written Notice to Slack of Permitted Organizations or Workspaces. To ensure workspaces are properly provisioned and supported, Customer must notify Slack in advance in writing of the name and URL of each organization or workspace with which Customer intends to submit, collect, or use PHI. For Enterprise Grid customers, Slack will enable the backend HIPAA flag for all workspaces within the designated organization, including new workspaces later created within that organization. Please note that BAA coverage will NOT automatically extend to every organization or workspace owned by a given Customer.

3. Written Confirmation from Slack of Backend HIPAA Enablement. Once Slack has confirmed in writing (including by email) that the organizations or workspaces are approved, the BAA will apply to them.

Required Slack Limitations for PHI

By purchasing Slack, Customer has available the full capabilities of the purchased Slack services. However, if Customer or Customer’s users transmit, upload, or communicate about PHI through the Slack services, Customer must comply with the following limitations:

1. Slack Users. The Slack services are designed for work collaboration but may not be used to communicate with patients, plan members, or their families or employers. Patients, plan members, and their families or employers may not be added as users or guests to any Slack workspaces or channels.

2. PHI-Prohibited Slack Fields. Users may not include PHI in any of the following:

Users may include PHI in the contents of messages, files, huddles, and video and audio clips.

3. Support Requests. When initiating a support request through any means, including through a “/feedback” command in a Slack channel, through the Slack website “Contact Us” page, or through Slack’s Live Chat offering, users must not include any PHI in the support request or attach any screenshots or documents that include PHI.

4. Email Ingestion. Users that transmit or receive any PHI by email must not use Slack’s native email ingestion capabilities to forward emails into Slack.

5. Slack Connect. Slack Connect allows users from different companies to communicate and collaborate right in Slack. If Customer uses Slack Connect to communicate between two separate organizations, Customer must ensure that Customer has the appropriate permissions, where necessary, to share PHI with such recipients and that such communications comply with applicable legal requirements.

Slack Guide for HIPAA Entities

Customer must also review and appropriately inform its users regarding the Slack Guide for HIPAA Entities, as updated from time to time. It is Customer’s responsibility to ensure that the configuration limitations included within the Slack Guide for HIPAA Entities work with Customer’s desired use of the product.

HIPAA Covered Services

The online services listed below provided to Customer by SFDC comprise the “HIPAA Covered Services”; provided, however, that the HIPAA Covered Services do not include any portion of such Services that are deployed on Customer’s premises. Unless specifically noted below, the HIPAA Covered Services include the online services when operating on Salesforce first party infrastructure, Hyperforce (formerly Salesforce Unified Cloud) infrastructure, or other public cloud infrastructure.

B2B Commerce (formerly branded as CloudCraze)

B2B2C Commerce (formerly branded as 1Commerce), but only when provisioned on Salesforce first party infrastructure

B2C Commerce Services presently branded as Commerce Cloud Digital (B2C Commerce GMV or B2C Commerce PPO)

Chatter

Database.com

Datorama Services presently branded as Datorama, but only when provisioned on infrastructure provided by Amazon Web Services in its capacity as an SFDC Subcontractor, and Datorama Reports for Marketing Cloud

Digital Process Automation

Einstein Services presently branded as Einstein Bots, Einstein Case Classification, Einstein Prediction Builder, and Einstein Vision and Language

Emergency Program Management

ExactTarget

Experience Cloud (formerly branded as Communities or Community Cloud)

Government Cloud Plus infrastructure environment

Health Cloud

Heroku Services presently branded as Heroku’s Shield Private Spaces, Shield Private Dynos, Shield Connect, Shield Private Postgres, and Apache Kafka on Heroku Shield

Intelligent Form Reader, but only when used in conjunction with the HIPAA Covered Services identified herein

Interaction Studio (exclusive of Interaction Studio (Legacy)), but only when provisioned on infrastructure provided by Amazon Web Services in its capacity as an SFDC Subcontractor

IoT Explorer

Lightning B2B Commerce

Lightning Platform (including Force.com and Salesforce Surveys)

Mulesoft Services presently branded as Anypoint Runtime Manager, Anypoint Monitoring, Anypoint MQ, Anypoint Object Store v2 and Anypoint Security

Nonprofit Cloud Case Management, but only when provisioned on Salesforce first party infrastructure

Quip Services presently branded as Quip Starter, Quip Enterprise, Quip for Salesforce, Quip Virtual Private Cloud, Quip Mobile, and Quip Live App Platform

Sales Cloud

Marketing Cloud Customer Data Platform (formerly branded as Customer 360 Audiences)

Salesforce Maps Services presently branded as Salesforce Maps, Salesforce Maps Advanced, Territory Planning, and Live Tracking

Salesforce Mobile app

Salesforce Order Management

Salesforce Private Connect

Service Cloud (including Field Service (formerly branded as Field Service Lightning) and Live Agent)

Site.com

Service Cloud Voice, but only when provisioned on Salesforce first party infrastructure and Hyperforce infrastructure

Slack Enterprise Plans (once confirmed by Slack to be HIPAA-enabled)

Tableau CRM (formerly branded as Einstein Analytics)

Vlocity Health package, but only when provisioned on Salesforce first party infrastructure