Business Associate Addendum Restrictions

Last updated on: July 12, 2021
 
This article provides guidance about the Salesforce HIPAA Business Associate Addendum (“BAA”) that Salesforce offers Customers for the HIPAA Covered Services (as defined below) that are covered under the BAA, as discussed below. For Customer’s use of a HIPAA Covered Service to be covered by the BAA: (1) Customer and Salesforce must sign a BAA that expressly includes the HIPAA Covered Service; and (2) Customer must comply with the terms of the BAA and this article, to the extent applicable. In the event of a conflict between the BAA and this article, the terms of the BAA govern.

Use of PHI with HIPAA Covered Services

When submitting PHI to, or using PHI with, any of the HIPAA Covered Services, Customer must ensure that the submission of PHI to, or use of PHI with, those HIPAA Covered Services is made in accordance with Salesforce’s Acceptable Use and External Facing Services Policy, at https://www.salesforce.com/company/legal/agreements/.

Encryption

It is Customer’s responsibility to ensure the secure transmission of PHI data to and from the HIPAA Covered Services.

Customer must encrypt all PHI: (1) transmitted using the HIPAA Covered Services; and (2) to the extent within Customer’s control, stored in the HIPAA Covered Services. That encryption must be consistent with the Secretary of HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html, as it may be updated from time to time, and as may be made available on any successor or related site designated by HHS.

Service-Specific Restrictions

B2C Commerce Services

The B2C Commerce Covered Services extend Salesforce-maintained cryptography libraries that enable Customer to encrypt, sign, and generate cryptographically strong tokens and secure random identifiers. Customer must implement cryptography whenever Customer stores, processes, or transmits PHI.

Notwithstanding the foregoing, Commerce Cloud Einstein (including services formerly branded by Demandware as Predictive Email) is not covered by the BAA.

Datorama Services

Customer must encrypt PHI whenever Customer stores, processes, or transmits PHI. Customer must not use R_Script functions within calculations with respect to data containing PHI. When creating a custom visualization of the data canvas and/or writing custom code, Customer must ensure that all external resources are HTTPS-based.

Unsecured connections such as HTTP must not be used. When using email to transmit PHI to Datorama, the email provider must support and use encryption.

PHI must not be transmitted to Datorama with FTP or with the “control+shift” connector. Connectors downloaded from the marketplace from any vendor other than Datorama must not be used to transmit PHI. If Customer writes its own custom connector, the connector must only transmit PHI through secure HTTPS calls.

When using the Python retrieval method, Customer must not insert any Python code that contains “http” or other unsecured calls. When PHI is connected or retrieved live through a direct connection to a database using a connection string, the connection string must explicitly specify SSL.

When PHI is transmitted from the Datorama Services, secure HTTPS connections must be used. PHI must not be transmitted from the Datorama Services with FTP. When using email to transmit PHI from the Datorama Services, the email destination provider must support encryption.
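An added pre-flight checker for the Datorama transport rules in this section (example code, not Datorama's or Salesforce's own tooling): it flags non-HTTPS external resources and connector targets, unsecured URLs in custom retrieval code, and direct-connect strings that do not state SSL. The SSL parameter names it recognises (libpq `sslmode`, JDBC-style `ssl`/`useSSL`, SQL Server `Encrypt`) are assumptions about common drivers, not requirements taken from this article.

```python
import re
from urllib.parse import parse_qs, urlparse

# Added example, not Datorama's or Salesforce's own tooling. The SSL parameter
# names below are assumptions about common database drivers (libpq "sslmode",
# JDBC-style "ssl"/"useSSL", SQL Server "Encrypt"); adjust for your driver.
_SSL_PARAMS = {
    "sslmode": {"require", "verify-ca", "verify-full"},
    "ssl": {"true"}, "usessl": {"true"}, "encrypt": {"true"},
}

def check_endpoint(url: str) -> list[str]:
    """External resources and custom-connector targets must be HTTPS; HTTP and FTP are out."""
    scheme = urlparse(url).scheme.lower()
    return [] if scheme == "https" else [f"{url}: scheme '{scheme or 'none'}' is not https"]

def check_retrieval_code(code: str) -> list[str]:
    """Custom Python retrieval code must not make http:// (or ftp://) calls."""
    return [f"line {n}: unsecured URL in retrieval code"
            for n, line in enumerate(code.splitlines(), 1)
            if re.search(r"\b(http|ftp)://", line, re.IGNORECASE)]

def _conn_params(conn: str) -> dict[str, str]:
    """Flatten a URL-style or key=value-style connection string into lower-cased params."""
    if "://" in conn:
        return {k.lower(): v[-1].lower() for k, v in parse_qs(urlparse(conn).query).items()}
    return {k.lower(): v.lower() for k, v in re.findall(r"([\w.]+)\s*=\s*([^;\s]+)", conn)}

def check_connection_string(conn: str) -> list[str]:
    """Direct-connect strings must state SSL explicitly and must not downgrade it."""
    params = _conn_params(conn)
    for key, accepted in _SSL_PARAMS.items():
        if key in params:
            return [] if params[key] in accepted else [f"{key}={params[key]} does not require SSL"]
    return ["connection string does not state SSL"]

def audit(endpoints: list[str], retrieval_code: str, conn: str) -> list[str]:
    """Collect every finding; an empty list means the configuration passes these checks."""
    findings = [f for url in endpoints for f in check_endpoint(url)]
    findings += check_retrieval_code(retrieval_code)
    findings += check_connection_string(conn)
    return findings

if __name__ == "__main__":
    # Constructed sample configuration; every value here is made up.
    for finding in audit(
        ["https://cdn.example.com/viz.js", "ftp://files.example.com/export.csv"],
        "import requests\nr = requests.get('http://api.example.com/patients')\n",
        "postgresql://db.example.com/phi?sslmode=disable",
    ):
        print(finding)
```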

Einstein Services

The Einstein Services are not intended: (1) to be used as a substitute for professional medical or healthcare advice, diagnosis, or treatment; (2) to be used as a medical device, software, or software function for the direct diagnosis of, or in the direct mitigation, treatment, or prevention of, a disease or other condition; or (3) to otherwise infer, predict or interpret an individual's medical or health diagnosis, condition, status, program eligibility, or outcome.

With respect to Einstein Bots, Customer may not: (a) submit PHI to, or use PHI in, any utterance records; or (b) enable any Answer Automation or Input Recommender features or functionality of Einstein Bots that could result in the submission or use of PHI therein.

Government Cloud Plus infrastructure environment

If Customer elects to configure a network connection that terminates outside of the Salesforce Government Cloud Plus environment, Salesforce assumes no responsibility to protect the Customer-configured connection. If Customer configures PHI to be transmitted over a Customer-initiated connection, Customer is responsible for ensuring the connection uses TLS encryption.

Heroku Services

The following restrictions apply to the relevant Heroku Services:

  • Shield Private Spaces: PHI must only be handled inside Shield Private Spaces. Standard Private Spaces and the Common Runtime are not covered by the BAA.
  • Shield Private Dynos: PHI must only be transmitted to and from, and processed by, Shield Private Dynos running inside a Shield Private Space. No other dyno types are covered under the BAA.
  • Shield Private Postgres: PHI must only be transmitted to and from, or stored in, Shield Private Postgres Databases running inside a Shield Private Space. No other Heroku Postgres plans are covered under the BAA.
  • Shield Connect: PHI must only be transmitted and processed by Shield Private Postgres running inside a Shield Private Space connected to a Salesforce organization with a valid and signed BAA.
  • Apache Kafka on Heroku Shield: PHI must only be transmitted to and from, or stored in, Apache Kafka on Heroku Shield data services running inside a Shield Private Space. No other Apache Kafka on Heroku plans are covered under the BAA.
  • Heroku Shield Redis: PHI must only be transmitted to and from, or stored in, Heroku Shield Redis data services running inside a Shield Private Space. No other Heroku Redis plans are covered under the BAA.

In a Private Space, Heroku applications are able to communicate with each other over the local dyno network. If Customer transmits PHI over the local dyno network in a Private Space, Customer must encrypt the PHI in transit.

PHI may be stored, processed, and transmitted within Apache Kafka running in a Shield Private Space with two exclusions: Customer may not use PHI as or in any: (1) Topic Name, or (2) Access Control List (ACL).

To the extent Customer includes PHI in its log data, Customer must explicitly enable the Private Space Logging or use equivalent encryption functionality for all log data. Logging in a Shield Private Space can be configured in two ways: Private Space Logging or standard app-level logging. If Customer has not enabled Private Space Logging, Customer must use Shield Private Space standard app-level logging.

  • Private Space Logging. If Private Space Logging is enabled on a Shield Private Space, then Customer may transmit PHI in the log stream. It is Customer’s responsibility to ensure that such transmissions and subsequent handling of PHI by the receiving log capture service meet HIPAA requirements.
  • Standard app-level logging. If a Shield Private Space uses standard app-level logging, then Customer must not transmit PHI in the log stream. It is Customer’s responsibility to ensure that PHI does not enter the log stream by ensuring that:
    • PHI is not inadvertently logged by a Postgres database. Customer may turn off logging for Customer’s Postgres database by using the --block-logs option when creating the database.
    • PHI is not included in the URL or query string submitted to web processes and logged by the Heroku router.
    • PHI is not printed to stdout by the application process.
  • Customer can check if Private Space Logging is enabled for a space with the CLI command:
      $ heroku drains:get --space acme-space
    The output lists the configured drain URL and its drain token, for example:
      https://drain.example.com (d.1234abcd-edf8-4321-1234-bf34c9cbda77)

Intelligent Form Reader

Intelligent Form Reader is not intended: (1) to be used as a substitute for professional medical or healthcare advice, diagnosis, or treatment; (2) to be used as a medical device, software, or software function for the direct diagnosis of, or in the direct mitigation, treatment, or prevention of, a disease or other condition; or (3) to otherwise infer, predict or interpret an individual's medical or health diagnosis, condition, status, or outcome.

Mulesoft

The following restrictions apply to the relevant Mulesoft service:

  • Anypoint Runtime Manager: PHI must only be handled inside Customer's dedicated Virtual Private Cloud. PHI should further be restricted by using CloudHub’s Dedicated Load Balancing Service where applicable. CloudHub’s non-dedicated runtime environment is not covered by the BAA.
  • Anypoint Monitoring: PHI must only be handled inside Customer’s dedicated Anypoint Monitoring implementation. The dedicated Anypoint Monitoring is available to Customers under the Titanium subscription. PHI should further be restricted by using the tokenizer connector where applicable. Anypoint Monitoring non-dedicated environment is not covered by the BAA.
  • Anypoint MQ: PHI must only be transmitted to and processed by encrypted queues, or payloads that were encrypted by Customer before publishing messages to Anypoint MQ. The time-to-live (TTL) should be set to the minimum value needed. Non-encrypted queues are not covered under the BAA.
  • Anypoint Object Store v2: PHI must only be transmitted to and stored in Object Store v2 for the minimum amount of time necessary for the workload. This requires Customer to set the appropriate time-to-live (TTL). Object Store v2 is not designed for permanent storage.
  • Anypoint Security: Anypoint Security is a set of features that can help Customers secure their PHI within the context of an application network. However, PHI must only be transmitted and processed by CloudHub runtimes running inside a CloudHub Virtual Private Cloud connected to an Anypoint Platform organization with a valid and signed BAA.

In a CloudHub Virtual Private Cloud, runtimes are able to communicate with each other internally as well as externally. If Customer’s application transmits PHI, such application must encrypt the PHI in transit. Customer must validate that PHI is encrypted in the payload and/or in the transmission.

CloudHub provides access to log data that includes deployment messages and events for each worker. CloudHub stores logs of up to 100 MB per application per worker, or for up to 30 days, whichever limit is reached first. If CloudHub Application Logs need to be archived or downloaded at regular intervals for audit, analytics or similar purposes, use a Custom Log Appender to extract the logs.

If Customer uses CloudHub application logging, then Customer must not transmit PHI in the log stream. It is Customer’s responsibility to ensure that PHI does not enter the log stream by ensuring that:

  1. PHI is not accidentally logged by custom configuration of logging parameters,
  2. PHI is not included in the URL or query string submitted to web processes and logged by the Anypoint Platform, and
  3. PHI is not printed to stdout by the application process.

Customer can transmit PHI in the log stream when using a custom log appender and sending all logs to the source of the Customer’s choosing (Splunk, ELK, etc.). It is Customer’s responsibility to ensure that such transmission and subsequent handling by the receiving log capture service meet HIPAA requirements.

If Anypoint Monitoring Logging is enabled in the dedicated option available under the Titanium subscription then Customer may transmit PHI in the log stream, or use the log tokenization connector to tokenize the logs or items in the logs. It is Customer's responsibility to ensure such transmission, and subsequent handling, meet HIPAA requirements.

HIPAA Covered Services

The online services listed below provided to Customer by SFDC comprise the “HIPAA Covered Services”; provided, however, that the HIPAA Covered Services do not include any portion of such Services that are deployed on Customer’s premises. Unless specifically noted below, the HIPAA Covered Services include the online services when operating on Salesforce first party infrastructure, Salesforce Unified Cloud (Hyperforce) infrastructure, or other public cloud infrastructure.

B2B Commerce (formerly branded as CloudCraze)

B2C Commerce Services presently branded as Commerce Cloud Digital (B2C Commerce GMV or B2C Commerce PPO) 

Datorama Services presently branded as Datorama, but only when provisioned on infrastructure provided by Amazon Web Services in its capacity as an SFDC Subcontractor, and Datorama Reports for Marketing Cloud

Einstein Services presently branded as Einstein Bots, Einstein Case Classification, Einstein Prediction Builder, and Einstein Vision and Language

Chatter

Database.com

Emergency Program Management

ExactTarget

Experience Cloud (formerly branded as Communities or Community Cloud)

Lightning B2B Commerce, but only when provisioned on the Salesforce Unified Cloud (Hyperforce) infrastructure

Lightning Platform (including Force.com and Surveys)

Government Cloud Plus infrastructure environment 

Health Cloud

Heroku Services presently branded as Heroku’s Shield Private Spaces, Shield Private Dynos, Shield Connect, Shield Private Postgres, and Apache Kafka on Heroku Shield 

Intelligent Form Reader, but only for the HIPAA Covered Services identified herein

IoT Explorer

Mulesoft Services presently branded as Anypoint Runtime Manager, Anypoint Monitoring, Anypoint MQ, Anypoint Object Store v2 and Anypoint Security 

Nonprofit Cloud Case Management, but only when provisioned on Salesforce first party infrastructure

Quip Services presently branded as Quip Starter, Quip Enterprise, Quip for Salesforce, Quip Virtual Private Cloud, Quip Mobile, and Quip Live App Platform

Sales Cloud

Salesforce CDP (formerly branded as Customer 360 Audiences)

Salesforce Maps Services (presently branded as Salesforce Maps, Salesforce Maps Advanced, Territory Planning, and Live Tracking)

Salesforce Mobile app

Salesforce Order Management

Salesforce Private Connect

Service Cloud (including Field Service (formerly branded as Field Service Lightning) and Live Agent)

Site.com

Surveys

Tableau CRM (formerly branded as Einstein Analytics)

Vlocity Health package, but only when provisioned on Salesforce first party infrastructure