Does my CRM need to be HIPAA compliant?
Healthcare has been at the forefront of technology adoption for several decades now, so it should come as no surprise that they've also become early adopters of cloud-based systems like Salesforce's Chatter, Microsoft Dynamics GP (now called Dynamics 365), Oracle Ease 10g, etc. But these are just some examples — there are dozens more in this list alone. And while many companies have adopted new technologies with ease and grace, healthcare organizations are still struggling to adopt technology in general. There are numerous reasons why, but one major obstacle stands out above all others — HIPAA compliance.
HIPAA was enacted by Congress back in 1996 in an effort to improve patient privacy and data security across health care providers nationwide. While HIPAA originally focused on protecting electronic medical records from unauthorized access or disclosure, today HIPAA covers much broader territory. In fact, if you're using any sort of computerized record keeping system such as a Customer Relationship Management (CRM) solution, then you may find yourself falling under its purview. Here we'll take a look at what exactly HIPAA considers "electronic transactions" and whether your current CRM can handle those requirements. Let's start with why HIPAA exists...
The original intent of HIPAA was to prevent third parties from accessing private information about patients without their knowledge. The law states, "No payment shall be made to secure information divulged pursuant to [the Act] unless consent is informed." However, HIPAA does not protect against unencrypted personal information. For example, if I were to ask you for your social security number, driver’s license number, birthdate, mother's maiden name, pet names, phone numbers, address, email, street view, house/apartment details, family members' full names, spouse’s date of birth, children’s dates of birth, father’s occupation, children’s ages when they began school, pets' names, etc., would you feel comfortable giving me that information? If not, chances are pretty good that HIPAA won't do anything to help you get rid of your paper files! So let's move forward assuming that you don't want to store sensitive information electronically either.
So how should a business comply with HIPAA? Well, here's where things get tricky. When most people think of HIPAA, they automatically assume that they must implement a comprehensive program designed specifically to meet HIPAA standards. Unfortunately, that isn't always true. According to the U.S. Department of Health & Human Services Office for Civil Rights, "[t]he HIPAA Privacy Rule requires covered entities to maintain safeguards appropriate to the nature of the information being collected, including administrative, technical and physical safeguards." It goes on to state that "Covered entities must ensure that protected health information remains confidential except to the extent necessary to carry out specific duties required by federal civil rights laws..."
As such, HIPAA often places responsibility for ensuring confidentiality onto other parts of the organization rather than requiring them to create entirely separate systems. As long as you know your responsibilities within the context of your own company policies and procedures, HIPAA shouldn't cause too much trouble. We recommend looking at our previous post regarding HIPAA Compliance Best Practices, which will give you a better idea of how to proceed.
With that said, the question becomes: "Does my existing CRM platform fit within the scope of 'protecting the privacy of individually identifiable health information'?" To answer this question, we first need to understand what HIPAA defines as "individually identifiable health information", or IHI. According to HHS OCR, IHI includes the following categories:
· First Name
· Last Initial
· Middle Initial
· Date of Birth
· Sex
· Social Security Number
· Identifier assigned to individual in the case file
· Patient Identification Number
· Extension(s) of Patient Identifier
· Diagnosis Codes
· Procedure Codes
· Billing Information
In addition, according to Section 164.514(a)(1), IHI means "any distinct identifier used by, or reasonably derived from, an entity... to identify an individual who had an established relationship with the covered entity...." With these definitions in mind, let's break down each category to see how your current CRM fits within the realm of IHI. First off, if you currently utilize contact management tools such as Outlook, Gmail, Google Contacts, LinkedIn, Facebook Connect, Twitter, etc., then yes, those platforms fall squarely within the definition of IHI. Many of these services already require users to provide certain personal identifiers before granting permission to connect accounts, and therefore these connections qualify as having an established relationship with the user.
However, if you haven't connected your account to another service yet, or you simply prefer to keep your contacts stored locally, then your local database doesn't necessarily count as IHI because it hasn't been linked to anyone yet. Additionally, many vendors offer "social media connectors" which allow you to import your online friends lists directly into your CRM. Since these networks make up public profiles which contain personal information, they certainly could be considered part of your "established relationships" with individuals. But again, since your CRM only imports publicly available data, it wouldn't technically constitute IHI until you actually link it to someone else's account. That said, you might consider linking your customers' profile pictures to their corresponding customer IDs thereby incorporating their photos into what amounts to an "individual ID". For instance, John Smith's photo could appear next to his ContactID #123456789.
On top of that, remember that even though HIPAA applies to both internal employees and external clients, the privacy rule itself refers to "an individual" five times throughout the text. Therefore, if you share an employee login ID with multiple people, then those particular logins definitely would be classified as "identifiers" subject to HIPAA guidelines. Your HR department probably handles this issue differently depending on your industry; however, if you work for a large corporation with lots of different departments involved in interacting with customers, this could very well apply to you.
Finally, although HIPAA compliance is generally handled by IT personnel, sometimes end users themselves may be responsible for making sure their own solutions stay HIPAA Compliant. For example, if you run a practice and accept credit card payments over the counter, you likely aren't concerned about HIPAA compliance since you never touch the cards. Likewise, if you sell products through Amazon Marketplace, you probably don't worry about HIPAA since you never receive Personally Identifiable Information (PII). Also, if you use Google AdSense to display ads on your website, you probably don't worry about HIPAA since you don't collect PII. On the flip side, if you run a business that takes orders via eBay, PayPal, Stripe, Square, 2Checkout, Braintree, Authorize.net, Paypal Pro, etc., then you absolutely must follow HIPAA guidelines. You're collecting PII every time someone submits an order.
If you answered "yes" to any of these questions, then congratulations! Now comes the hard part - finding a suitable replacement. Are you ready to upgrade?
Healthcare apps are a hot topic of conversation right now, especially when it comes to improving patient safety (e.g., preventing medication errors). And with good reason: healthcare has been plagued by serious issues like infections from unsterile medical devices, prescription drug overdoses, etc. In addition, many people have fallen victim to identity theft in recent years due to data breaches at major hospitals and other health care providers.
Given these risks, you may wonder if your cloud-based customer relationship management system needs to be certified as Health Insurance Portability and Accountability Act (HIPAA) compliant before any information can be shared or accessed. The answer is yes... but there are some exceptions. We'll cover all this important info below!
First things first... What exactly does HIPAA compliance mean anyway? According to the Department for Homeland Security's website: "The Privacy Rule was enacted on April 21, 2003 and went into effect on May 1, 2004. It applies both to existing systems and new ones that do not meet security standards." So basically, it means that your organization must take certain steps in order to protect patient records against unauthorized access, alteration, disclosure, and destruction. That includes ensuring that only authorized individuals have physical access to those records and training employees who handle protected health information about their duties and responsibilities regarding privacy laws.
Now that we know what HIPAA entails, let's talk about which popular CRMs qualify as being HIPAA compliant. There are three main players here: Microsoft Dynamics 365, Salesforce, and SAP SuccessFactors. If one of these platforms suits your business' unique requirements better than others, then you're probably safe using whichever platform works well within your environment. However, keep reading so you don't end up wasting time looking through endless lists of features. Here are each company's official certifications:
Microsoft Dynamics 365
According to an email received from Microsoft Dynamics general manager Mike LeBlanc, the following solutions are considered HIPAA-compliant:
Dynamics GP - A point-of-sale application.
Power BI Desktop - An enterprise analytics solution.
Office Online/Outlook Web App - Email service provider.
Azure AD & Office 365 Groups - Directory services.
Project Server 2016 - File shares.
There were no specific mentions made of Microsoft Dynamics NAV or Dynamics AX.
For Salesforce's part, its HIPAA compliance status depends upon whether or not your account uses SFDC Cloud Hub, S1Cloud, Lightning Experience, or Communities. Let's go over these options one by one:
SFDC Cloud Hub: All standard Salesforce applications pass HIPAA certification unless they contain sensitive financial or PII information. For example, if you use standard Lead Generation Forms, including Standard Name Plate Fields, Customer Portal, VF pages, Campaigns, Opportunities, Cases, Accounts, Contacts, and more, then you're fine without having to get special permission to store and share such sensitive data.
S1Cloud: Any app designated as S1Cloud will automatically become HIPAA-compliant since every page contains a link to an external site where you can find out about additional details related to your request. As long as the content isn't directly entered via text boxes, fields, menus, etc., then everything should fall under HIPAA exemption 3—which allows companies to collect and maintain personal information necessary for conducting day-to-day activities.
Lightning Experience: Lightning Experience users can rest easy knowing that it passes HIPAA certification because it doesn't allow customers to enter sensitive data directly via forms or tabs. Instead, Lightning Experience provides links to third party sites whenever needed.
Communities: Unfortunately, Communities won't make the cut here because they host user-generated content like FAQs, articles, blog posts, photos, videos, documents, images, etc. Since most of these items could potentially include private information, even though Community members aren't entering said information themselves, the risk still exists.
As far as overall Salesforce HIPAA compliance goes, if you see anything labeled as S1Cloud, then you're pretty much set. Beyond that, however, it gets trickier. For instance, say you want to create a form to send out bulk emails to current clients. You'll have to decide whether or not you want to save that form locally on your computer and edit it manually. Or would you rather rely on something like Sendable Forms, which lets you design custom contact forms quickly and easily? Both approaches carry different levels of risk depending on your particular situation. On top of that, if you'd like to integrate an API tool like Zapier, then you'll also run into problems because those tools require direct input from a user.
If you plan on doing either of these last two scenarios, then I recommend taking advantage of our free Salesforce course covering integration techniques with Zapier. Otherwise, consult with your IT department to see what your final decision will look like.
Since Chatter passed HIPAA certification back in 2015, it's safe to assume that any updates made after that date comply with HIPAA guidelines. But if you want to ensure that you stay covered regardless, just check the documentation inside Chatter itself. Specifically, scroll down to the section titled Your Data and Activity Settings.
Underneath Advanced settings, click on Manage Access Control Lists. From there, select Add New List and follow the prompts to name your list. Once done, hit Save Changes and you're all finished.
Once again, there weren't any specific mentions made of Service Cloud or Demand Center. If you used those products prior to June 6th, 2021, then you're safe to continue using them until further notice. After that date, however, you should start implementing proper security protocols.
You might've noticed above that we mentioned adding a new list specifically. Keep in mind that you can add multiple lists per Organization unit if desired. To delete a list, simply navigate to My Workspace > Lists > [Listname]. Then choose Delete Selected List.
Is Salesforce Pardot HIPAA Compliant?
Pardot recently announced its own version of HIPAA Compliance Certification, so you can feel confident in saying that it's HIPAA compliant too. Like Chatter, Pardot offers full control over access controls with customizable profiles. Additionally, Pardot integrates seamlessly with several third-party APIs, meaning that you can connect to lots of useful integrations while avoiding any potential pitfalls.
But wait, didn't we mention earlier that you shouldn't use integrated tools? Yes, but Pardot is slightly different. Unlike Chatter, Pardot doesn't provide users with access to raw data, nor does it give them the ability to post messages publicly. Furthermore, users can't change permissions or customize their profile views.
Instead, Pardot relies heavily on automation and machine learning algorithms to determine relevant communications based on past interactions between parties involved. When dealing with highly confidential information, this approach makes sense. Also worth mentioning is that Pardot supports multi-tenant environments, allowing organizations to separate their data across various accounts.
So why don't we consider Pardot fully HIPAA compliant? Because unlike Chatter, it lacks support for live chat functionality. While this feature isn't mandatory, it helps to facilitate real-time communication, particularly when working remotely. Lastly, there wasn't any mention of integrating with third parties, so that aspect alone might prevent us from giving it 100 percent.
That wraps up today's discussion on whether or not your favorite cloud-based CRM qualifies as HIPAA compliant. Now that you understand the ins and outs behind HIPAA compliance, hopefully you'll feel more comfortable making decisions moving forward. Don't forget to read our next blog post detailing how to implement HIPAA compliance into your workflow efficiently.
We hope you never experience a HIPAA breach or leak, but if you ever do, you'll definitely appreciate knowing immediately. With a little bit of foresight, you can avoid becoming another statistic. Stay vigilant by keeping track of your passwords and changing them regularly. Also, make sure you monitor phishing attempts.
And for anyone interested in finding out more about HIPAA, remember to visit the U.S. Government's HIPAA Website.
The Health Insurance Portability and Accountability Act (HIPAA) was introduced by Congress on August 1, 1996 as part of the Omnibus Budget Reconciliation Act. The act aimed at protecting personal health information from being misused or incorrectly used by those who are not authorized to access it. It also sought to improve efficiency among health care providers.
For an organization that handles sensitive data such as patient records, this can create many challenges. A good example would be when using paper-based systems for medical billing purposes. If these were lost or stolen, they would expose highly confidential information about patients and their physicians. On top of that, if there are no security measures in place to prevent unauthorized users from accessing this information, it could cause serious financial repercussions. An audit may find that certain accounts have been overbilled or underpaid, thereby putting the business in question. In addition, the loss or theft of electronic files containing protected health information can result in fines or even penalties imposed upon businesses.
In order to avoid any potential violations caused by a lack of proper protection, organizations must ensure compliance with HIPAA's privacy provisions. As you might expect, HIPAA compliance requires strict adherence to guidelines set forth by federal law. These include:
· Access control procedures which specify who has permission to view individual patient health information.
· Security safeguards like encryption technology, server audits, firewall monitoring and other methods designed to safeguard critical areas of confidentiality.
A good example of a company that successfully implemented HIPAA into its operations is Apple Inc., one of America’s largest computer companies. They use secure communication channels through encrypted emails and servers to maintain confidentiality during transmission. Their employees receive training regarding HIPAA's requirements so they know what steps to take once they handle private client information.
This article aims to answer whether your Customer Relationship Management (CRM) solution needs to comply with HIPAA. What is a HIPAA compliant CRM? Does your CRM need to become HIPAA Compliant? And finally, what should you do now to make sure it does? Let us start answering these questions.
What is a HIPAA compliant CRM?
As mentioned previously, in order to function smoothly, a CRM application needs to follow HIPAA standards. That means that all data transmitted via email and stored within the database should be fully secured and encrypted. For instance, whenever someone sends you an attachment via e-mail, it first passes through an encryptor before reaching you. Once received, you open the file using special programs only available to yourself. When uploading documents onto the CRM system, you should always attach them as attachments instead of embedding them directly into messages. Embedding allows others who have physical access to the hard drive where the document exists to see it without authorization. Also, never share logins or passwords for your account unless necessary.
If you want to get technical here, HIPAA defines "protected health information" as follows:
· PHI includes demographic/identifying information such as name, social security number, address, etc.;
· Protected Identifier Information refers to health insurance numbers assigned to individuals by insurers, including HMO IDs;
· Prescription Drug ID Numbers refer to drug identification numbers issued by pharmacies;
· Medical Device Identification Numbers identify devices implanted in humans;
· Mental Health Related Information includes diagnoses, treatment plans, prescriptions, referrals, etc.
With regards to HIPAA Compliance, there are three things you should look for in a CRM platform. First off, ask yourself why you need a HIPAA compliant CRM. Is it because you plan to expand internationally? Are you looking for a way to streamline workflow processes between multiple locations? Or maybe you just want to keep up with industry trends. Whatever the reason is, it is important that you choose a CRM specifically built to meet HIPAA standards. You don't want to end up having to spend hours trying to integrate a new product with your current environment. Ideally, you should select one that already incorporates HIPAA features right out of the box. Some vendors offer this but most require some customization depending on your specific needs.
Secondly, check to see if your chosen vendor supports two-factor authentication, multi-factor authentication, ISO 27018 certification, SSL certificates, and tokens. Multi-factor Authentication is essentially requiring more than one form of verification when logging into your account. Two-Factor Authentication uses both password credentials and biometric factors to verify user identity. Most often, this involves sending codes to cell phones or text message alerts sent to mobile apps. Tokens can come in different forms such as USB drives and smart cards. With tokenization, you can store 2FA keys securely while keeping them separate from your regular login details. ISO 27018 Certification ensures that the provider adheres to international standards for privacy practices. SSL Certificates protect communications between web browsers and websites against eavesdropping attacks. Support for FIPS 140-2 Level 2 validation is another indicator of high quality service and products offered by the company. Finally, it is worth noting that supporting PCI DSS compliance doesn't necessarily mean that your solution is HIPAA compliant. However, if it happens to pass the above tests then it is certainly better equipped to deal with HIPAA issues than non-compliant ones.
Lastly, consider the fact that HIPAA compliance comes down to ensuring that your entire infrastructure meets HIPAA Standards. After all, everything involved in transmitting electronic information must adhere to HIPAA's stringent policies. To help illustrate this point further, think back to when you send an e-mail. There is an underlying protocol that governs how it travels across networks. If you were to examine how long your message takes to reach its destination, you would probably notice that each packet contains an IP Address embedded within it along with numerous other identifiers. Your internet browser knows exactly how to route traffic based on this information. Similarly, when building a network, routers assign unique identifying labels to every node connected to it. Every device connected to the Internet receives instructions on how to communicate with other nodes based on this information. All of this occurs automatically behind the scenes without your knowledge. Likewise, any time your online banking session ends, the bank asks your router to update the table indicating where to forward future requests. Without the correct routing protocols in place, none of this would work properly.
So to summarize, we've discussed why you need a HIPAA compliant CRM and what you should look for in a HIPAA compliant CRM. Now let us explore how HIPAA affects existing customers and small businesses.
Small Businesses and Existing Customers - How HIPAA Affects Them
Let's say you're a small business owner who wants to upgrade your customer relationship management (CRM). According to statistics provided by Gartner Research, roughly 95% of SMBs fail to achieve their goals when it comes to improving productivity, profitability, managing risks, and gaining competitive advantage. So it shouldn't really surprise anyone that there isn't much literature written about how HIPAA affects smaller firms. But there are still a few things you should know. First off, HIPAA applies to everyone regardless of size or type of business. Second, you can't simply ignore HIPAA and hope it goes away. Any violation can lead to steep legal consequences ranging anywhere from fines to imprisonment. Third, if you run an established business, chances are you won't have to worry too much about complying with HIPAA since you're likely dealing with the same people day after day. Fourth, larger enterprises with hundreds or thousands of clients can easily afford to hire specialists to assist them in meeting HIPAA's requirements. Smaller businesses, however, usually rely solely on themselves to manage their own affairs. Hence, it becomes increasingly difficult for smaller companies to stay abreast of ever-changing laws and regulations. Fifth, HIPAA mandates that covered entities notify affected parties before changes occur. Those impacted must be given ample opportunity to opt out of coverage. Sixth, covered entities aren't allowed to disclose protected health information to third party contractors except in very limited circumstances. Lastly, if you are planning to merge or acquire another firm, you'll have to determine whether they fit into this category. Otherwise, you will have to renegotiate contracts with them to allow for sharing of data.