Before my time at Cloud for Good, I worked for a medical transcription company as a Microsoft Network Administrator. Soon into my role, HIPAA was introduced and I was also asked to serve as our HIPAA Security Officer. In discovering that new role and HIPAA regulations, I learned valuable lessons on the importance of information security that I have kept with me throughout my career in the Salesforce ecosystem.
With the wide-ranging consequences of last year’s Blackbaud breach still being felt by many across industries today, this breach was so devastating because Blackbaud was unable to say what exact data was touched. My previous position taught me that if you cannot pinpoint what exact data was accessed during a security breach, the assumption becomes that all data was accessed. These assumptions can carry serious consequences in organizations managing large amounts of personally identifiable information (PII), such as hospital foundations, even if they are not directly responsible for sourcing the patient information. Blackbaud customers were left with the incredibly daunting task of letting their donors, program participants, patients, and many others know that the information stored within their Constituent Relationship Manager (CRM) had been compromised.
Governance Surrounding the Healthcare Industry
Moments like these make me thankful to be in the Salesforce ecosystem. Salesforce security is constructed in such a way to prevent this kind of oversight and is uniquely positioned to assist our clients in meeting HIPAA and PHI security standards. We published a blog last month on how security impacts the nonprofit sector. Now, I would like to breakdown security in the healthcare sector and analyze how Salesforce can help empower their protection.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a national security standard protecting sensitive patient health information from being disclosed without the consent or knowledge of the patient. Via the HIPAA Privacy Rule, the individual’s medical records and other personal health information are protected, with these protections applied to health plans, health care clearinghouses, and health care providers that conduct health care transactions electronically. With these protections in place, HIPAA also ensures that all health information is allowed the flow needed to provide and promote high-quality health care and to protect the public’s health and well-being.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Similar to HIPAA, PIPEDA is Canada’s federal law protecting patient privacy. The main difference between these two acts is that PIPEDA applies to all personal data, not just the information collected from the healthcare industry. This means any personal information shared through electronic commerce requires the organization’s collection to protect the individual’s data privacy and obtain consent from the individual when they collect, use, or disclose that information. Keep in mind that this act only applies to commercial use, so nonprofits, charities, and associations with a political affiliation are not required to protect an individual’s information under PIPEDA. Even with that in mind, Salesforce and Cloud for Good always architect their solutions to ensure data privacy beyond the limits of local regulations.
Protected Health Information (PHI)
Digging deeper, the term Protected Health Information (PHI) refers to the health data created, received, stored, or transmitted by HIPAA-covered entities and their employees. This protected information, according to HIPAA Journal, relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. This refers directly to any information transmitted or maintained in electronic media or any other form or medium.
Personal Health Information Protection Act (PHIPA)
Protected health information is also uniquely protected in Canada through PHIPA. Similar, yet different, to PIPEDA, PHIPA’s purpose is to regulate the collection, use, and disclosure of personal health information through maintaining the confidentiality of individuals living within Ontario. PHIPA also applies to “health information custodians,” not just organizations involved in commercial activities. This means that health care practitioners, health service providers, hospitals, medical facilities, pharmacies, laboratories, and boards of health are all responsible for PHIPA compliance.
Safeguarding PHI with Salesforce
Here’s where Salesforce comes in: the PHI that sits within a system of electronic medical record (EMR) usually originates from that application as the source of truth. Salesforce, acting as the system of engagement receives and stores a copy of some of that data to be used in Health Cloud for patient experience communities, or Service Cloud for patient customer service, or by the hospital’s foundation for patient engagement and fundraising. This data can be susceptible from a security perspective during the integration, or the transfer of that data back and forth between the EMR and Salesforce, and again as it is stored in Salesforce; both scenarios must be accounted for.
System integration is often one of the first areas of a project where budget cuts are attempted to be made. Reducing an integration to an export of a flat file, saved centrally on a network, and then uploaded on a recurring basis to Salesforce may seem like a cost-saving solution, but the security risks may outweigh the cost of using a proper iPaaS solution like MuleSoft or Jitterbit. These beyond-ETL tools have their own security architectures to ensure appropriate user access and encryption of the data while being moved between applications.
Salesforce has taken great strides to ensure its HIPAA compliance. One of those strides includes the Salesforce Shield product. Salesforce Shield is an additional enhancement that helps to strengthen security, trust, transparency, compliance, and governance across your Salesforce organization. Several configurable settings for access permissions and requests exist within Salesforce Shield to ensure only those that absolutely need to see certain sensitive data are the ones accessing said data.
Cloud for Good client Duke Health, for example, utilizes a custom configuration to protect the nature of patient appointments. A user might go into their scheduling to see when an appointment takes place but, depending on the user’s access and permissions, they might not see what the appointment is for or who the patient is. Filters and routing rules help to protect patient information at every step of the process, ensuring that information is only provided to those on a need-to-know basis.
Using Salesforces Nonprofit Success Pack (NPSP), Duke Health Development and Alumni Affairs were both able to alleviate bottlenecks, improve collaboration, and ultimately raise more funds to support breakthroughs in lifesaving care.
With the right mindset and technology in place, we can protect the privacy of healthcare patients and help them build better relationships with their hospitals. The sanctity of security becomes increasingly important with each new technological innovation. Failing to maintain security and protect the information of our patients, students, and customers can result in lawsuits and hits to our reputation. More than that, however, it breaks down the trust our technology was designed to protect. There is no such thing as too much security nowadays, and Salesforce is leading the charge in creating peace of mind across industries and sectors.