HIPAA is the Health Insurance Portability and Accountability Act of 1996. The main documentation about the law is on the U.S. Department of Health and Human Services web site.
HIPAA deals with patient data within health care. Patient data must be protected at all times, and there can be huge fines, in the millions of dollars, for breaches of the security of this data. Just one HIPAA violation could destroy a relationship with a trusted client. In dealing with patient data, you must be constantly aware of this law. Here are eighteen types of patient data identifiers that are protected under HIPAA.
1) Names
2) Postal Address
3) All elements of date except year
4) Telephone number
5) Fax number
6) Email Address
7) URL Address
8) IP Address
9) Social Security Number
10) Account Numbers
11) License Numbers
12) Medical Record Number
13) Health Plan Beneficiary Number
14) Device Identifiers and Serial Numbers
15) Vehicle Identifiers and Serial Numbers
16) Biometric Identifiers (finger and voice prints)
17) Full face photos and other comparable images
18) Any other unique identifying number, code or characteristic
This seems like a lot of different kinds of data, but the main point to keep in mind is that if a piece of data could potentially tie a patient to some type of medical record, then it is protected. Always err on the safe side and assume it is HIPAA data.
So what are some ways to protect this data in relation to Salesforce?
1) Within Salesforce.
Here is the link to Salesforce’s web site referencing health care. A more specific link from Salesforce regarding privacy laws like HIPAA is here. Salesforce is saying that it is providing a platform that can protect HIPAA data with the correct processes in place. Within Salesforce, fields can be encrypted so that only users with specific permissions can see the unencrypted data. Custom encryption routines could also be put in place depending on the requirements of the project. Here is a fifty-minute YouTube video explaining HIPAA and HITECH compliance with Salesforce.
2) Integrations with Salesforce.
If data needs to move between Salesforce and another system through an integration, make sure that the connecting pieces are also compliant. If you are just moving your data to Salesforce directly from a local database, then you are all set, because the Salesforce APIs are all password/token secured and run over SSL. Custom encryption routines could also be added to both sides of an integration for even more security.
3) Local HIPAA data downloaded from Salesforce.
If data is brought down to a local computer, then this data should be encrypted so that if the local computer were lost or stolen, the data could not be accessed. Sometimes a health-care company will even provide encrypted hard drives to consulting companies to help with this data protection.
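As an added example (not code from the original post or from Salesforce), here is a small Python scanner that checks rows of a Salesforce-style export for the identifier types in the HIPAA list above, so that a report can be reviewed before it is copied to a local machine where it would need to be encrypted. The custom field names ending in `__c` and the sample rows are constructed for the example, not taken from any real org.

```python
import re

# Value patterns for the machine-checkable identifiers in the HIPAA list above.
# They are deliberately broad: a false positive costs a second look,
# a miss costs an unprotected export.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # any date element more specific than the year
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
}

# Fields that are identifiers by definition, whatever they contain.
# The __c names are assumed custom fields, not Salesforce standard fields.
PHI_FIELDS = {"Name", "MailingStreet", "MedicalRecordNumber__c",
              "HealthPlanBeneficiary__c", "DeviceSerialNumber__c"}


def find_identifiers(record):
    """Map each field of one export row to the identifier types found in it."""
    hits = {}
    for field, value in record.items():
        value = value or ""
        kinds = []
        if field in PHI_FIELDS and value:
            kinds.append("named_identifier")
        kinds += [k for k, p in PHI_PATTERNS.items() if p.search(value)]
        if kinds:
            hits[field] = kinds
    return hits


def records_needing_protection(records):
    """Indexes of rows that must be encrypted (or stripped) before download."""
    return [i for i, row in enumerate(records) if find_identifiers(row)]


# Constructed sample rows shaped like a Salesforce Contact export (not real data).
SAMPLE_EXPORT = [
    {"Name": "Pat Example", "Phone": "(555) 010-0199",
     "Email": "pat@example.com", "MedicalRecordNumber__c": "MRN-0001"},
    {"Name": "", "Phone": "", "Email": "", "MedicalRecordNumber__c": "",
     "Description": "Visit on 2023-04-05 from 203.0.113.7"},
    {"Name": "", "Phone": "", "Email": "", "MedicalRecordNumber__c": "",
     "Description": "Aggregate count: 42 patients in 2023"},
]
```

Only the third row, a year-level aggregate with no other identifier, passes; free-text fields like Description are where identifiers most often slip into an otherwise "clean" report.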
Another image that is helpful when thinking about HIPAA patient data is the parent-child relationship concept. First, recognize when you have patient data, just as you recognize when a child is in your care. As soon as you recognize that you have patient data, you are in charge of taking care of that data until it is passed on to someone else. Just as a child is dependent on a parent, the HIPAA data is dependent on its owner to keep it safe.