
Is Salesforce HIPAA Compliant? Yes — Only Health Cloud + BAA (2026)

Salesforce signs a BAA for Health Cloud and select Enterprise editions only. Sales Cloud, Service Cloud, and Marketing Cloud are not HIPAA-eligible by default. Here is the configuration you need.

Patient Protect Editorial Team·May 6, 2026·8 min read

Salesforce can be HIPAA compliant, but only on specific products with a signed Business Associate Agreement (BAA). Most Salesforce editions — including Sales Cloud, Service Cloud, and Marketing Cloud out of the box — are not HIPAA-eligible by default. Salesforce Health Cloud, built specifically for healthcare workflows, is the platform tier explicitly designed to support PHI when paired with a BAA.

The distinction matters because Salesforce is one of the most widely deployed CRMs in the world, and many healthcare practices adopt it for general business workflows before realizing that handling PHI on the wrong edition violates both HIPAA and Salesforce's own terms.

Here is what is covered, what is not, and how to configure Salesforce for HIPAA-compliant healthcare workflows.

Which Salesforce Products Are HIPAA-Eligible?

Salesforce will sign a BAA only for specific products and editions. The HIPAA-eligibility question depends on three things: the product line, the edition tier, and whether you have explicitly contracted for a BAA.

Salesforce Health Cloud — purpose-built for healthcare and life sciences. Health Cloud is the flagship HIPAA-eligible product with native support for patient records, care plans, provider relationships, and clinical workflows. A BAA is available on Enterprise, Unlimited, and Performance editions.

Sales Cloud and Service Cloud (Enterprise+ editions) — eligible for a BAA on Enterprise, Unlimited, and Performance editions when contracted with Salesforce. Standard and Professional editions are not HIPAA-eligible.

Salesforce Platform — eligible on Enterprise+ tiers when bundled with the appropriate contract. Useful for custom healthcare applications built on the underlying platform.

Marketing Cloud — generally not HIPAA-eligible. Salesforce historically does not sign BAAs for Marketing Cloud, and using it to send PHI-containing communications is a contractual violation. Marketing Cloud Account Engagement (formerly Pardot) is also not HIPAA-eligible.

Pardot, Tableau, MuleSoft, Slack — each has its own BAA status that must be evaluated independently. Slack signed a BAA for Enterprise Grid customers after Salesforce's acquisition; Tableau and MuleSoft have their own healthcare contracting processes. Do not assume blanket coverage just because the parent company is Salesforce.

The practical rule: you need an explicit, written BAA for the specific Salesforce product you intend to use with PHI. The presence of a Salesforce contract — even a large one — does not automatically include a BAA.

What Salesforce Provides for HIPAA Compliance

When you deploy Salesforce on a HIPAA-eligible product with a signed BAA, the platform offers a substantial set of compliance-relevant features.

Encryption at rest and in transit. All HIPAA-eligible Salesforce products encrypt data in transit using TLS 1.2 or higher and offer encryption at rest. Salesforce Shield Platform Encryption adds field-level encryption controls for highly sensitive fields, with customer-managed key options on premium tiers.

Granular role-based access control. Salesforce's permission model supports role hierarchies, profiles, permission sets, sharing rules, and field-level security — enough granularity to enforce minimum-necessary access for clinical and administrative roles.

Audit logging. Salesforce Shield includes Event Monitoring, which captures detailed logs of user actions, API calls, login events, and report exports. This satisfies the audit control requirements of the HIPAA Security Rule when properly configured and retained.

Multi-factor authentication. MFA is mandatory for all Salesforce users as of 2022 and is fully supported across HIPAA-eligible products.

Data residency and isolation. Customer data is logically isolated within Salesforce's multi-tenant architecture. Health Cloud customers can specify data center regions for data residency requirements.

Health Cloud-specific data models. Health Cloud provides standard objects for patients, providers, care plans, and clinical encounters — data structures that match HIPAA's PHI definitions and reduce the risk of misclassifying patient data in custom fields.

What Salesforce Does Not Do

Salesforce provides infrastructure and a configurable platform. The compliance program around it is your responsibility.

Salesforce does not classify your PHI for you. If your team enters protected health information into a custom text field on Sales Cloud Standard, Salesforce does not know that field contains PHI. The platform cannot enforce data-handling rules on data it does not know is sensitive. You must build the data model intentionally.

Salesforce does not perform your risk assessment. A BAA covers Salesforce's obligations as a business associate. Your obligations as a covered entity — risk analysis, policies, training, incident response — are entirely yours.

Salesforce does not prevent you from using non-eligible products with PHI. Nothing in the platform stops a marketer from uploading a patient list into Marketing Cloud or syncing PHI into a non-eligible Pardot integration. The compliance failure is yours, not Salesforce's.

Salesforce does not validate your integrations. Most Salesforce deployments connect to email systems, billing platforms, EHRs, and other CRMs. Each integration creates a data flow that needs its own BAA evaluation. Salesforce does not audit your AppExchange installs or your custom API connections for PHI exposure.

Salesforce does not train your staff. Workforce training on PHI handling, role-based access, and breach response is a HIPAA administrative safeguard. Salesforce can support training enforcement through permission gates, but it does not deliver the training itself.

Common Mistakes Practices Make with Salesforce

Storing PHI on Sales Cloud Professional or Service Cloud Professional. These editions are below the HIPAA-eligibility threshold. A BAA is unavailable. Practices often start on Professional, accumulate patient data, then face a costly migration when they realize the gap.

Using Marketing Cloud for patient outreach. Sending appointment reminders, refill notifications, or care campaigns through Marketing Cloud puts PHI in a non-eligible product. Even a "first name + appointment date" combination is PHI when the sender is a healthcare provider.

Assuming a parent contract covers everything. A signed BAA for Sales Cloud Enterprise does not cover Marketing Cloud, Pardot, Tableau, or MuleSoft. Each product line requires its own BAA review.

Loading PHI into AppExchange apps without verifying their BAA status. Many third-party AppExchange apps integrate with Salesforce data but operate as separate vendors. Some have BAAs, most do not. Installing one and connecting it to PHI without verification is a common silent compliance failure.

Using Reports and Dashboards that aggregate PHI. Salesforce reports can export PHI to CSV. Dashboards can be embedded in tools without HIPAA coverage. These export paths often go unmonitored until an audit surfaces the gap.

Storing PHI in custom note fields, attachments, or Chatter posts. Free-text fields and Chatter feeds can accumulate PHI in unstructured form, which makes encryption, access control, and retention policies much harder to apply consistently.

How to Configure Salesforce for HIPAA Compliance

Configuration is where the actual compliance work happens. These are baseline settings, not optional.

  • Sign the BAA for the specific products you will use. Contact Salesforce account management before any PHI enters the system. The BAA must cover every Salesforce product touching PHI — Health Cloud, Sales Cloud, Platform, etc.
  • Restrict your edition selection. Use Enterprise, Unlimited, or Performance editions only. Standard and Professional editions cannot be made HIPAA-eligible regardless of configuration.
  • Enable Salesforce Shield. Shield's Platform Encryption, Event Monitoring, and Field Audit Trail are the building blocks for HIPAA-grade encryption and audit logging. Shield is a paid add-on and is required for serious healthcare deployments.
  • Configure field-level security on every PHI field. Restrict access by profile, role, and permission set. Audit the configuration regularly.
  • Lock down report and dashboard exports. Disable export permissions for any role that should not be able to extract PHI in bulk. Use Event Monitoring to flag suspicious export activity.
  • Audit AppExchange installs and integrations. Maintain a registry of every connected app with PHI access. Each one needs a BAA or must be removed from PHI-handling workflows.
  • Disable Chatter for PHI-handling teams or implement strict moderation. Chatter posts and feed comments are easy places for PHI to leak unintentionally.
  • Review Marketing Cloud and Pardot configurations. If they are connected to Salesforce data, ensure no PHI fields are syncing. Use field-level permissions to enforce this at the data model level.
  • Configure session security and IP restrictions. Require MFA for all users, set short session timeouts, and restrict logins to known network ranges where appropriate.
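One way to act on the export-monitoring and network-restriction items above, as an added example that is not Patient Protect's or Salesforce's code: a small Python pass over constructed Event Monitoring rows that flags report exports by users outside the export-authorized set, from outside the practice's trusted IP range, or above a bulk row threshold. The column names, user IDs, network range and threshold are all assumptions made for the example.

```python
import csv
import io
import ipaddress

# Constructed sample rows shaped like an Event Monitoring EventLogFile export for the
# ReportExport event type. Column names are assumptions for this example; check them
# against your org's real EventLogFile schema before using this on production logs.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,REPORT_ID_DERIVED,ROW_COUNT
ReportExport,20260506143000.000,005xx000001A1,203.0.113.10,00Oxx0000001,42
ReportExport,20260506143500.000,005xx000001B2,198.51.100.7,00Oxx0000002,18000
Login,20260506143600.000,005xx000001C3,203.0.113.55,,0
ReportExport,20260506144000.000,005xx000001C3,203.0.113.55,00Oxx0000003,250
ReportExport,20260506144500.000,005xx000001A1,203.0.113.10,00Oxx0000004,12
"""

# Assumed policy inputs (constructed): the practice's office network range, the users
# whose permission set legitimately grants report export, and the row count above
# which a single export is treated as bulk extraction of PHI.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
EXPORT_AUTHORIZED_USERS = {"005xx000001A1"}
BULK_ROW_THRESHOLD = 1000

def parse_event_log(text):
    """Parse EventLogFile CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def ip_is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True when the client IP falls inside one of the trusted network ranges."""
    return any(ipaddress.ip_address(ip) in net for net in networks)

def flag_report_exports(rows, authorized=EXPORT_AUTHORIZED_USERS,
                        networks=TRUSTED_NETWORKS, threshold=BULK_ROW_THRESHOLD):
    """Return one finding per ReportExport row that breaks at least one export rule."""
    findings = []
    for row in rows:
        if row["EVENT_TYPE"] != "ReportExport":
            continue  # logins and other event types are out of scope here
        reasons = []
        if row["USER_ID"] not in authorized:
            reasons.append("user not authorized to export")
        if not ip_is_trusted(row["CLIENT_IP"], networks):
            reasons.append("export from outside trusted network")
        if int(row["ROW_COUNT"]) >= threshold:
            reasons.append("bulk export above row threshold")
        if reasons:
            findings.append({"timestamp": row["TIMESTAMP"], "user": row["USER_ID"],
                             "report": row["REPORT_ID_DERIVED"], "reasons": reasons})
    return findings
```

Running `flag_report_exports(parse_event_log(SAMPLE_LOG))` on the constructed rows returns two findings: the 18,000-row export from an unauthorized user on an outside network, and the 250-row export by a user without export authorization.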

Where Salesforce Fits in Your Compliance Program

Salesforce is a single vendor in your data ecosystem. The compliance program must account for everything Salesforce connects to — EHR integrations, marketing automation, analytics tools, AppExchange apps, custom integrations, and email systems. Each connection is a data flow that needs evaluation.

A BAA with Salesforce covers what Salesforce does. It does not cover what your integrations do, what your custom code does, or what your team enters into the system. The compliance program manages all of that.

Patient Protect maps your full data flow, tracks every vendor BAA, and monitors configurations across your tech stack — including Salesforce — to identify gaps before they become enforcement actions.

Frequently Asked Questions

Is Salesforce Health Cloud HIPAA compliant?

Yes — when deployed on Enterprise, Unlimited, or Performance editions with a signed BAA. Health Cloud is purpose-built for healthcare workflows and includes native data models for patients, providers, and care plans. The BAA must be explicitly contracted; it is not automatic with the Health Cloud purchase.

Is Sales Cloud HIPAA compliant?

Sales Cloud is HIPAA-eligible only on Enterprise, Unlimited, or Performance editions with a signed BAA. Sales Cloud Standard and Professional are not HIPAA-eligible and cannot be configured to be compliant. If your practice uses Sales Cloud Professional with patient data, you have a compliance exposure that requires either an edition upgrade or a migration.

Can I use Salesforce Marketing Cloud for HIPAA-covered communications?

Generally no. Salesforce does not sign BAAs for Marketing Cloud or its related products (Account Engagement, formerly Pardot). Sending appointment reminders, marketing communications, or any PHI-containing message through Marketing Cloud violates Salesforce's terms and creates regulatory exposure. Use a HIPAA-eligible communication platform with a BAA instead.

Does the Salesforce BAA cover AppExchange apps?

No. Each AppExchange app is a separate vendor with its own contract. A BAA with Salesforce does not extend to third-party apps installed from AppExchange — even if the app integrates tightly with Salesforce data. You must evaluate each app's BAA status independently.

Is Salesforce Shield required for HIPAA compliance?

Salesforce Shield is not strictly required by HIPAA, but it provides the encryption, audit logging, and field tracking capabilities that satisfy the technical safeguards of the Security Rule in a way that is significantly easier to demonstrate during an audit. For most healthcare deployments, Shield is the practical baseline.

Does signing a BAA make my Salesforce instance HIPAA compliant?

No. The BAA is a contractual prerequisite. Compliance comes from configuration, access controls, audit logging, training, and ongoing monitoring. A BAA without proper configuration is a paper shield — it documents responsibility but does not prevent breaches.
