HIPAA & BAA · CRM
Is Salesforce HIPAA compliant?
Conditionally. Salesforce will sign a BAA for its HIPAA-eligible services (notably Health Cloud and the Enterprise edition of Sales Cloud and Service Cloud), but not for products such as Marketing Cloud or Pardot. The BAA must be in place before any PHI enters the platform.
Key facts
- BAA available: Conditionally — on specific plans
- What it takes: a BAA is available for HIPAA-eligible products (notably Health Cloud, and the Enterprise edition of Sales/Service Cloud); request it through your account representative. Marketing Cloud, Pardot, and editions below Enterprise are not eligible.
- Official source: Salesforce Compliance — HIPAA — https://compliance.salesforce.com/en/categories/hipaa (verified 2026-06)
How to use Salesforce in a HIPAA-compliant way
- Contact your Salesforce account representative to request Salesforce's Business Associate Addendum (its BAA) and confirm it covers every HIPAA-eligible product and org you intend to hold PHI in.
- Use a HIPAA-eligible product/edition such as Health Cloud or an Enterprise edition of Sales/Service Cloud for PHI.
- Execute the BAA before storing or processing any PHI.
- Configure the technical safeguards yourself: encryption in transit (TLS) and at rest for fields that will hold PHI (for example via Salesforce Shield Platform Encryption), least-privilege access through profiles, permission sets, field-level security and sharing rules, activity monitoring and audit logging (for example Shield Event Monitoring and Field Audit Trail), and an incident-response process that covers breach notification.
- Keep PHI out of non-eligible products like Marketing Cloud and Pardot.
Important caveats
- Not all editions/products are HIPAA-eligible; confirm which of your specific Salesforce services the BAA covers.
- Marketing Cloud and Pardot are excluded, so marketing automation with PHI is a common pitfall: syncing contact or lead records that carry clinical details (diagnoses, appointment types, treatment status) into a campaign tool moves PHI outside the BAA's coverage.
- The BAA alone does not make you compliant. The HIPAA Security Rule (45 CFR 164.308(a)(1)) still requires your own documented risk analysis and risk-management program, and the platform must actually be configured to enforce the safeguards the BAA assumes.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Salesforce correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Salesforce.
Frequently asked questions
Does Salesforce sign a BAA?
On specific plans. A BAA is available for HIPAA-eligible products (notably Health Cloud, and the Enterprise edition of Sales/Service Cloud); request it through your account representative. Marketing Cloud, Pardot, and editions below Enterprise are not eligible. A signed BAA is required before any PHI is involved.
Is Salesforce HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Salesforce offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Salesforce with PHI?
Not all editions/products are HIPAA-eligible; confirm which of your specific Salesforce services, editions, and orgs the BAA covers, that the BAA is executed before PHI is entered, and that encryption, access controls, and audit logging are configured on the fields and objects that will hold PHI.