Is Salesforce HIPAA Compliant? What Medical Practices Need to Know

Last updated: March 21, 2026

TLDR

Salesforce can support HIPAA compliance, but only on Professional, Enterprise, or Unlimited editions with an explicit Business Associate Addendum (BAA) request. Salesforce Essentials, Marketing Cloud, and AppExchange apps are not automatically covered. Even a BAA-covered Salesforce org handles CRM data — not the task management and compliance documentation that small clinics need separately.

The Short Answer

Salesforce can be HIPAA compliant, but the conditions are specific. You need Professional, Enterprise, or Unlimited edition of Sales Cloud or Service Cloud, and you need to explicitly request a signed Business Associate Addendum from Salesforce. Upgrading your plan does not automatically create compliance — the BAA is a separate step.

Salesforce Essentials does not qualify for a BAA at any price. If your practice is on Essentials and has patient data in the system, that is a compliance issue regardless of how little data is involved.

Which Salesforce Products Support HIPAA

Not all Salesforce products are treated equally under HIPAA.

Sales Cloud and Service Cloud can be covered by a BAA on Professional, Enterprise, and Unlimited editions. These are the standard CRM tiers most practices know. The BAA covers the core platform: contact records, cases, tasks, and the data stored within your Salesforce org.

Salesforce Health Cloud is purpose-built for healthcare. It includes HIPAA controls, patient timeline views, care coordination tools, and provider relationship management. A BAA is available. The starting price is approximately $300/user/month — a 5-provider practice with admin access is looking at $18,000 or more per year before any additional licenses.

Marketing Cloud is not automatically covered. Salesforce offers HIPAA-compliant configurations for Marketing Cloud through separate agreements, but standard Marketing Cloud accounts with patient contact information are not compliant. If your practice sends appointment reminders or health communications through Marketing Cloud, this needs separate review.

AppExchange apps are not covered by your Salesforce BAA. Each app installed in your org is a separate vendor. If an app processes, stores, or transmits PHI, you need to evaluate and potentially sign a BAA with that app’s vendor independently.

The BAA Process

Salesforce does not automatically present a BAA at signup. You need to request one. The process typically involves contacting your Salesforce account executive or customer success manager, or going through Salesforce’s HIPAA compliance documentation portal.

Once in place, the BAA specifies which products and features are covered, what Salesforce’s obligations are for safeguarding PHI, and what your practice’s obligations are on your end — including things like access controls, user authentication, and data retention policies.

A signed BAA does not mean your Salesforce configuration is automatically compliant. It means Salesforce has agreed to its obligations as a business associate. You still need to configure your org appropriately: field-level security on sensitive data, audit trail logging, session settings, and user access controls.

What a Salesforce BAA Does Not Cover

The BAA covers your core Salesforce org. It does not extend to adjacent systems or workflows that touch your Salesforce data.

If a staff member exports a contact list from Salesforce into an Excel file and sends it via personal email, that PHI is now outside the BAA’s scope. If you’re using a third-party app from AppExchange to manage patient intake forms and that vendor hasn’t signed a BAA with you, that data path is not covered.

Marketing Cloud, Pardot, and other Salesforce products outside Sales/Service Cloud require their own compliance evaluation. The marketing team that added patient emails to a nurture campaign may not have known those emails needed to stay out of standard Marketing Cloud.

Task management is another gap. Salesforce cases and tasks can be used to track follow-up work, but Salesforce is not a HIPAA-compliant task management product in the sense a clinical practice needs. The BAA covers what’s in your CRM; it says nothing about a task list in Asana or a staff checklist in Notion that references patient names.

What Small Practices Actually Need

Most small practices that search “is Salesforce HIPAA compliant” are not running Salesforce already. They’re evaluating whether Salesforce could handle their patient relationship or referral tracking needs in a compliant way.

The honest answer: Salesforce at the qualifying tiers is expensive for a small practice, and the compliance configuration requires ongoing attention. Professional edition starts at approximately $75-80/user/month for basic CRM, before any HIPAA configuration work or third-party implementation support.

Salesforce Health Cloud at $300/user/month is a clinical-grade product that makes sense for mid-size health systems, but it is priced well above what a 5-physician independent practice can justify.

What small practices typically need is two separate tools: a CRM for managing referral pipelines and patient relationships (which may or may not be Salesforce), and a HIPAA-compliant task management tool for the operational work that runs between their EHR and their CRM. That second layer is where PHIGuard fits. We built it because practices kept running into the same gap: their CRM was covered or scoped out of PHI, but the administrative and compliance tasks that don’t fit in the EHR had nowhere to go. PHIGuard starts at $20/month flat for up to 10 staff with a BAA at every tier.

DEFINITION

Business Associate Addendum (BAA)
A HIPAA-required contract between a covered entity and a vendor that handles protected health information on its behalf. Without a signed BAA, using Salesforce with any PHI is a HIPAA violation.

DEFINITION

Salesforce Health Cloud
A purpose-built Salesforce product for healthcare organizations with HIPAA controls built in. Starts at approximately $300/user/month — significantly more expensive than standard Sales Cloud.

Q&A

Is Salesforce HIPAA compliant?

Salesforce is HIPAA compliant only on Professional, Enterprise, or Unlimited editions of Sales Cloud and Service Cloud, and only after a signed Business Associate Addendum is in place. Salesforce Essentials is not eligible. Salesforce Health Cloud includes HIPAA controls natively but starts at approximately $300/user/month.

Q&A

What Salesforce plan do I need for HIPAA?

You need Professional, Enterprise, or Unlimited edition of Sales Cloud or Service Cloud, plus a signed BAA obtained directly from Salesforce. Upgrading your plan without signing a BAA leaves you out of compliance. Salesforce Essentials has no BAA option and cannot be used with PHI.

Q&A

What does Salesforce not cover for HIPAA?

A Salesforce BAA covers the CRM platform itself — contact records, cases, and the data stored in your org. It does not cover AppExchange apps (each requires its own BAA evaluation), Marketing Cloud without a separate agreement, or the operational task management and compliance documentation that practices need alongside their CRM.

Want to learn more?

Is Salesforce HIPAA compliant?
Salesforce can be HIPAA compliant on Professional, Enterprise, and Unlimited editions of Sales Cloud and Service Cloud — but only after you explicitly request and sign a Business Associate Addendum (BAA) with Salesforce. Standard configuration without a BAA is not HIPAA compliant, and Salesforce Essentials is not eligible for a BAA at any price.
Which Salesforce plans support HIPAA?
HIPAA compliance is supported on Professional, Enterprise, and Unlimited editions of Sales Cloud and Service Cloud, with a signed BAA. Salesforce Essentials does not qualify. Salesforce Health Cloud is purpose-built for healthcare and includes HIPAA controls, but starts at approximately $300/user/month.
Do I need a BAA with Salesforce?
Yes. A Business Associate Addendum is required by HIPAA any time a vendor handles protected health information on your behalf. Without a signed BAA, using Salesforce to store or process any patient data — names paired with health conditions, appointment records, treatment notes — is a HIPAA violation regardless of which plan you are on.
What is Salesforce Health Cloud?
Salesforce Health Cloud is a purpose-built Salesforce product designed for healthcare organizations. It includes HIPAA controls, care coordination features, and patient data management capabilities. It is available with a BAA. The starting price is approximately $300/user/month, which puts it well out of range for most small and independent practices.
Does Salesforce replace a HIPAA-compliant task management tool?
No. Salesforce is a CRM platform — it manages contacts, opportunities, and patient or referral pipelines. It does not handle the operational task management that runs inside a clinical practice: staff task assignments, compliance checklists, follow-up tracking tied to patient cases. PHIGuard handles task management and compliance documentation at $20/month flat for up to 10 staff, with a BAA included at every tier.