
Does Salesforce Sign a HIPAA Business Associate Agreement?

By BAA Generator Editorial  ·  Published Apr 19, 2026  ·  Last reviewed Apr 19, 2026

Key Takeaways

Direct answer: Yes — Salesforce signs a HIPAA Business Associate Agreement, but coverage is product-specific. Health Cloud is Salesforce's purpose-built HIPAA-eligible product. Standard Sales Cloud, general Marketing Cloud, and AppExchange apps each require separate BAA assessment. Always verify current terms directly with Salesforce before processing PHI.

Which Salesforce Products Are Covered Under a HIPAA BAA?

Not all Salesforce products carry the same HIPAA eligibility. The following table summarizes coverage as of 2026:

| Salesforce Product | HIPAA BAA Available? | Notes |
|---|---|---|
| Health Cloud | Yes | Purpose-built for healthcare; BAA standard in contract |
| Marketing Cloud (Healthcare) | Yes (with addendum) | Requires HIPAA addendum; not default |
| Service Cloud (healthcare-configured) | Yes (case-by-case) | Must be evaluated and configured for healthcare |
| Sales Cloud (standard CRM) | No (default) | Not covered without Health Cloud layered on top |
| AppExchange apps | Separate evaluation required | Each ISV app needs its own BAA assessment |
| Tableau (Salesforce) | Varies | Contact Salesforce for current status |
| Slack (Salesforce) | Yes (Enterprise Grid) | Covered under Slack's own HIPAA compliance program |

What Is Salesforce Health Cloud?

Salesforce Health Cloud is a patient relationship management platform built specifically for healthcare organizations — including hospitals, health systems, payers, and life sciences companies. It extends the Salesforce CRM platform with healthcare-specific data models (patient records, care plans, provider networks) and is designed from the ground up to support HIPAA compliance.

Key capabilities include patient timeline views, care team coordination, referral management, and integration with EHR systems via HL7 FHIR APIs. Because PHI flows through Health Cloud by design, Salesforce includes BAA provisions when customers purchase and configure it.

If your organization needs CRM capabilities for healthcare — managing patient relationships, outreach, or care coordination — Health Cloud is the correct Salesforce product, not standard Sales Cloud.

How to Get a HIPAA BAA from Salesforce

Salesforce's BAA process is not self-service. Unlike some vendors (Google Cloud, AWS) where you can accept a BAA online, Salesforce requires you to work through a negotiated agreement. Here is the typical process:

Because the Salesforce BAA is negotiated, larger organizations may have the ability to request modifications to standard terms. Smaller organizations will typically receive a standard BAA addendum with limited room for negotiation.

Does Standard Salesforce CRM Require a BAA?

This is a common point of confusion for healthcare organizations that already use standard Salesforce Sales Cloud and later begin handling PHI.

Standard Sales Cloud does not have a HIPAA BAA by default. If you store patient names linked to diagnoses, appointment history, or other PHI in a standard Salesforce org — without Health Cloud and a BAA in place — you are likely in violation of HIPAA's Business Associate Agreement requirements.

The critical question is: is the data you store in Salesforce actually PHI? If you store only basic contact information without any health-related linkage, a BAA may not be required. But if Salesforce holds patient names alongside any health-related information (appointment type, condition, insurance ID), a BAA is required and standard Sales Cloud is not the right product.

AppExchange Apps and Third-Party Integrations

One often-overlooked area: if you use any AppExchange marketplace apps in your Salesforce environment, each third-party application is a separate potential business associate. Salesforce's BAA covers Salesforce's own services — it does not extend to ISV (independent software vendor) apps installed from AppExchange.

For every AppExchange app that processes PHI in your org, you must independently verify whether that vendor signs a BAA and execute one with them. This is true even if the app is "built on Salesforce."

For a broader look at which vendors sign HIPAA BAAs, see our vendor BAA lookup guide.

Frequently Asked Questions

Does Salesforce sign a HIPAA BAA?

Yes — Salesforce signs a HIPAA BAA for Health Cloud, Marketing Cloud (with HIPAA addendum), and Service Cloud when configured for healthcare use cases. Standard Sales Cloud CRM is not covered under a BAA by default. Contact your Salesforce Account Executive to initiate the BAA process.

Does standard Salesforce CRM require a BAA for healthcare?

If your standard Salesforce CRM stores any protected health information — patient names linked to health-related data — a BAA is required and standard Sales Cloud is not appropriate without Health Cloud and a properly executed BAA. Evaluate your data carefully with legal counsel.

How do I get a HIPAA BAA from Salesforce?

Contact your Salesforce Account Executive. Salesforce's BAA addendum is a negotiated document executed alongside your Order Form or Master Subscription Agreement. It is not available as a self-service click-through document.

Is Salesforce Health Cloud HIPAA compliant?

Health Cloud is designed for HIPAA-covered healthcare organizations and BAA execution is standard in Health Cloud contracts. However, HIPAA compliance is a shared responsibility — you must also configure Health Cloud properly, train your staff, and maintain your organization's own HIPAA safeguards.

Note: Vendor BAA policies change. Verify current terms directly with Salesforce before making compliance decisions.
