Our security audit team is concerned about any PHI data being used in our Salesforce instance. Client data such as name and email address are considered protected health information (PHI) under HIPAA, so we'd have some additional legal compliance steps to take if I can't set them up in a way that ensures separation from PHI.
Our Health Cloud instance uses person accounts. The name of the individual leverages the Account Name field, which cannot be blocked or hidden from users. We are finding that many of the standard Salesforce fields that are required on page layouts hold PHI data and cannot be hidden.
My solution to this was to create an encrypted custom field that would give me the ability to hide the PHI data and then leverage the standard field with an Auto Number (or something of that nature).
Is there a way to create a user role, profile, permission set, or sharing setting that allows users to do some work in our system while not exposing them to individual data?
How have others set up PHI-compliant systems?
Looking for advice.
Not sure if you had come across the concept of "breaking the glass" with regard to HIPAA in your research, but this can be instituted in a multitude of ways via LWC or Aura in order to provide a barrier to entry of sensitive information.
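
An added illustration of the break-the-glass barrier mentioned in the answer above (not code from the post or from Salesforce): a framework-independent JavaScript model of the gate an LWC or Aura component could sit in front of. PHI fields stay masked until the user records a reason, the grant expires, and every attempt is logged. The field list, the 15-minute window, the reason-length rule and all function names are assumptions.

```javascript
// Hypothetical names throughout; none of this is a Salesforce API.
const PHI_FIELDS = ['Name', 'PersonEmail']; // assumption: fields treated as PHI
const GRANT_TTL_MS = 15 * 60 * 1000;        // assumption: 15-minute access window
const MIN_REASON_LENGTH = 10;               // assumption: reject empty/token reasons

function createGate(now = () => Date.now()) {
  const grants = new Map(); // "userId:recordId" -> expiry timestamp (ms)
  const auditLog = [];      // stand-in for an append-only audit store

  // Records the attempt either way; grants access only with a real justification.
  function breakGlass(userId, recordId, reason) {
    const text = (reason || '').trim();
    if (text.length < MIN_REASON_LENGTH) {
      auditLog.push({ userId, recordId, event: 'DENIED', at: now() });
      return false;
    }
    grants.set(`${userId}:${recordId}`, now() + GRANT_TTL_MS);
    auditLog.push({ userId, recordId, event: 'GRANTED', reason: text, at: now() });
    return true;
  }

  // Returns a copy of the record with PHI masked unless this user holds
  // an unexpired grant for this specific record.
  function view(userId, record) {
    const expiry = grants.get(`${userId}:${record.Id}`);
    const unlocked = expiry !== undefined && now() < expiry;
    const out = {};
    for (const [field, value] of Object.entries(record)) {
      out[field] = PHI_FIELDS.includes(field) && !unlocked ? '****' : value;
    }
    return out;
  }

  return { breakGlass, view, auditLog };
}
```

The masking and grant check have to run server-side, behind the component; a mask applied only in the browser still delivers the PHI to the client.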