Gainsight Inc.

Gainsight [SFDC] Workflow and Configuration Guidelines for Maintaining HIPAA Privacy and Security

Overview

For Gainsight customers that may process electronic Protected Health Information (ePHI) or encounter incidental ePHI in the course of their business, we strongly recommend implementation of the following Workflows and Configurations within the Gainsight Platform to adhere to HIPAA privacy and security requirements. 

If you have any questions regarding these Guidelines, please contact your Engagement Manager or Client Outcomes Manager. 

Last Updated: September 1, 2020

Workflow & Configuration Guidance for SFDC Features

Gainsight User Authentication
  • We strongly recommend requiring two-factor authentication for every Gainsight user. Customers implement this by configuring Gainsight's SAML Single Sign-On integration with their existing directory; the second factor is enforced by that directory, not by Gainsight, so the protection only holds if the directory enforces two-factor authentication at login. Confirm that the identity provider policy applied to the Gainsight application actually requires the second factor and that no password-only login path to Gainsight remains enabled for users who handle ePHI.

CS Timeline Entries

  • Please limit ePHI entered into Timeline to the minimum necessary to complete the task. We recommend that customers incorporate this standard into internal user training and process documentation. 

  • We recommend that unnecessary ePHI stored in Timeline, whether in the entry text or in an attachment, be removed by the customer as soon as it is identified. Best practice is to have the user who created the entry remove the ePHI (including any attachment that contains it), or to request that Gainsight Support delete the entry.

Gainsight Data Management (GDM) 
  • Please limit ePHI transmitted as part of a data set to Gainsight to the minimum necessary to complete the task.

  • We recommend restricting access to data sets containing ePHI to your Gainsight Administrator, using Gainsight's admin-level user permissions.

  • We recommend that you do not make data points containing ePHI visible in your C360 or other end user-facing features. 

  • We recommend that all data be encrypted in transit and at rest, and that additional encryption be enabled on the S3 bucket used to stage data sets for Gainsight, so that a data set containing ePHI is never written to or read from the bucket unencrypted.
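The S3 recommendation above, as an added example that is not Gainsight's code and not a policy the page supplies: a Python script that generates an S3 bucket policy denying non-TLS requests (encryption in transit) and denying uploads that are not encrypted with a specific customer-managed KMS key (encryption at rest beyond S3's default), plus a check that can be run against an existing policy exported with `aws s3api get-bucket-policy`. The bucket name, the KMS key ARN and the weak "before" policy are constructed placeholders.

```python
import json

# Added example, not Gainsight code or an AWS-provided template. The bucket
# name and KMS key ARN are placeholders (assumptions); replace them.
BUCKET = "example-gainsight-ephi-datasets"
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "00000000-0000-0000-0000-000000000000")
SSE_HEADER = "s3:x-amz-server-side-encryption"
SSE_KEY_HEADER = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def _deny(sid, action, resource, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": action, "Resource": resource, "Condition": condition}


def required_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy that refuses plaintext (non-TLS) requests and refuses
    object uploads not encrypted with the named customer-managed KMS key.
    Every statement is an explicit Deny, which overrides any Allow."""
    arn = f"arn:aws:s3:::{bucket}"
    objs = f"{arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # In transit: deny every S3 action when the request is not TLS.
            _deny("DenyInsecureTransport", "s3:*", [arn, objs],
                  {"Bool": {"aws:SecureTransport": "false"}}),
            # At rest: the upload must carry the SSE header ...
            _deny("DenyUploadsWithoutSseHeader", "s3:PutObject", objs,
                  {"Null": {SSE_HEADER: "true"}}),
            # ... the header must request SSE-KMS, not SSE-S3 (AES256) ...
            _deny("DenyUploadsNotSseKms", "s3:PutObject", objs,
                  {"StringNotEquals": {SSE_HEADER: "aws:kms"}}),
            # ... and the key must be the named customer-managed key, not
            # the account's default aws/s3 key.
            _deny("DenyUploadsWithoutKmsKeyId", "s3:PutObject", objs,
                  {"Null": {SSE_KEY_HEADER: "true"}}),
            _deny("DenyUploadsWithWrongKmsKey", "s3:PutObject", objs,
                  {"StringNotEquals": {SSE_KEY_HEADER: kms_key_arn}}),
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_requires_tls(policy: dict) -> bool:
    """True if a Deny on all S3 actions fires for non-TLS requests."""
    for s in policy.get("Statement", []):
        cond = s.get("Condition", {}).get("Bool", {})
        if (s.get("Effect") == "Deny"
                and "s3:*" in _as_list(s.get("Action", []))
                and str(cond.get("aws:SecureTransport")).lower() == "false"):
            return True
    return False


def policy_requires_kms_key(policy: dict, kms_key_arn: str) -> bool:
    """True only if all four upload-side checks are present: SSE header
    present, header == aws:kms, key-id header present, key-id == ARN."""
    found = set()
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Deny":
            continue
        if not any(a in ("s3:*", "s3:PutObject", "s3:Put*")
                   for a in _as_list(s.get("Action", []))):
            continue
        null = s.get("Condition", {}).get("Null", {})
        sne = s.get("Condition", {}).get("StringNotEquals", {})
        if str(null.get(SSE_HEADER)).lower() == "true":
            found.add("sse-present")
        if sne.get(SSE_HEADER) == "aws:kms":
            found.add("sse-kms")
        if str(null.get(SSE_KEY_HEADER)).lower() == "true":
            found.add("key-present")
        if sne.get(SSE_KEY_HEADER) == kms_key_arn:
            found.add("key-match")
    return found == {"sse-present", "sse-kms", "key-present", "key-match"}


# Constructed "before" policy: TLS is enforced, but any encryption (or none)
# is accepted on upload, so ePHI can land in the bucket under the default key.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        _deny("DenyInsecureTransport", "s3:*",
              [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
              {"Bool": {"aws:SecureTransport": "false"}}),
    ],
}

if __name__ == "__main__":
    policy = required_bucket_policy(BUCKET, KMS_KEY_ARN)
    # Save and apply with:
    #   aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json
    print(json.dumps(policy, indent=2))
    print("weak policy requires KMS key:",
          policy_requires_kms_key(WEAK_POLICY, KMS_KEY_ARN))
```

Because the policy denies any upload that does not carry the SSE-KMS headers explicitly, every client that writes data sets into the bucket must set them; verify that the uploading tool or integration does so before applying the policy, or the transfer itself will be refused. The check functions are deliberately strict: a policy that sets only the `StringNotEquals` condition without the matching `Null` condition still lets a header-less upload through, so it is reported as not requiring the key.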

CS Journey Orchestrator
  • We do not recommend using Journey Orchestrator (JO) for direct-to-patient communications that may contain ePHI.

  • If you have a use case for including ePHI in JO communications, or plan to send direct-to-patient communications through JO, please reach out to your Client Outcomes Manager to discuss before doing so.

CS Surveys 2.0
  • We recommend that you do not collect ePHI using a Gainsight Survey. Gainsight Surveys are not intended for patient surveys.

  • If you have a use case for using Surveys to collect ePHI, please reach out to your Client Outcomes Manager to discuss. 

  • We recommend that incidental ePHI within Surveys be removed by the customer when it is identified. The best practice is for your Gainsight Administrator to delete the survey response.  

CS Success Plans
  • Please limit ePHI entered into a Success Plan by internal or external users to the minimum necessary to complete the task. We recommend that customers incorporate this standard into internal user training and process documentation.

  • We recommend that incidental ePHI stored in Success Plans be removed by the customer as soon as it is identified. Best practice is to have the internal user remove the ePHI from the Success Plan, or to request that Gainsight delete the Success Plan.

  • If you are concerned about incidental ePHI being added to Success Plans by external end users, you may choose not to enable the collaboration features (which allow your customers to collaborate with you) within Success Plans.