health-cloud-multi-cloud-strategy

Use this skill when designing the license model, cloud topology, and org structure for a Salesforce Health Cloud implementation that involves more than one Salesforce cloud product (Experience Cloud patient portals, OmniStudio engagement flows, Marketing Cloud care campaigns, or Service Cloud case management). Trigger keywords: Health Cloud multi-cloud, patient portal licensing, Health Cloud Experience Cloud add-on, OmniStudio Health Cloud PSL, Marketing Cloud HIPAA BAA healthcare, multi-cloud healthcare org design. NOT for individual cloud configuration setup (e.g. configuring a single Health Cloud record page or a single Experience Cloud site), NOT for single-cloud Health Cloud implementations, and NOT for Health Cloud data model object definitions (see health-cloud-data-model skill).

Best use case

health-cloud-multi-cloud-strategy is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use this skill when designing the license model, cloud topology, and org structure for a Salesforce Health Cloud implementation that involves more than one Salesforce cloud product (Experience Cloud patient portals, OmniStudio engagement flows, Marketing Cloud care campaigns, or Service Cloud case management). Trigger keywords: Health Cloud multi-cloud, patient portal licensing, Health Cloud Experience Cloud add-on, OmniStudio Health Cloud PSL, Marketing Cloud HIPAA BAA healthcare, multi-cloud healthcare org design. NOT for individual cloud configuration setup (e.g. configuring a single Health Cloud record page or a single Experience Cloud site), NOT for single-cloud Health Cloud implementations, and NOT for Health Cloud data model object definitions (see health-cloud-data-model skill).

Teams using health-cloud-multi-cloud-strategy should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/health-cloud-multi-cloud-strategy/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/architect/health-cloud-multi-cloud-strategy/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/health-cloud-multi-cloud-strategy/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How health-cloud-multi-cloud-strategy Compares

Feature / Agenthealth-cloud-multi-cloud-strategyStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use this skill when designing the license model, cloud topology, and org structure for a Salesforce Health Cloud implementation that involves more than one Salesforce cloud product (Experience Cloud patient portals, OmniStudio engagement flows, Marketing Cloud care campaigns, or Service Cloud case management). Trigger keywords: Health Cloud multi-cloud, patient portal licensing, Health Cloud Experience Cloud add-on, OmniStudio Health Cloud PSL, Marketing Cloud HIPAA BAA healthcare, multi-cloud healthcare org design. NOT for individual cloud configuration setup (e.g. configuring a single Health Cloud record page or a single Experience Cloud site), NOT for single-cloud Health Cloud implementations, and NOT for Health Cloud data model object definitions (see health-cloud-data-model skill).

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Health Cloud Multi-Cloud Strategy

This skill activates when an architect or practitioner needs to design the cross-cloud license model and org topology for a Salesforce Health Cloud implementation that spans multiple Salesforce products. It provides decision guidance on which clouds are bundled, which are separate add-ons, how permission sets must be assigned per persona, and what compliance obligations attach to each cloud connection.

---

## Before Starting

Gather this context before working on anything in this domain:

- **Edition confirmation:** Health Cloud requires Salesforce Enterprise edition or higher. Verify the contracted edition before making any license bundling assumptions.
- **Persona inventory:** Collect a complete list of user types — internal care team members (nurses, case managers, care coordinators), patient portal users, marketing operations staff, and system administrators. Licensing and PSL assignments differ fundamentally between internal and external (portal) users.
- **HIPAA BAA scope:** Confirm which Salesforce clouds are covered under the org's HIPAA Business Associate Agreement. A BAA covering Health Cloud does NOT automatically extend to Marketing Cloud — Marketing Cloud requires its own separate HIPAA BAA.
- **Most common wrong assumption:** Practitioners frequently assume that a Health Cloud license includes Experience Cloud for patient portals. It does not. Experience Cloud for Health Cloud is a separate paid add-on SKU.
- **OmniStudio PSL requirement:** OmniStudio is bundled within Health Cloud licenses but the capability does not activate automatically. Each user who will use OmniStudio components must be assigned both the Health Cloud permission set license AND the OmniStudio User permission set license explicitly.
- **Service Cloud is implicit:** Unlike Experience Cloud, Service Cloud case management capabilities ARE implicitly included in every Health Cloud license and do not require a separate Service Cloud add-on purchase. Do not design a separate Service Cloud license line into the quote for internal care coordinators.

---

## Core Concepts

### Health Cloud Builds on Top of CRM — Service Cloud Is Included

Health Cloud is not a standalone product. It is a managed package and permission set layer delivered on top of a standard Salesforce CRM org (Sales Cloud + Service Cloud at the same edition level). Every Health Cloud license implicitly includes Service Cloud capabilities — case management, entitlements, omni-channel routing, and the full Case object — at no additional license cost for internal users. Care coordinators use Service Cloud Cases as the backbone of care coordination without needing a separate Service Cloud license.

Consequence: Do not add Service Cloud as a separate line item in architecture or licensing documentation for internal care team users. It creates confusion and may lead procurement to purchase redundant licenses.

### Experience Cloud for Health Cloud Is a Separate Paid Add-On

Patient-facing portals and caregiver portals built on Experience Cloud are NOT included in a standard Health Cloud license. They require the **Experience Cloud for Health Cloud** add-on SKU, which provisions:
- Customer Community Plus or Partner Community licenses for external portal users
- The Health Cloud-specific Experience Cloud components (patient portal templates, CareProgramEnrollee integration, PersonAccount-based site membership)
- Per-user permission set licenses for Experience Cloud Health Cloud users

Each external portal user must be assigned the **Health Cloud for Experience Cloud** permission set license. Failure to do this is the single most common licensing error in Health Cloud implementations.

### OmniStudio Bundled But Requires Explicit PSL Assignment

OmniStudio (FlexCards, OmniScripts, Integration Procedures, DataRaptors) is packaged within Health Cloud licenses — customers do not purchase OmniStudio separately when they have Health Cloud. However, activation requires three explicit permission set assignments for each internal user who needs OmniStudio:

1. **Health Cloud** permission set license
2. **Health Cloud Platform** permission set license (provides object-level access to Health Cloud data model objects)
3. **OmniStudio User** permission set license

If any of the three is missing, OmniStudio components will be visible in the metadata but will fail silently or throw permission errors at runtime for that user.

### Marketing Cloud Health Cloud Connect and the HIPAA BAA Gap

Marketing Cloud can be connected to Health Cloud to enable care program campaign management, appointment reminders, and patient re-engagement journeys via Marketing Cloud Health Cloud Connect (the managed integration package). However:

- Marketing Cloud operates as a **separate system** with its own data store — PHI sent into Marketing Cloud is governed by the Marketing Cloud HIPAA BAA, not the Health Cloud BAA.
- A separate HIPAA BAA must be executed with Salesforce specifically for Marketing Cloud before any PHI (patient demographics, care program enrollment status, appointment data) is sent from Health Cloud into Marketing Cloud.
- Until that BAA is in place, only de-identified or non-PHI data can flow from Health Cloud to Marketing Cloud.
- Marketing Cloud Connect syncs data via the Connected App framework and requires the Marketing Cloud Connector permission set in the Health Cloud org.

---

## Common Patterns

### Three-Tier Patient Portal Architecture

**When to use:** The implementation includes patient self-service (appointment scheduling, care plan viewing, secure messaging) alongside internal care coordinator workflows.

**How it works:**
- Tier 1 — Internal: Care coordinators and clinicians use the internal Health Cloud org with Service Cloud cases as care coordination records. OmniStudio OmniScripts drive guided intake and assessment flows.
- Tier 2 — Portal: Patients access an Experience Cloud site (licensed as Experience Cloud for Health Cloud add-on). The site uses PersonAccount for patient identity and CareProgramEnrollee records to display enrolled care programs. Data is read/written through the standard Health Cloud data model — no separate integration middleware is needed.
- Tier 3 — Campaign: Marketing Cloud Health Cloud Connect syncs care program enrollment and appointment status into Marketing Cloud for automated outreach journeys, governed under a Marketing Cloud HIPAA BAA.

**Why not the alternative:** Building the patient portal as a separate Salesforce org (a "portal org") introduces bidirectional sync complexity, duplicate identity management, and doubles the compliance surface. Single-org with Experience Cloud for Health Cloud is strongly preferred unless strict data residency requirements make a separate org necessary.

### Care Coordination Hub with OmniStudio Guided Flows

**When to use:** The care team requires standardized, multi-step intake assessments (SDOH screening, medication reconciliation) that must be auditable and configurable without code deployments.

**How it works:**
- OmniStudio OmniScripts replace custom Visualforce or LWC wizard flows for guided data collection.
- DataRaptors read and write to Health Cloud data model objects (EpisodeOfCare, CarePlan, ClinicalEncounter).
- Integration Procedures call external EHR systems (Epic, Cerner) via named credentials without custom Apex.
- FlexCards surface summarized patient context on the care coordinator's record page.

All of this runs within the standard Health Cloud org under the bundled OmniStudio entitlement — no separate OmniStudio license purchase required, but each user needs all three PSLs assigned (see Core Concepts).

**Why not the alternative:** Custom LWC-based wizards require code deployments for every assessment change, cannot be managed by non-developer care program staff, and lack the built-in audit trail that OmniScripts provide through the OmniProcess execution log.

### Single-Org vs. Hub-and-Spoke for Multi-Entity Health Systems

**When to use:** The health system has multiple hospitals, clinics, or business units that may need data isolation while sharing a Salesforce contract.

**How it works:**
- **Single org:** All entities share one Salesforce org. Data visibility is controlled via Health Cloud's Care Team sharing model, Sharing Sets for Experience Cloud users, and role hierarchy. Lowest cost, simplest administration.
- **Hub-and-spoke:** Each business unit gets its own Salesforce org (spoke). A central Platform Events or MuleSoft integration layer aggregates cross-entity patient records. Used only when regulatory requirements mandate data residency separation between entities (e.g., a behavioral health subsidiary with stricter 42 CFR Part 2 obligations).

**Why not the alternative:** Hub-and-spoke dramatically increases license cost, deployment complexity, and integration maintenance. Architects should exhaust single-org isolation patterns before recommending multiple orgs.

---

## Decision Guidance

| Use Case | Cloud / License Required | Included in Health Cloud? | Notes |
|---|---|---|---|
| Internal care coordinator case management | Service Cloud (Cases, Omni-Channel) | Yes — implicit | No separate purchase needed |
| Patient self-service portal | Experience Cloud for Health Cloud (add-on SKU) | No — separate add-on | Per-external-user PSL required |
| Guided care assessment flows (OmniScripts) | OmniStudio | Yes — bundled | Requires 3 PSL assignments per user |
| Appointment reminder and re-engagement campaigns | Marketing Cloud + Health Cloud Connect | No — separate product | Requires dedicated Marketing Cloud HIPAA BAA before PHI is sent |
| EHR integration (Epic, Cerner) | MuleSoft or named credential callouts | Not included | MuleSoft licensed separately; named credential callouts use Apex callout limits |
| Analytics on care program outcomes | CRM Analytics for Health Cloud | No — separate add-on | Health Cloud includes basic report builder; full CRM Analytics requires separate license |
| Caregiver portal (family member access) | Experience Cloud for Health Cloud (same add-on) | No | Caregiver access uses PersonAccount relationship records and sharing sets |

---

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner working on this task:

1. **Inventory all personas and their cloud touchpoints.** For every user type, document whether they are internal (care team) or external (patient, caregiver, marketing ops). Map each persona to the Salesforce cloud(s) they will interact with. This drives the license model.

2. **Confirm which clouds are in scope and which are purchased.** Use the decision guidance table above to identify which clouds are bundled (Service Cloud, OmniStudio) versus which require separate purchase (Experience Cloud for Health Cloud, Marketing Cloud, CRM Analytics). Cross-reference against the customer's signed order form.

3. **Design the permission set license (PSL) assignment matrix.** For every internal user role, determine whether they need Health Cloud PSL only, or also Health Cloud Platform and OmniStudio User PSLs. For external portal users, confirm Health Cloud for Experience Cloud PSL assignment. Document this matrix as a deliverable.

4. **Assess HIPAA BAA scope.** Confirm whether the existing HIPAA BAA covers Health Cloud only, or also Marketing Cloud. If Marketing Cloud campaigns will include PHI, initiate the Marketing Cloud HIPAA BAA process with the Salesforce account team before any Health Cloud data flows into Marketing Cloud environments.

5. **Choose org topology.** Evaluate single-org (preferred) versus hub-and-spoke based on data isolation requirements, regulatory obligations per business unit, and total cost of ownership. Document the decision rationale in an Architecture Decision Record.

6. **Validate the Experience Cloud site configuration.** If a patient portal is in scope, confirm that the Experience Cloud site uses PersonAccount (not standard Contact) for member identity, that Sharing Sets are configured to give patients access to their own CareProgramEnrollee and CarePlan records, and that the Experience Cloud for Health Cloud PSL is assigned to all portal user profiles.

7. **Review the complete license model with legal and compliance.** Before finalizing architecture, walk the HIPAA BAA scope and data flow diagram with the customer's legal and compliance team. Confirm that every cloud that will touch PHI is covered under the appropriate BAA.

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] All user personas are classified as internal or external and mapped to the correct Salesforce cloud
- [ ] Experience Cloud for Health Cloud add-on SKU is on the order form if a patient portal is in scope
- [ ] OmniStudio PSL assignment includes Health Cloud + Health Cloud Platform + OmniStudio User for all OmniStudio users
- [ ] Service Cloud is NOT listed as a separate line-item license for internal care coordinator users
- [ ] Marketing Cloud HIPAA BAA status is confirmed before any PHI flow from Health Cloud to Marketing Cloud is designed
- [ ] Org topology decision (single-org vs. hub-and-spoke) is documented with rationale
- [ ] Experience Cloud site uses PersonAccount (not Contact) for patient identity
- [ ] CareProgramEnrollee and CarePlan Sharing Sets are configured for portal user record access
- [ ] Architecture Decision Record (ADR) documenting the multi-cloud topology is produced

---

## Salesforce-Specific Gotchas

Non-obvious platform behaviors that cause real production problems:

1. **Experience Cloud for Health Cloud PSL is not auto-assigned to portal profiles** — When an admin enables Experience Cloud for Health Cloud and creates the portal site, the Health Cloud for Experience Cloud permission set license is NOT automatically assigned to the portal user profile. Each portal user's profile must have this PSL explicitly assigned. Without it, Health Cloud components (Care Plan viewer, CareProgramEnrollee FlexCards) on the portal site throw "Insufficient Privileges" errors at runtime even though the site itself loads.

2. **PersonAccount is a one-way conversion in Health Cloud orgs** — Health Cloud implementations almost always require PersonAccount enabled for patient identity. Once PersonAccount is enabled in a Salesforce org, it cannot be disabled. If a customer's existing Service Cloud org has Contact records not linked to PersonAccount, a migration plan must be in place before Health Cloud is layered on. Retrofitting PersonAccount into a live org with existing Account-Contact relationships requires a full data migration and relationship remapping.

3. **OmniStudio components fail silently when Health Cloud Platform PSL is missing** — If a user has the Health Cloud PSL and the OmniStudio User PSL but is missing the Health Cloud Platform PSL, OmniScripts that read or write to Health Cloud-specific objects (EpisodeOfCare, CarePlan, ClinicalEncounter) will fail at the DataRaptor step with a generic "Record not found" or "FIELD_INTEGRITY_EXCEPTION" error rather than a clear permission error. This is the hardest PSL assignment bug to diagnose because the user can open the OmniScript UI successfully but the data operations silently fail.

4. **Marketing Cloud Health Cloud Connect requires the Connected App in both orgs** — When configuring Marketing Cloud Health Cloud Connect, the Marketing Cloud connector package must be installed in the Health Cloud org AND the corresponding Connected App credentials must be configured in Marketing Cloud's Setup. If the credentials are configured only on the Marketing Cloud side (a common partial-setup mistake), the sync appears to work but data does not flow, and the error surfaces only in Marketing Cloud's Synchronization Dashboard — not in Salesforce Setup logs.

5. **Sharing Sets for Experience Cloud portal users do not support all Health Cloud object relationships** — Sharing Sets (the mechanism that gives external portal users access to records they "own") work on direct lookup relationships from the portal user's PersonAccount. CarePlanTemplate and some ClinicalEncounter sub-objects are not reachable through Sharing Sets alone and require Apex sharing rules or OWD relaxation. Architects who design the portal access model assuming Sharing Sets cover all Health Cloud objects will discover the gaps in UAT, not design.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| Multi-cloud license model | Table of all Salesforce clouds in scope, whether each is bundled or a separate SKU, and per-user license cost implications |
| PSL assignment matrix | Grid of every internal and external user persona against the permission set licenses they must receive, with rationale |
| Org topology ADR | Architecture Decision Record documenting single-org vs. hub-and-spoke decision with constraints, options considered, and chosen approach |
| HIPAA BAA scope diagram | Data flow diagram showing which clouds touch PHI and which BAAs must be in place for each flow |
| Experience Cloud site configuration checklist | Step-by-step verification list for PersonAccount enablement, Sharing Sets, and PSL assignment for the patient portal |

---

## Related Skills

- health-cloud-data-model — Use alongside this skill to understand the specific Health Cloud objects (CarePlan, EpisodeOfCare, CareProgramEnrollee) that the multi-cloud architecture must expose through the Experience Cloud portal and OmniStudio flows
- health-cloud-patient-setup — Use for individual patient record configuration once the multi-cloud org design decisions from this skill are finalized
- hipaa-compliance-architecture — Use for the full HIPAA technical safeguards architecture; this skill focuses on which clouds need BAAs, not on the full technical control set
- experience-cloud-setup — Use for the mechanics of building the Experience Cloud site once the licensing and persona decisions from this skill are documented

Related Skills

shield-event-log-retention-strategy

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).

security-health-check

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when running, interpreting, or acting on Salesforce Security Health Check results — reading the score, understanding risk categories, evaluating specific settings, creating or importing a custom baseline, querying the Tooling API programmatically, or planning remediation from findings. Triggers: 'security health check score', 'health check failing settings', 'custom baseline', 'remediate health check findings', 'fix risk'. NOT for org hardening implementation, permission model design, or broad baseline config beyond what Health Check directly measures.

oauth-redirect-and-domain-strategy

8
from PranavNagrecha/AwesomeSalesforceSkills

Design Connected App OAuth callback URLs, My Domain naming, Enhanced Domains cutover, and cross-environment redirect handling. Trigger keywords: oauth redirect uri, connected app callback, my domain, enhanced domains, sandbox url change, oauth login host. Does NOT cover: end-user login flow UX, Experience Cloud branding, or SAML-only SSO configuration.

mfa-enforcement-strategy

8
from PranavNagrecha/AwesomeSalesforceSkills

Plan and operate Salesforce org-wide multi-factor authentication (MFA) enforcement: verification methods, phased rollout, SSO and API-only considerations, exemptions, and operational readiness. NOT for designing Login Flow post-authentication logic, IP allowlists, or conditional step-up policies—use ip-range-and-login-flow-strategy, network-security-and-trusted-ips, or transaction-security-policies instead.

ip-range-and-login-flow-strategy

8
from PranavNagrecha/AwesomeSalesforceSkills

Design and implement Salesforce Login Flows (Screen Flows assigned to profiles or Experience Cloud sites) that run post-authentication to enforce conditional MFA, IP-based branching, terms-of-service acceptance, or user data collection. Covers Login Flow creation in Flow Builder, profile/site assignment, IP-aware decision logic, and ConnectedAppPlugin extension points. NOT for static IP allowlisting or profile Login IP Ranges (see network-security-and-trusted-ips), org-wide session policies, or SSO/SAML IdP configuration.

experience-cloud-security

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when configuring access controls, sharing, or site security for authenticated or guest Experience Cloud (community) users: external OWD, Sharing Sets, Share Groups, CSP, clickjack protection, guest user record access. NOT for internal sharing model configuration (use sharing-and-visibility).

omnistudio-multi-language

8
from PranavNagrecha/AwesomeSalesforceSkills

Localize OmniScripts, FlexCards, and DataRaptors using Label-based translation, multi-language JSON, and locale-aware number/date formatting. NOT for Salesforce Translation Workbench alone.

headless-experience-cloud

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom frontends (React, Vue, mobile, static sites) that consume Salesforce CMS content via the Connect REST API headless delivery endpoint. Triggers: 'headless Salesforce CMS', 'deliver CMS content to external frontend', 'React app Salesforce content API', 'custom frontend Experience Cloud data', 'CMS delivery channel API'. NOT for standard Experience Builder site development. NOT for CMS Connect (3rd-party CMS federation into Experience Builder). NOT for Experience Cloud LWC components rendered inside a site.

experience-cloud-search-customization

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring or extending search on an Experience Cloud site — covering Search Manager scope configuration, LWR vs Aura search component selection, federated search setup, guest user search access, and custom search result components. NOT for SOSL/SOQL query development. NOT for internal Salesforce global search or Einstein Search for agents.

experience-cloud-multi-idp-sso

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring multiple identity providers (OIDC and/or SAML) on a single Experience Cloud site or across tenant-specific portals in the same org — covering auth provider registration, Start SSO URL routing, Federation ID mapping, RegistrationHandler implementation, and simultaneous SP+IdP topology. Trigger keywords: multiple identity providers Experience Cloud, multi-tenant SSO community portal, vendor and citizen portal same site, OIDC SAML both on login page, tenant-specific login routing community. NOT for internal Salesforce employee SSO configuration. NOT for single auth provider setups — see experience-cloud-authentication for basic SSO.

experience-cloud-lwc-components

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom LWC components for Experience Cloud (Experience Builder sites, LWR portals, Aura-based communities). Covers community context imports, guest user Apex access patterns, navigation API differences between LWR and Aura, and JS-meta.xml target configuration for Experience Builder exposure. NOT for internal LWC components deployed to Lightning App Builder or standard record pages (see lwc/lwc-development). NOT for Aura community components. Trigger keywords: build LWC for Experience Cloud, custom component community portal LWC, guest user LWC component, community context import salesforce, lightningCommunity target, @salesforce/community, guest Apex.

experience-cloud-authentication

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom login pages, social SSO flows, self-registration flows, or passwordless OTP login for Experience Cloud (community) sites. Trigger keywords: custom login page Experience Cloud, social SSO community portal, passwordless login Experience Cloud, self-registration custom flow, headless authentication community, auth provider OIDC SAML site. NOT for internal SSO configuration (use identity/sso skills). NOT for standard username/password authentication with no customization.