HIPAA support - Zoho Bookings Help

HIPAA support

Note: This page applies to the Bookings 2.0 version only. To view the equivalent Bookings 1.0 version, please check this page.


1. In a nutshell

Zoho Bookings provides features that help you handle your customers' individually identifiable health information in a HIPAA-compliant manner.


2. Feature availability

  • Super admins and admins can enable/disable HIPAA Support. 
  • Workspace admins can mark booking form fields as ePHI/PII after the HIPAA Support feature is enabled by admins.
  • Managers and staff can view the marked booking form fields. 

3. HIPAA support in Zoho Bookings

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. However, Zoho Bookings provides certain features (as described below) to help its customers use Zoho Bookings in a HIPAA-compliant manner.


HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.


Zoho Bookings has provisions to protect ePHI. Registration form fields that collect customer information classified as ePHI/PII can be marked for secure handling.


You can perform the following with respect to HIPAA compliance inside Zoho Bookings:

  • Enabling HIPAA
  • Encrypting ePHI/PII
  • Disabling HIPAA


3.1 Encryption & Auditing

The data captured in registration form fields marked as ePHI/PII is

  • Encrypted at rest 
  • Not shared outside Zoho Bookings (not even to other Zoho apps)
  • Masked while displayed anywhere inside the app
  • Audited continuously and monitored for activity

Data audits help you secure your customers' data and monitor for unexpected changes or usage trends. Zoho Bookings records audit logs (information about every addition, update, and deletion made to customer database records) in the backend for up to one year. The audit log is shared with you only upon request.


Drop an email to support@zohobookings.com if you'd like to access the audit logs.


Note: HIPAA support can be enabled only on guest user fields and on the SingleLine, CheckBox, DropDown, Email, RadioButton, and Date custom field types. It cannot be enabled on the default fields (Name, Email, and Contact Number) or on custom MultiLine fields at present. Collect sensitive information only in field types that can be marked as ePHI/PII, since data entered in unsupported fields is not encrypted or masked.


4. Steps to implement HIPAA

4.1 Enable HIPAA

  1. Click the Admin Center icon in the top-right corner of the Bookings menu bar.
  2. Select Privacy and Security under Data Administration.
  3. Enable the HIPAA Support toggle. Once HIPAA Support is enabled, you can mark your booking form fields as ePHI/PII; the data captured in those fields will then be encrypted.


4.2 Mark form fields ePHI/PII

You can enable encryption of sensitive data in both new and existing custom form fields by marking them as ePHI/PII.

  1. Navigate to Event Types, select the required event type, and click Booking Form.
  2. Hover over the required field (Blood Pressure, in this case) and click the edit icon.
  3. Select the checkbox Mark as ePHI/PII to denote that the field (Blood Pressure, in this case) would contain sensitive information and click Save.



4.2.1 Encrypting multiple fields

HIPAA support can be enabled on more than one field. However, when you try to mark a second field as ePHI/PII shortly after the first, you might receive an error message.


This is because once a registration form field is marked as ePHI/PII, the backend takes some time to set it up. If another field is marked as ePHI/PII while the setup for the first field is still in progress, the setup can fail. To avoid this, wait a short while after marking one field before marking the next.


5. Disabling HIPAA support

  1. Click the Admin Center icon in the top-right corner of the Bookings menu bar.
  2. Select Privacy and Security under Data Administration.
  3. Set the HIPAA Support toggle to Disabled.
    A confirmation dialog will notify you that the registration form fields will no longer be treated as sensitive, and that you will not be able to mark fields as ePHI/PII going forward.

  4. Click Yes to proceed.

    Existing registration form fields will no longer be marked as ePHI/PII, and the option to mark them as ePHI/PII will no longer be available. Review the data held in those fields before disabling, since it will no longer receive the protections described above.


