Understanding HIPAA Compliance - Online Help | Zoho Campaigns

Understanding HIPAA Features in Zoho Campaigns

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also grants certain rights to individuals. Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. However, Zoho Campaigns provides certain features to help its customers use Zoho Campaigns in a HIPAA-compliant manner.

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

How to apply HIPAA features in Zoho Campaigns?

Admins in Zoho Campaigns can secure and restrict the export of protected health information (PHI) by doing the following:

Marking fields that contain PHI: Marking fields containing PHI helps the system identify these fields, restrict access to them through the API, and prevent the export of their values. Examples are fields that contain surgical history, symptoms, medication details, etc.
Note: Only custom fields can be marked as fields with PHI. Standard fields cannot be marked.
Setting restrictions for the data marked as PHI: There are two options for restricting personal health data from being accessed outside Zoho Campaigns. Any of these options can be enabled depending on the org's requirements:
  1. Restrict data access through API: Other applications can connect with Zoho Campaigns using the API, and data can be transferred. You can ensure that the personal health data of your customers is not shared in the process by restricting the transfer of personal health data to other applications via the API.
  2. Restrict data export: When exporting data from the Zoho Campaigns account, you may want to withhold personal health data from the export; check this option to do so.
Encrypting PHI fields: Fields that contain PHI can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho Campaigns, we strongly recommend enabling it, as it is the best practice to prevent unauthorized access to confidential data.
Note: Custom fields are not encrypted by default. You are required to encrypt each one manually.

How to configure HIPAA compliance?

  1. Click the Settings icon on the top-right corner of the screen.
  2. Under General, select Compliance settings.
  3. Click HIPAA Compliance.
  4. Toggle the HIPAA compliance settings switch on. Once you toggle this on, switches that enable restriction of personal health data appear.
  5. Toggle the Restrict data export switch or the Restrict data export through APIs switch on. This restricts users from sharing data.

How to mark a field as containing personal health data?

  1. Click the Settings icon on the top-right corner of the screen.
  2. Under Customization, select Custom Fields.
  3. Click Create Custom Field in the Accounts page.
  4. After filling out the custom field details, check the Contains Personal health data checkbox. You can also edit an existing field and mark or unmark it as containing personal health data.

How to encrypt a field containing PHI?

  1. Click the Settings icon on the top-right corner of the screen.
  2. Under Customization, select Custom Fields.
  3. Click Create Custom Field in the Accounts page.
  4. After filling out the custom field details, check the Encrypt Field box and click Add. You can also edit an existing field and encrypt or decrypt its data.

How to disable HIPAA compliance?

  1. Click the Settings icon on the top-right corner of the screen.
  2. Under General, select Compliance settings.
  3. Click HIPAA Compliance.
  4. Toggle the HIPAA compliance settings switch off. Once you toggle this off, a confirmation dialog box appears.
  5. Click Go Ahead.
  6. Once you disable HIPAA compliance, the export restriction and the other restrictions related to it are revoked.

Retrieving the audit log

We allow you to export the audit log as and when required using the Export Audit Log option. In Zoho Campaigns, the audit log is available for 6 months by default. If you require data older than 6 months, you can reach out to support@zohocampaigns.com.