HIPAA Compliance with Zoho Commerce

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes.

Zoho Commerce provides features (as described below) to help its customers use Zoho Commerce in a HIPAA-compliant manner.

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

Member Portal & Access Restriction

Zoho Commerce provides role-based access to the features available. The member portal contains an access control list, through which the store owner can restrict access to the website for employees and visitors. This gives the store owner complete authority over users' access permissions. Not all users can view or access the administrator's functions.

SSL Certificate

With Zoho Commerce, business owners can install their own SSL certificates or obtain one from Let's Encrypt for free. The SSL protocol provides encryption, authenticity, and integrity for stores created through Zoho Commerce. More details are available in this help link.

Audit Trail

The Audit page allows users to review the builder activities that have been recorded. Logs are available for up to 6 months and can be exported as CSV files. All write operations involving ePHI, and sensitive read operations such as export, are recorded in the Zoho Commerce Audit Trail. The audit log is provided to users on request; users can request it by sending an email to the Zoho Commerce Support Team.

Forms

Zoho Commerce's forms can be used to collect ePHI data. Form fields can be marked as sensitive while collecting ePHI data. The field encryption option can be applied to the ePHI data collected. When exporting form data, ePHI data can be withheld. Form data is not stored by Zoho Commerce. The Zoho Forms service is integrated with Zoho Commerce.

Custom Fields

Zoho Commerce can be used to create a custom field and mark it as ePHI (Electronic Protected Health Information) if the information is used to identify a patient. For example, an electronic copy of a medical report is ePHI. Only fields of type Text, Email, URL, Phone, and Date can be marked as ePHI. The data will be treated as sensitive; it will also be encrypted when stored. Only users with access to protected data can access these fields. These fields and Sales Orders are integrated via the Zoho Inventory service.