The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.
Zoho Creator does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Creator provides features to help its customers use their Zoho Creator applications in a HIPAA compliant manner.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
Note: Kindly note that the content presented here is not to be construed as legal advice. Please contact your legal advisor to learn how HIPAA impacts your organization and what you need to do to comply with HIPAA.
HIPAA Compliance in Zoho Creator
The medical industry has grown enormously in the past few years. Preserving electronic health records and protecting individuals' health and personal information have become essential.
Zoho Creator provides various safeguards and controls in the platform that customers can utilise to build their HIPAA compliant applications. The following section highlights a few aspects of how Zoho Creator application owners/admins can achieve this:
- Labelling a field as ePHI: You can mark a field as ePHI if it stores health information that identifies an individual or can reasonably be used to identify an individual.
  To label a field as ePHI:
  - Open the form builder.
  - Select the required field. Its Field Properties will appear on the right.
  - Navigate to the Field Properties > Data Security section. Check the checkbox next to Contains health info (ePHI).
- Encrypting the data of ePHI fields: Encryption adds a layer of security to data to prevent it from being stolen; it is the process of encoding information so that only authorized parties can access it. You can encrypt the fields that store health information. Refer to the article on encrypting fields in Zoho Creator to learn more.
- Administering Roles and Permissions: Zoho Creator lets you completely customize access to your application and data.
  The Owner or Admin of the app can:
- Audit trails and exporting them: The Audit Trail feature in Zoho Creator assists an organization by maintaining logs of the sequence of activities performed inside an application. It captures:
  - History of changes made to your records
  - History of print and export actions carried out in a report
  Currently, the Audit Logs for record changes are retained for a year, and those for Export/Print actions performed in the application are retained for three months. These Audit Trails can be exported as CSV files by clicking the Export button in the respective tabs of the Audit Trail console. However, it is the responsibility of the Covered Entity to protect and retain the exported copy of the Audit Trail as per HIPAA requirements.
- Backup application and restore data: The Backup and Restore feature enables you to back up the applications in your account along with their data and restore them whenever required. You can also schedule your backups by configuring the frequency of backups and the start date in Zoho Creator.
- Third-party integrations: Zoho Creator supports integrations with various third-party services through secure connections. All data transmitted through these connections is encrypted in transit, and the integrations are managed in adherence to HIPAA guidelines. This ensures that all ePHI exchanged between Zoho Creator and external services is protected during interactions.
  However, it is important to note that HIPAA compliance within Zoho Creator applies only to the data handled within the platform. Once ePHI data is transmitted to an external service, the responsibility for safeguarding that data lies with the receiving service and not with Zoho Creator. We strongly encourage customers to verify that any third-party services they choose to integrate with are also HIPAA compliant.
Note: The features mentioned here are available only in Paid Plans of Creator.