FAQs on HIPAA

FAQs: HIPAA Compliance

How does Zoho CRM help organizations be HIPAA compliant?

At Zoho CRM, we allow organizations to be compliant with the HIPAA guidelines by providing the following options:
 
  1. Select modules that contain personal health data: All modules that contain protected health information must be selected. Both standard and custom modules can be selected. A total of 10 modules can be selected.
  2. Mark fields as containing personal health information: In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
    Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
  3. Set restrictions for the data marked as PHI: There are four options for restricting personal data from being accessed outside Zoho CRM. Any of these options can be enabled depending on the org's requirements:
    1. Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
    2. Restrict data export: While exporting data from the CRM account you may want to withhold personal health information from being exported by checking this option.
    3. Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, Projects, etc., data will flow from CRM to these applications. This option will prevent personal health data from being transferred to those apps. To check the data flow restrictions, refer to the integrations table.
    4. Restrict data transfer to third-party apps: If your CRM account is integrated with third-party applications for business-related reasons, there is a chance of data flowing from CRM to these apps. This option will prevent personal health data from being transferred to those apps. To check the data flow restrictions, refer to the integrations table.
  4. Encrypt PHI fields: Fields that contain personal health information can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho CRM, we strongly recommend you enable encryption, as it is the best practice to prevent unauthorized access to confidential data.
Read more on how to configure encryption and understand its limitations. Also, refer to the Zoho Encryption whitepaper to understand the encryption process and key management in detail.

Where do I find the option to mark fields as personal health information?

In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
To mark fields that contain personal health data
  1. Go to Setup > Customization > Modules and Fields.
  2. Select a module and click the More icon to select the desired layout.
    Alternatively, you can click the More icon and select Edit Layout.
  3. Go to the desired field and click the More icon.
  4. Click Edit Properties and check the Contains Personal Health Data box.
    Remember that this option will only appear if the module has been selected for HIPAA compliance.

Where can I see the personal health data records in CRM?

All the fields that are marked as containing personal health data will be listed in the record detail page. Under Data Privacy, in the Personal Data section, you can click the Health tab to view the fields that have personal health data.



Does Zoho provide audit log as part of HIPAA compliance?

As a covered entity, it is your responsibility and best practice to export logs periodically and preserve them for the required period. To facilitate this, we allow you to export data as and when required using the Export Audit Log option. In Zoho CRM, the audit log is available for 60 days by default.


To export audit log entries
  1. Log in to Zoho CRM with Administrator privilege.
  2. Go to Setup > Data Administration > Audit Log.
  3. In the Audit Log page, click Export Audit Log.
    The entries will be exported in a .csv format.
In case you require data beyond 60 days, you can reach out to support@zohocrm.com.
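The FAQ leaves the preservation schedule to the covered entity: an entry older than 60 days is gone unless an earlier export captured it. As an added example that is not part of Zoho's documentation or product, the Go program below reads a constructed export, checks a history of export times for any span longer than the retention window, and computes the date by which the next export is due. The .csv column layout (a Time column holding RFC 3339 timestamps) and the sample rows are assumptions made for this example; the header row of a real export decides the actual column name.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RetentionDays is the default audit log retention stated in the FAQ.
const RetentionDays = 60

// Gap is an interval between two consecutive exports longer than the retention
// window: entries logged early in it had already aged out when the later export
// ran, so no copy of them exists anywhere.
type Gap struct {
	From, To time.Time
	Days     int
}

// LatestEntryTime returns the newest timestamp found in one exported .csv file.
// The layout (a "Time" column holding RFC 3339 timestamps) is an assumption for
// this example; check the header row of a real export and adjust.
func LatestEntryTime(csvText string) (time.Time, error) {
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return time.Time{}, err
	}
	if len(rows) < 2 {
		return time.Time{}, fmt.Errorf("export contains no entries")
	}
	timeCol := -1
	for i, h := range rows[0] {
		if strings.TrimSpace(h) == "Time" {
			timeCol = i
		}
	}
	if timeCol < 0 {
		return time.Time{}, fmt.Errorf("no Time column in header %v", rows[0])
	}
	var latest time.Time
	for _, row := range rows[1:] {
		t, err := time.Parse(time.RFC3339, row[timeCol])
		if err != nil {
			return time.Time{}, err
		}
		if t.After(latest) {
			latest = t
		}
	}
	return latest, nil
}

// CoverageGaps sorts the export times and reports every interval between
// consecutive exports that is longer than retentionDays.
func CoverageGaps(exports []time.Time, retentionDays int) []Gap {
	times := append([]time.Time(nil), exports...)
	sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
	var gaps []Gap
	for i := 1; i < len(times); i++ {
		days := int(times[i].Sub(times[i-1]).Hours() / 24)
		if days > retentionDays {
			gaps = append(gaps, Gap{From: times[i-1], To: times[i], Days: days})
		}
	}
	return gaps
}

// NextExportDue is the last day on which the next export can run without an
// entry logged since lastExport ageing out unpreserved.
func NextExportDue(lastExport time.Time, retentionDays int) time.Time {
	return lastExport.AddDate(0, 0, retentionDays)
}

// sampleExport is a constructed file, not real Zoho CRM output.
const sampleExport = `Time,User,Action,Module
2024-05-30T09:15:00Z,admin@example.com,Export Audit Log,Setup
2024-06-01T14:02:00Z,admin@example.com,Field Updated,Contacts
2024-05-28T08:00:00Z,user@example.com,Record Created,Leads
`

func main() {
	latest, err := LatestEntryTime(sampleExport)
	if err != nil {
		panic(err)
	}
	// Constructed history of earlier exports; the third entry is this one.
	exports := []time.Time{
		time.Date(2024, 1, 10, 0, 0, 0, 0, time.UTC),
		time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC),
		latest,
	}
	for _, g := range CoverageGaps(exports, RetentionDays) {
		fmt.Printf("unpreserved span: %d days between %s and %s\n",
			g.Days, g.From.Format("2006-01-02"), g.To.Format("2006-01-02"))
	}
	fmt.Println("next export due by", NextExportDue(latest, RetentionDays).Format("2006-01-02"))
}
```

With the constructed history, the 92-day stretch between the March and June exports is flagged: anything logged in the first month of that stretch had expired before the June export ran. Scheduling the export at least every 60 days, and storing the files where they are retained for your required period, closes that gap.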

How do I configure HIPAA Compliance in my CRM account?

With more healthcare organizations using CRM to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information. In Zoho CRM, we provide ways for healthcare organizations to secure and restrict export of individuals' health information and stay compliant with the HIPAA guidelines. 

To configure HIPAA compliance
  1. Go to Setup > Users and Controls > Compliance Settings.
  2. Click the HIPAA Compliance tab.
  3. Toggle the Enable HIPAA Compliance Settings button.
    Select the modules from the dropdown list. You can select up to 10 modules.
  4. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.

To mark fields that contain personal health data
  1. Go to Setup > Customization > Modules and Fields.
  2. Select a module and click the More icon to select the desired layout.
    Alternatively, you can click the More icon and select Edit Layout.
  3. Go to the desired field and click the More icon.
  4. Click Edit Properties and check the Contains Personal Health Data box.
    Remember that this option will only appear if the module has been selected for HIPAA compliance.



Where can I get the Business Associate Agreement template?

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

What kind of encryption is added to the PHI fields?

Fields that contain personal health information of individuals can be encrypted to prevent unauthorized access. Once encrypted, the fields are protected with Encryption at Rest (EAR).

Encryption at Rest
Refers to data that is encrypted when it is stored (not moving) — either on a disk, in a database, or some other form of media. In addition to encryption of data during transit, encryption of data when it is stored on the servers provides an even higher level of security. EAR protects against any possible data leak due to server compromise or unauthorized access.

Encryption is done at the application layer using the AES-256 algorithm, a symmetric encryption algorithm that uses 128-bit blocks and 256-bit keys. The key used to convert the data from plain text to cipher text is called the Data Encryption Key (DEK). The DEK is further encrypted using the Key Encryption Key (KEK), thus providing yet another layer of security. The keys are generated and maintained by our in-house Key Management Service (KMS).

Limitations and trade-offs that apply to encrypted fields:
  1. Only full-text search is supported in global search. For instance, if the encrypted value is "Joseph Wells," the record does not show in the results of a search for "Joseph."
  2. Encrypted fields cannot be used in Advanced Filters.
  3. Encrypted fields cannot be found using Search by Criteria.
  4. Encrypted fields are not visible in the Sort option.
  5. Encrypted information is stored only in the crm.zoho.com domain. Use the encrypted information in other domains or third-party services at your own discretion.
  6. In the Forecasts module, encrypted fields cannot be used as Target Fields.
Note that field encryption is a separate feature and not part of HIPAA Compliance. PHI fields can be encrypted even without marking them as containing PHI (the marking, not the encryption, is mandatory for HIPAA compliance).
To help organizations be compliant with HIPAA regulations, Zoho CRM allows them to mark fields as containing personal health information. By doing so, they can restrict export of individuals' health information to third-party apps via integration or through API. Read more in the HIPAA Compliance with Zoho CRM help article.

What kind of restrictions can be set for the PHI fields under HIPAA Compliance?

A total of 25 fields in each module can be marked as personal health data containing fields. Once marked, there are certain restrictions that can be set to prevent unauthorized access to the sensitive values present in the fields.

Note
Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
The following restrictions can be set on the PHI fields:
  • Restrict data access through API: Other applications can connect with CRM using API, and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
  • Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
  • Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps. 
The following table provides the details of the various integrations and the implications when personal data is restricted. Certain fields are mandatory for an integration, such as Email for the Zoho Projects integration. If you mark Email as a personal field, the data will not be sent from CRM to Projects.

Integrations with Zoho Apps

| Integration        | Fields mandatory for the integration | What happens when personal health data is restricted?                                               |
|--------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------|
| Zoho Desk          | Last Name and Email                  | Data will not be pushed from Zoho CRM.                                                              |
| Zoho Projects      | Email                                | Client user will not be added through project creation or association.                              |
| Zoho Finance Suite | Last Name and Email                  | Data will not be pushed from Zoho CRM.                                                              |
| Zoho Campaigns     | Email                                | Data will not be pushed from Zoho CRM.                                                              |
| Zoho Recruit       | Email                                | Data will not be pushed from Zoho CRM.                                                              |
| Zoho Cliq          | NA                                   | Details other than those from the personal fields will be shared via Zoho Cliq.                     |
| Zoho Analytics     | NA                                   | If one of the previously synced fields is restricted, reports based on those fields will be deleted. |
| Zoho Writer        | NA                                   | NA                                                                                                  |
| Zoho Motivator     | NA                                   | NA                                                                                                  |
| Zoho Creator       | NA                                   | NA                                                                                                  |
| Zoho Mail          | NA                                   | NA                                                                                                  |
| Zoho Calendar      | NA                                   | NA                                                                                                  |
| Zoho Social        | NA                                   | NA                                                                                                  |
| Zoho Sales IQ      | NA                                   | NA                                                                                                  |
| Zoho Survey        | NA                                   | NA                                                                                                  |
  • Restrict data transfer to third-party apps: If your CRM account is integrated with third-party applications for business-related reasons, there is a chance of data flowing from CRM to these apps. This option will prevent personal health data from being transferred to those apps.
Integrations with Third-party Apps

| Integration                                  | Fields mandatory for the integration | What happens when personal health data is restricted?                                    |
|----------------------------------------------|--------------------------------------|------------------------------------------------------------------------------------------|
| Microsoft Office 365                         | First Name                           | As First Name cannot be marked as a personal field, the integration will work as usual.  |
| Microsoft Outlook                            | First Name                           | As First Name cannot be marked as a personal field, the integration will work as usual.  |
| Google Contacts                              | First Name                           | As First Name cannot be marked as a personal field, the integration will work as usual.  |
| Slack                                        | NA                                   | Details other than those from the personal fields will be shared via Slack.              |
| Android or iOS Speech Recognizer (Zia Voice) | NA                                   | Only the call to Zia action will be disabled; the chat with Zia option will work as usual. |
To set restrictions on PHI fields
  1. Go to Setup > Users and Controls > Compliance Settings.
  2. Click the HIPAA Compliance tab.
  3. Toggle the Enable HIPAA Compliance Settings button.
    Select the modules from the dropdown list. You can select up to 10 modules.
  4. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.
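The rules this FAQ states (which field types may be marked as PHI, the 10-module and 25-field limits, which egress channel each restriction toggle governs, and the integration-table rule that a PHI-marked mandatory field blocks the whole push) can be written down as a small policy model. The Go code below is an added example, not Zoho code: the product exposes these rules as toggles and checkboxes, not as an API, and the type names, the Settings struct and the sample module used in the test are this example's own assumptions.

```go
package main

import "fmt"

// FieldType: the FAQ excludes lookup, multi-select lookup and autonumber fields.
type FieldType int

const (
	Other FieldType = iota // any field type the FAQ does not exclude
	Lookup
	MultiSelectLookup
	AutoNumber
)

type Field struct {
	Name string
	Type FieldType
	PHI  bool // "Contains Personal Health Data" checked in Edit Properties
}

type Module struct {
	Name   string
	Fields []Field
}

// Settings mirrors the HIPAA Compliance tab: selected modules plus the toggles.
type Settings struct {
	Modules                                                           []Module
	RestrictAPI, RestrictExport, RestrictZohoApps, RestrictThirdParty bool
}

const MaxModules, MaxPHIFieldsPerModule = 10, 25 // limits stated in the FAQ

func Validate(s Settings) []string {
	var problems []string
	if len(s.Modules) > MaxModules {
		problems = append(problems, fmt.Sprintf("%d modules selected, limit is %d", len(s.Modules), MaxModules))
	}
	for _, m := range s.Modules {
		phi := 0
		for _, f := range m.Fields {
			if !f.PHI {
				continue
			}
			phi++
			if f.Type != Other {
				problems = append(problems, fmt.Sprintf("%s.%s: this field type cannot be marked as PHI", m.Name, f.Name))
			}
		}
		if phi > MaxPHIFieldsPerModule {
			problems = append(problems, fmt.Sprintf("%s: %d PHI fields, limit is %d", m.Name, phi, MaxPHIFieldsPerModule))
		}
	}
	return problems
}

// Channel is the path by which a record leaves CRM.
type Channel int

const (
	ChannelAPI Channel = iota
	ChannelExport
	ChannelZohoApp
	ChannelThirdParty
)

func (s Settings) restricted(ch Channel) bool {
	return map[Channel]bool{
		ChannelAPI: s.RestrictAPI, ChannelExport: s.RestrictExport,
		ChannelZohoApp: s.RestrictZohoApps, ChannelThirdParty: s.RestrictThirdParty,
	}[ch]
}

// Redact returns the record as it leaves CRM over ch: PHI fields are dropped
// when that channel is restricted, every other field passes through.
func Redact(s Settings, m Module, record map[string]string, ch Channel) map[string]string {
	out := make(map[string]string, len(record))
	for _, f := range m.Fields {
		if v, ok := record[f.Name]; ok && !(f.PHI && s.restricted(ch)) {
			out[f.Name] = v
		}
	}
	return out
}

// PushAllowed applies the rule behind the FAQ's integration tables: with the
// channel restricted, a mandatory field marked as PHI blocks the whole push.
func PushAllowed(s Settings, m Module, mandatory []string, ch Channel) bool {
	if !s.restricted(ch) {
		return true
	}
	for _, name := range mandatory {
		for _, f := range m.Fields {
			if f.Name == name && f.PHI {
				return false
			}
		}
	}
	return true
}
```

Two things the model makes visible that the toggles do not: a restriction only applies to its own channel (with API restricted but export not, an export still carries the PHI values), and an integration whose mandatory field is PHI loses the whole record, not just that field, so marking Email as PHI silently stops the Desk, Campaigns and Recruit syncs listed in the table.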


How does Zoho manage personal health information fields to comply with HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA), which includes the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act, requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.

Important
Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes.

Note
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

Zoho CRM provides features to help its customers use CRM within the bounds of HIPAA compliance. To allow healthcare organizations to comply with HIPAA, we allow admins to mark the fields that contain personal health information of individuals so that certain restrictions can be put in place to prevent unauthorized access to those sensitive details. For example, patient ID, surgical details, and ailments are an individual's personal health information, which should not be available to outsiders.

To mark fields that contain personal health data
  1. Go to Setup > Customization > Modules and Fields.
  2. Select a module and click the More icon to select the desired layout.
    Alternatively, you can click the More icon and select Edit Layout.
  3. Go to the desired field and click the More icon.
  4. Click Edit Properties and check the Contains Personal Health Data box.
    Remember that this option will only appear if the module has been selected for HIPAA compliance.

Once marked, there are certain restrictions which can be set to prevent unauthorized access to the sensitive values present in the fields.
  1. Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
  2. Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
  3. Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from the CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
  4. Restrict data transfer to third-party apps: If your CRM account is integrated with third-party applications for business-related reasons, there is a chance of data flowing from CRM to these apps. This option will prevent personal health data from being transferred to those apps. To check the data flow restrictions, refer to the table.
To set restrictions on PHI fields
  1. Go to Setup > Users and Controls > Compliance Settings.
  2. Click the HIPAA Compliance tab.
  3. Toggle the Enable HIPAA Compliance Settings button.
    Select the modules from the dropdown list. You can select up to 10 modules.
  4. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.


Does marking a field as PHI (Personal Health Information) automatically encrypt it?

No, marking a field as PHI only enables the system to identify that the values present in it contain personal health information of an individual.
As an additional layer of security, these fields can be encrypted separately. While this isn't mandatory, encrypting them is a recommended best practice. Find out more about field encryption.

The encrypted fields are protected with Encryption at Rest (EAR). Read more about encryption in Zoho's Encryption Whitepaper.

To encrypt/decrypt PHI fields
  1. Go to Setup > Customization > Modules and Fields > [Select the module].
  2. In the module layout editor, go to the field you wish to encrypt, click the Settings icon and select Edit Properties.
  3. In the Field Properties popup, select the Encrypt Field checkbox.
  4. Click Done.
  5. Save the layout.
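The DEK/KEK arrangement described in the encryption FAQ above, and the encryption step just described, can be shown in code. The Go program below is an added example and not Zoho's implementation: it seals each field value under its own Data Encryption Key with AES-256, wraps that DEK under a Key Encryption Key, rotates the KEK without touching the field ciphertext, and shows why only a whole-value match is possible on an encrypted field (the search limitation listed earlier). AES-GCM as the mode, the nonce-prefixed blob layout, and an in-process KEK (which in Zoho's description is held by its KMS) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedField is what the store keeps per encrypted PHI value: the Data
// Encryption Key (DEK) wrapped under the Key Encryption Key (KEK), and the
// value sealed under the DEK. Each blob carries its GCM nonce in front.
type EncryptedField struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// NewKey returns a random AES-256 key (32 bytes).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check fails on a wrong key or tampering.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// EncryptField: fresh DEK per value, value under the DEK, DEK under the KEK.
func EncryptField(kek []byte, value string) (EncryptedField, error) {
	dek, err := NewKey()
	if err != nil {
		return EncryptedField{}, err
	}
	ct, err := seal(dek, []byte(value))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := seal(kek, dek)
	return EncryptedField{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptField unwraps the DEK with the KEK, then opens the value.
func DecryptField(kek []byte, f EncryptedField) (string, error) {
	dek, err := open(kek, f.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, f.Ciphertext)
	return string(pt), err
}

// RewrapDEK rotates the KEK: only the small wrapped DEK is re-encrypted, the
// field ciphertext is untouched. That is the operational payoff of two layers.
func RewrapDEK(oldKEK, newKEK []byte, f EncryptedField) (EncryptedField, error) {
	dek, err := open(oldKEK, f.WrappedDEK)
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := seal(newKEK, dek)
	return EncryptedField{WrappedDEK: wrapped, Ciphertext: f.Ciphertext}, err
}

// ExactMatch compares the decrypted value with query as a whole. Ciphertext has
// no structure a substring search could use, hence the FAQ's search limitation.
func ExactMatch(kek []byte, f EncryptedField, query string) (bool, error) {
	v, err := DecryptField(kek, f)
	return err == nil && v == query, err
}
```

Calling EncryptField(kek, "Joseph Wells") and then ExactMatch with "Joseph Wells" returns true, while "Joseph" returns false: the only way to answer a query is to decrypt and compare the whole value, which is exactly why partial global search, filters, criteria search and sorting are unavailable on encrypted fields. RewrapDEK shows what the separate KEK buys operationally: the key held by the KMS can be rotated without re-encrypting every stored field.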
