FAQs on HIPAA

FAQs: HIPAA Compliance

How does Zoho CRM help organizations be HIPAA Complaint?

At Zoho CRM, we allow organizations to be compliant with the HIPAA guidelines by providing the following options:
 
  1. Select modules that contain personal health data: All modules that contain protected health information must be selected. Both standard and custom modules can be selected. A total of 10 modules can be selected.
  2. Mark fields as containing personal health information: In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
    Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
  3. Set restrictions for the data marked as PHI: There are four options for restricting personal data from being accessed outside Zoho CRM. Any of these options can be enabled depending on the org's requirements:
    1. Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
    2. Restrict data export: While exporting data from the CRM account you may want to withhold personal health information from being exported by checking this option.
    3. Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, Projects etc. the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions refer to the table.
    4. Restrict data transfer to third party apps: If your CRM account is integrated with third party applications for business related reasons there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
  4. Encrypt PHI fields: Fields that contain personal health information can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho CRM, we strongly recommend you enable encryption as it is the best practice to prevent unauthorized access to confidential data.
Read more to configure encryption and understand its limitations. Also, refer to the Zoho Encryption whitepaper to understand the encryption process and key management in detail.

Where do I find the option to mark fields as personal health information?

In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
To mark fields that contain personal health data
  1. Go to Setup > Customization > Modules and Fields.
  2. Select a module and click the More icon to select the desired layout.
    Alternately, you can click the More icon and select Edit Layout.
  3. Go to the desired field and click the More icon.
  4. Click Edit Properties and check the Contains Personal Health Data box.
    Remember that this option will only appear if the module has been selected for HIPAA compliance.

Where can I see the personal health data records in CRM?

All the fields that are marked as containing personal health data will be listed in the record detail page. Under Data Privacy, in the Personal Data section, you can click the Health tab to view the fields that have personal health data.



Does Zoho provide audit log as part of HIPAA compliance?

As a covered entity it is your responsibility and best practice to export logs periodically and preserve them for the required period. To facilitate this we allow you to export data as and when required using the  Export Audit Log option. In Zoho CRM audit log is available for 60 days by default.

Watch this video on how to export audit log:


To export audit log entries
  1. Log in to Zoho CRM with Administrator privilege.
  2. Go to Setup > Security Control > Audit Log.
  3. In the Audit Log page, click Export Audit Log.
    The entries will be exported in a .csv format.
In case you require data beyond 60 days you can reach out to support@zohocrm.com

How do I configure HIPAA Compliance in my CRM account?

With more healthcare organizations using CRM to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information. In Zoho CRM, we provide ways for healthcare organizations to secure and restrict export of individuals' health information and stay compliant with the HIPAA guidelines. 

To configure HIPAA compliance
  1. Go to Setup > Security Control > Compliance Settings.
  2. Click the HIPAA Compliance tab.
  3. Toggle the Enable HIPAA Compliance Settings button.
    Select the modules from the dropdown list. You can select up to 10 modules.
  4. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.

To mark fields that contain personal health data
  1. Go to Setup > Customization > Modules and Fields.
  2. Select a module and click the More icon to select the desired layout.
    Alternatively, you can click the More icon and select Edit Layout.
  3. Go to the desired field and click the More icon.
  4. Click Edit Properties and check the Contains Personal Health Data box.
    Remember that this option will only appear if the module has been selected for HIPAA compliance.



Where can I get the Business Associate Agreement template?

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

What kind of encryption is added to the PHI fields?

Fields that contain personal health information of individuals can be encrypted to prevent unauthorized access. Once encrypted, the fields are added with EAR.

Encryption at Rest
Refers to data that is encrypted when it is stored (not moving) — either on a disc, in a database, or some other form of media. In addition to encryption of data during transit, encryption of data when it is stored in the servers provides an even higher level of security. EAR protects against any possible data leak due to server compromise or unauthorized access.

Encryption is done at the application layer using the AES-256 algorithm , which is a symmetric encryption algorithm that uses 128-bit blocks and 256-bit keys. The key used to convert the data from plain text to cipher text is called Data Encryption Key   (DEK). The DEK is further encrypted using the KEK (Key Encryption Key), thus, providing yet another layer of security. The keys are generated and maintained by our in-house Key Management Service (KMS). Read more

Limitations and Trade-offs applied to the encrypted fields:
  1. The encrypted fields undergo certain limitations.
  2. Only full-text search is supported in global search. For instance, if the encrypted data is "Joseph Wells," the encrypted field record does not show in the results of a search for "Joseph."
  3. Encrypted fields cannot be used in Advanced Filters
  4. Encrypted fields cannot be found using Search by Criteria
  5. Encrypted fields are not visible in the Sort option.
  6. Encrypted information is only stored in the crm.zoho.com domain. Use the encrypted information in other domains or third-party services at your own discretion.
  7. In the Forecasts module, encrypted fields cannot be used as Target Fields.
Note that field encryption is a separate entity and not part of HIPAA Compliance. PHI fields can be encrypted even without marking them as containing PHI (mandatory for HIPAA compliance).
To help organizations be compliant with HIPAA regulations, Zoho CRM allows them to mark fields as containing personal health information. By doing so , they can restrict export of individuals' health information to third-party apps via integration or through API. Read more about HIPAA Compliance here.

What kind of restrictions can be set for the PHI fields under HIPAA Compliance?

A total of 25 fields in each module can be marked as personal health data containing fields. Once marked, there are certain restrictions that can be set to prevent unauthorized access to the sensitive values present in the fields.

Note
Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
The following restrictions can be set on the PHI fields:
  • Restrict data access through API: Other applications can connect with CRM using API, and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
  • Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
  • Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps. 
The following table will provide you with the details of the various integrations and the implications when personal data is restricted. There are certain fields that are mandatory for integration, such as Email for the Zoho Project integration. If you mark email as a personal field, the data will not be sent from CRM to Projects. 

Integrations with Zoho Apps


Integrations with Zoho Apps
Fields mandatory for the integration
What happens when personal health data is restricted?
Zoho Desk
Last Name and Email
Data will not be pushed from Zoho CRM.
Zoho Projects
Email
Client user will not be added through project creation or association.
Zoho Finance Suite
Last Name and Email
Data will not be pushed from Zoho CRM.
Zoho Campaigns
Email
Data will not be pushed from Zoho CRM.
Zoho Recruit
Email
Data will not be pushed from Zoho CRM.
Zoho Cliq
NA
Details other than those from the personal fields will be shared via Zoho Cliq.
Zoho Analytics
NA
If one of the previously synced field is restricted, then reports based on those fields will be deleted.
Zoho Writer
NA
NA
Zoho Motivator
NA
NA
Zoho Creator
NA
NA
Zoho Mail
NA
NA
Zoho Calendar
NA
NA
Zoho Social
NA
NA
Zoho Sales IQ
NA
NA
Zoho Survey
NA
NA
  • Restrict data transfer to third party appsIf your CRM account is integrated with third-party applications for business related reasons, there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps.
Integrations with Third-party Apps
Integrations with Other Apps
Fields mandatory for the integration
What happens when personal health data is restricted?
Microsoft Office 365
First Name
As First Name cannot be marked as a personal field, the integration will work as usual.
Microsoft Outlook
First Name
As First Name cannot be marked as a personal field, the integration will work as usual.
Google Contacts
First Name
As First Name cannot be marked as a personal field, the integration will work as usual.
Slack
NA
Details other than those from the personal fields will be shared via Slack.
Android or iOS Speech Recognizer (Zia Voice)
NA
Only call to Zia action will be disabled; the chat with Zia option will work as usual.
To set restrictions on PHI fields
  1. Go to Setup > Security Control > Compliance Settings.
  2. Click the HIPAA Compliance tab.
  3. Toggle the Enable HIPAA Compliance Settings button.
  4. Select the modules from the dropdown list.
  5. You can select up to 10 modules.
  6. In Personal Health Data Handling, toggle Restrict Data access through APIRestrict Data in Export, or both, as required.


How does Zoho manage personal health information fields to comply with HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA), which includes the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.

Important
Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes.

Note
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

Zoho CRM provides features to help its customers use CRM within the premises of HIPAA compliance. To allow health organizations to comply with HIPAA we allow admins to mark the fields that contain personal health information of individuals so that certain restrictions can be put into place to prevent unauthorized access to those sensitive details. For example, patient ID, surgical details, and ailments are an individual's personal health information, which should not be available to outsiders.

To mark fields that contain personal health data
  1. Go to Setup > Customization > Modules and Fields.
  2. Select a module and click the More icon to select the desired layout.
    Alternately, you can click the More icon and select Edit Layout.
  3. Go to the desired field and click the More icon.
  4. Click Edit Properties and check the Contains Personal Health Data box.
  5. Remember that this option will only appear if the module has been selected for HIPAA compliance.
     
Once marked, there are certain restrictions which can be set to prevent unauthorized access to the sensitive values present in the fields.
  1. Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
  2. Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
  3. Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from the CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
  4. Restrict data transfer to third party apps: If your CRM account is integrated with third-party applications for business-related reasons, there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table
To set restrictions on PHI fields
  1. Go to Setup > Security Controls > Compliance Settings.
  2. Click the HIPAA Compliance tab.
  3. Toggle the Enable HIPAA Compliance Settings button.
    Select the modules from the dropdown list. You can select up to 10 modules.
  4. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.


Does marking a field as PHI (Personal Health Information) automatically encrypt it?

No, marking a field as PHI only enables the system to identify that the values present in it contain personal health information of an individual.
As an additional layer of security, these fields can be encrypted separately. While this isn't mandatory, as a best practice, it's essential to encrypt. Find out more about field encryption.

The encrypted fields are added with Encryption at Rest (EAR) Read more about encryption in Zoho's Encryption Whitepaper. 

To encrypt/decrypt PHI fields
  1. Go to Setup > Customization > Modules and Fields > [Select the module] .
  2. In the module layout editor, go to the field you wish to encrypt, click the Settings icon and select Edit Properties.

  3. In the Field Properties popup, select the Encrypt Field checkbox.

  4. Click Done.
  5. Save the layout.

    Access your files securely from anywhere

      Zoho CRM Training Programs

      Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.

      Zoho CRM Training
        Redefine the way you work
        with Zoho Workplace

          Zoho DataPrep Personalized Demo

          If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.

          Zoho CRM Training

            Create, share, and deliver

            beautiful slides from anywhere.

            Get Started Now


              Zoho Sign now offers specialized one-on-one training for both administrators and developers.

              BOOK A SESSION





                          Quick Links Workflow Automation Data Collection
                          Web Forms Enterprise Begin Data Collection
                          Interactive Forms Workplace Data Collection App
                          CRM Forms Customer Service Accessible Forms
                          Digital Forms Marketing Forms for Small Business
                          HTML Forms Education Forms for Enterprise
                          Contact Forms E-commerce Forms for any business
                          Lead Generation Forms Healthcare Forms for Startups
                          Wordpress Forms Customer onboarding Order Forms for Small Business
                          No Code Forms Construction RSVP tool for holidays
                          Free Forms Travel
                          Prefill Forms Non-Profit

                          Intake Forms Legal
                          Mobile App
                          Form Designer HR
                          Mobile Forms
                          Card Forms Food Offline Forms
                          Assign Forms Photography
                          Mobile Forms Features
                          Translate Forms Real Estate Kiosk in Mobile Forms
                          Electronic Forms

                          Notification Emails for Forms Alternatives Security & Compliance
                          Holiday Forms Google Forms alternative  GDPR
                          Form to PDF Jotform alternative HIPAA Forms
                          Email Forms
                          Encrypted Forms
                          Embeddable Forms
                          Secure Forms
                          Drag and Drop form builder
                          WCAG


                                            You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.




                                                Manage your brands on social media

                                                  Zoho Desk Resources

                                                  • Desk Community Learning Series


                                                  • Digest


                                                  • Functions


                                                  • Meetups


                                                  • Kbase


                                                  • Resources


                                                  • Glossary


                                                  • Desk Marketplace


                                                  • MVP Corner


                                                  • Word of the Day


                                                    Zoho Marketing Automation

                                                      Zoho Sheet Resources

                                                       

                                                          Zoho Forms Resources


                                                            Secure your business
                                                            communication with Zoho Mail


                                                            Mail on the move with
                                                            Zoho Mail mobile application

                                                              Stay on top of your schedule
                                                              at all times


                                                              Carry your calendar with you
                                                              Anytime, anywhere




                                                                    Zoho Sign Resources

                                                                      Sign, Paperless!

                                                                      Sign and send business documents on the go!

                                                                      Get Started Now




                                                                              Zoho TeamInbox Resources



                                                                                      Zoho DataPrep Resources



                                                                                        Zoho DataPrep Demo

                                                                                        Get a personalized demo or POC

                                                                                        REGISTER NOW


                                                                                          Design. Discuss. Deliver.

                                                                                          Create visually engaging stories with Zoho Show.

                                                                                          Get Started Now









                                                                                                              • Related Articles

                                                                                                              • HIPAA Compliance with Zoho CRM

                                                                                                                The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires Covered Entities and Business ...
                                                                                                              • FAQs: Team Module

                                                                                                                CRM for Everyone is in the Restricted Early Access mode and is available only to a select set of users upon request. Request access to gain hands-on experience with this new version. Why is there a need of CRM for Everyone? Providing a smooth ...
                                                                                                              • FAQs: Team Users and Licensing

                                                                                                                CRM for Everyone is in the Restricted Early Access mode and is available only to a select set of users upon request. Request access to gain hands-on experience with this new version. What is a Team User? A team user in Zoho CRM is a specialized type ...
                                                                                                              • FAQs: Deals

                                                                                                                Why am I not able to enter the Expected Revenue for deals? The Expected Revenue is automatically calculated based on the Stage and Amount details that you specify for leads, accounts, deals, or any other module. Hence, you cannot enter that value in ...
                                                                                                              • FAQs: SalesInbox

                                                                                                                What is SalesInbox? SalesInbox in Zoho CRM is a feature specifically designed to prioritize and organize emails based on the CRM data that is most relevant to salespeople. It automatically sorts incoming emails into relevant CRM categories, such as ...
                                                                                                                Wherever you are is as good as
                                                                                                                your workplace

                                                                                                                  Resources

                                                                                                                  Videos

                                                                                                                  Watch comprehensive videos on features and other important topics that will help you master Zoho CRM.



                                                                                                                  eBooks

                                                                                                                  Download free eBooks and access a range of topics to get deeper insight on successfully using Zoho CRM.



                                                                                                                  Webinars

                                                                                                                  Sign up for our webinars and learn the Zoho CRM basics, from customization to sales force automation and more.



                                                                                                                  CRM Tips

                                                                                                                  Make the most of Zoho CRM with these useful tips.



                                                                                                                    Zoho Show Resources