How does Zoho CRM help organizations be HIPAA Complaint?

1. Select modules that contain personal health data: All modules that contain protected health information must be selected. Both standard and custom modules can be selected. A total of 10 modules can be selected.
2. Mark fields as containing personal health information: In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
   Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
3. Set restrictions for the data marked as PHI: There are four options for restricting personal data from being accessed outside Zoho CRM. Any of these options can be enabled depending on the org's requirements:
1. Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
2. Restrict data export: While exporting data from the CRM account you may want to withhold personal health information from being exported by checking this option.
3. Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, Projects etc. the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions refer to the table.
4. Restrict data transfer to third party apps: If your CRM account is integrated with third party applications for business related reasons there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
4. Encrypt PHI fields: Fields that contain personal health information can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho CRM, we strongly recommend you enable encryption as it is the best practice to prevent unauthorized access to confidential data.

Read more to configure encryption and understand its limitations. Also, refer to the Zoho Encryption whitepaper to understand the encryption process and key management in detail.

---

Where do I find the option to mark fields as personal health information?

In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.

Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.

To mark fields that contain personal health data

1. Go to Setup > Customization > Modules and Fields.
2. Select a module and click the More icon to select the desired layout.
   Alternately, you can click the More icon and select Edit Layout.
3. Go to the desired field and click the More icon.
4. Click Edit Properties and check the Contains Personal Health Data box.
   Remember that this option will only appear if the module has been selected for HIPAA compliance.

---

Where can I see the personal health data records in CRM?

All the fields that are marked as containing personal health data will be listed in the record detail page. Under Data Privacy, in the Personal Data section, you can click the Health tab to view the fields that have personal health data.

---

Does Zoho provide audit log as part of HIPAA compliance?

As a covered entity it is your responsibility and best practice to export logs periodically and preserve them for the required period. To facilitate this we allow you to export data as and when required using the  Export Audit Log option. In Zoho CRM audit log is available for 60 days by default.

To export audit log entries

1. Log in to Zoho CRM with Administrator privilege.
   
2. Go to Setup > Security Control > Audit Log.
   
3. In the Audit Log page, click Export Audit Log.
   The entries will be exported in a .csv format.

In case you require data beyond 60 days you can reach out to support@zohocrm.com. 

---

How do I configure HIPAA Compliance in my CRM account?

With more healthcare organizations using CRM to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information. In Zoho CRM, we provide ways for healthcare organizations to secure and restrict export of individuals' health information and stay compliant with the HIPAA guidelines. 

1. Go to Setup > Security Control > Compliance Settings.
   
2. Click the HIPAA Compliance tab.
   
3. Toggle the Enable HIPAA Compliance Settings button.
   Select the modules from the dropdown list. You can select up to 10 modules.
4. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.
   
   

1. Go to Setup > Customization > Modules and Fields.
   
2. Select a module and click the More icon to select the desired layout.
   Alternatively, you can click the More icon and select Edit Layout.
3. Go to the desired field and click the More icon.
   
4. Click Edit Properties and check the Contains Personal Health Data box.
   Remember that this option will only appear if the module has been selected for HIPAA compliance.
   
   

1. The encrypted fields undergo certain limitations.
   
2. Only full-text search is supported in global search. For instance, if the encrypted data is "Joseph Wells," the encrypted field record does not show in the results of a search for "Joseph."
   
3. Encrypted fields cannot be used in Advanced Filters
   
4. Encrypted fields cannot be found using Search by Criteria
   
5. Encrypted fields are not visible in the Sort option.
   
6. Encrypted information is only stored in the crm.zoho.com domain. Use the encrypted information in other domains or third-party services at your own discretion.
   
7. In the Forecasts module, encrypted fields cannot be used as Target Fields.

Note that field encryption is a separate entity and not part of HIPAA Compliance. PHI fields can be encrypted even without marking them as containing PHI (mandatory for HIPAA compliance).

What kind of restrictions can be set for the PHI fields under HIPAA Compliance?

A total of 25 fields in each module can be marked as personal health data containing fields. Once marked, there are certain restrictions that can be set to prevent unauthorized access to the sensitive values present in the fields.

Note

Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.

The following restrictions can be set on the PHI fields:

• Restrict data access through API: Other applications can connect with CRM using API, and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
• Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
  
• Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps. 
  

The following table will provide you with the details of the various integrations and the implications when personal data is restricted. There are certain fields that are mandatory for integration, such as Email for the Zoho Project integration. If you mark email as a personal field, the data will not be sent from CRM to Projects. 

Integrations with Zoho Apps

Integrations with Zoho Apps	Fields mandatory for the integration	What happens when personal health data is restricted?
Zoho Desk	Last Name and Email	Data will not be pushed from Zoho CRM.
Zoho Projects	Email	Client user will not be added through project creation or association.
Zoho Finance Suite	Last Name and Email	Data will not be pushed from Zoho CRM.
Zoho Campaigns	Email	Data will not be pushed from Zoho CRM.
Zoho Recruit	Email	Data will not be pushed from Zoho CRM.
Zoho Cliq	NA	Details other than those from the personal fields will be shared via Zoho Cliq.
Zoho Analytics	NA	If one of the previously synced field is restricted, then reports based on those fields will be deleted.
Zoho Writer	NA	NA
Zoho Motivator	NA	NA
Zoho Creator	NA	NA
Zoho Mail	NA	NA
Zoho Calendar	NA	NA
Zoho Social	NA	NA
Zoho Sales IQ	NA	NA
Zoho Survey	NA	NA

• Restrict data transfer to third party apps: If your CRM account is integrated with third-party applications for business related reasons, there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps.
  

Integrations with Third-party Apps

Integrations with Other Apps	Fields mandatory for the integration	What happens when personal health data is restricted?
Microsoft Office 365	First Name	As First Name cannot be marked as a personal field, the integration will work as usual.
Microsoft Outlook	First Name	As First Name cannot be marked as a personal field, the integration will work as usual.
Google Contacts	First Name	As First Name cannot be marked as a personal field, the integration will work as usual.
Slack	NA	Details other than those from the personal fields will be shared via Slack.
Android or iOS Speech Recognizer (Zia Voice)	NA	Only call to Zia action will be disabled; the chat with Zia option will work as usual.

To set restrictions on PHI fields

1. Go to Setup > Security Control > Compliance Settings.
2. Click the HIPAA Compliance tab.
3. Toggle the Enable HIPAA Compliance Settings button.
4. Select the modules from the dropdown list.
5. You can select up to 10 modules.
6. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.
   

How does Zoho manage personal health information fields to comply with HIPAA?

Important

Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes.

Note

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

Zoho CRM provides features to help its customers use CRM within the premises of HIPAA compliance. To allow health organizations to comply with HIPAA we allow admins to mark the fields that contain personal health information of individuals so that certain restrictions can be put into place to prevent unauthorized access to those sensitive details. For example, patient ID, surgical details, and ailments are an individual's personal health information, which should not be available to outsiders.

1. Go to Setup > Customization > Modules and Fields.
   
2. Select a module and click the More icon to select the desired layout.
   Alternately, you can click the More icon and select Edit Layout.
3. Go to the desired field and click the More icon.
   
4. Click Edit Properties and check the Contains Personal Health Data box.
   
5. Remember that this option will only appear if the module has been selected for HIPAA compliance.
    

1. Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
   
2. Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
   
3. Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from the CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
   
4. Restrict data transfer to third party apps: If your CRM account is integrated with third-party applications for business-related reasons, there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table
   

1. Go to Setup > Security Controls > Compliance Settings.
   
2. Click the HIPAA Compliance tab.
   
3. Toggle the Enable HIPAA Compliance Settings button.
   Select the modules from the dropdown list. You can select up to 10 modules.
4. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.
   
   

Does marking a field as PHI (Personal Health Information) automatically encrypt it?

1. Go to Setup > Customization > Modules and Fields > [Select the module] .
   
2. In the module layout editor, go to the field you wish to encrypt, click the Settings icon and select Edit Properties.
   
   
3. In the Field Properties popup, select the Encrypt Field checkbox.
   
   
4. Click Done.
   
5. Save the layout.