HIPAA Compliance with Zoho CRM | Zoho CRM - Help

HIPAA Compliance with Zoho CRM

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho CRM provides features to help its customers use CRM within the premises of HIPAA compliance. 

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com

HIPAA compliance in Zoho CRM

As more healthcare organizations have started to use CRM to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information.

In Zoho CRM, we provide ways for healthcare organizations to secure and restrict export of individuals' health information and stay compliant with the HIPAA guidelines. 

The CRM admins can achieve this by performing the following steps:
  1. Selecting the "health" module: All modules that contain protected health information must be selected. Both standard and custom modules can be selected. A total of 10 modules can be selected.
  2. Marking fields that contain PHI: In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
    Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data. 
  3. Setting restrictions for the data marked as PHI: There are four options for restricting personal data from being accessed outside Zoho CRM. Any of these options can be enabled depending on the org's requirements:
    1. Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
    2. Restrict data export: While exporting data from the CRM account you may want to withhold personal health information from being exported by checking this option.
    3. Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, Projects etc. the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions refer to the table.
    4. Restrict data transfer to third party apps: If your CRM account is integrated with third party applications for business related reasons there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions refer to the table.
  4. Encrypting PHI fields: Fields that contain personal health information can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho CRM, we strongly recommend you enable encryption as it is the best practice to prevent unauthorized access to confidential data.
Read more to configure encryption and understand its limitations. Also, refer to the Zoho Encryption whitepaper to understand the encryption process and key management in detail.

To configure HIPAA compliance
  1. Go to Setup > Users and Controls > Compliance Settings.
  2. Click the HIPAA Compliance tab.
  3. Toggle the Enable HIPAA Compliance Settings button.
  4. Select the modules from the dropdown list.
  5. You can select up to 10 modules.
  6. In Personal Health Data Handling, toggle Restrict Data access through API and/or Restrict Data in Export, as required.
To mark fields that contain personal health data
  1. Go to Setup > Customization > Modules and Fields.
  2. Select a module and click the More icon to select the desired layout.
    Alternately, you can click the More icon and select Edit Layout
  3. Go to the desired field and click the More icon.
  4. Click Edit Properties and check the Contains Personal Health Data box.
    Remember that this option will only appear if the module has been selected for HIPAA compliance. 

Retrieving the audit log

As a covered entity it is your responsibility and best practice to export logs periodically and preserve them for the required period. To facilitate this we allow you to export data as and when required using the Export Audit Log option. In Zoho CRM audit log is available for 60 days by default. In case you require data beyond 60 days you can reach out to support@zohocrm.com

Disabling HIPAA compliance

Once HIPAA compliance is disabled, the fields that have been marked as personal health data will be unmarked. The admin can mark the fields again when they re-enable the HIPAA compliance.

Viewing personal data of the records

All the fields that are marked as containing personal health data will be listed in the record detail page. Under Data Privacy, in the Personal Data section, you can click the Health tab to view the fields that have personal health data.
Kindly note that the content presented here is not to be construed as legal advice. Please contact your legal advisor to learn how HIPAA impacts your organization and what you need to do to comply with the HIPAA.
  1. Role based security
  2. Data security
  3. ISO and SOC 2 certificates 

    Zoho DataPrep Personalized Demo

    If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.

    Zoho CRM Training

      Create, share, and deliver

      beautiful slides from anywhere.

      Get Started Now

              Zoho CRM Training Programs

              Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.

              Zoho CRM Training

                  Zoho TeamInbox Resources

                            Zoho DataPrep Resources

                              Zoho DataPrep Demo

                              Get a personalized demo or POC

                              REGISTER NOW

                                Design. Discuss. Deliver.

                                Create visually engaging stories with Zoho Show.

                                Get Started Now

                                                      • Related Articles

                                                      • Zoho Contracts for Zoho CRM

                                                        The Zoho Contracts extension for Zoho CRM lets you work on contracts and contract templates from within Zoho CRM. It helps contract administrators, legal users, and other customers streamline the process of creating and maintaining contracts. Users ...
                                                      • HubSpot for Zoho CRM

                                                        With the HubSpot extension for Zoho CRM, you can view existing contacts from HubSpot in Zoho CRM. You can also add contacts and leads to HubSpot from Zoho CRM. This integration makes it easier to synchronize contacts (and leads) between HubSpot and ...
                                                      • GDPR and Zoho CRM - An Introduction

                                                        On this page, we'll be taking a look at what the new rules in GDPR are and how Zoho CRM can help you comply with them. We'll also help you understand how to protect your customers’ data. General Data Protection Regulation (GDPR) is a new set of rules ...
                                                      • Zoho Directory integration with CRM

                                                        Integrating CRM with Zoho Directory gives the CRM administrators a stronger hold on the organization's CRM account by enforcing password security, IP restrictions, and other policies. Read more about Zoho Directory here. Benefits of integrating CRM ...
                                                      • WeChat Pay for Zoho CRM

                                                        Installing the extension You can install the extension either from Zoho Marketplace or from the Zoho CRM. To install the extension: Navigate to Setup > Marketplace > All. Click All Extensions, then browse for and click WeChat Pay. Click Install Now. ...



                                                      Watch comprehensive videos on features and other important topics that will help you master Zoho CRM.


                                                      Download free eBooks and access a range of topics to get deeper insight on successfully using Zoho CRM.


                                                      Sign up for our webinars and learn the Zoho CRM basics, from customization to sales force automation and more.

                                                      CRM Tips

                                                      Make the most of Zoho CRM with these useful tips.

                                                        Zoho Show Resources