The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires Covered Entities and Business Associates
to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho CRM provides features to help its customers use CRM within the premises of HIPAA compliance.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to email@example.com
HIPAA compliance in Zoho CRM
As more healthcare organizations have started to use CRM to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information.
In Zoho CRM, we provide ways for healthcare organizations to secure and restrict export of individuals' health information and stay compliant with the HIPAA guidelines.
The CRM admins can achieve this by performing the following steps:
- Selecting the "health" module: All modules that contain protected health information must be selected. Both standard and custom modules can be selected. A total of 10 modules can be selected.
- Marking fields that contain PHI: In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
- Setting restrictions for the data marked as PHI: There are four options for restricting personal data from being accessed outside Zoho CRM. Any of these options can be enabled depending on the org's requirements:
- Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
- Restrict data export: While exporting data from the CRM account you may want to withhold personal health information from being exported by checking this option.
- Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, Projects etc. the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions refer to the table.
- Restrict data transfer to third party apps: If your CRM account is integrated with third party applications for business related reasons there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions refer to the table.
- Encrypting PHI fields: Fields that contain personal health information can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho CRM, we strongly recommend you enable encryption as it is the best practice to prevent unauthorized access to confidential data.
Users with the Manage Compliance Settings permission in their profile can manage HIPAA compliance for different modules.
To configure HIPAA compliance
- Go to Setup > Users and Controls > Compliance Settings.
- Click the HIPAA Compliance tab.
- Toggle the Enable HIPAA Compliance Settings button.
- Select the modules from the dropdown list.
- You can select up to 10 modules.
- In Personal Health Data Handling, toggle Restrict Data access through API and/or Restrict Data in Export, as required.
To mark fields that contain personal health data
- Go to Setup > Customization > Modules and Fields.
- Select a module and click the More icon to select the desired layout.
Alternately, you can click the More icon and select Edit Layout.
- Go to the desired field and click the More icon.
Click Edit Properties and check the Contains Personal Health Data box.
Remember that this option will only appear if the module has been selected for HIPAA compliance.
Retrieving the audit log
We allow users with permission, to export data as and when required using the Export Audit Log option. In Zoho CRM audit log is available for 60 days by default. If you want to preserve it for a long period, you can periodically export it using the Export Audit Log option. In case you require data beyond 60 days you can reach out to firstname.lastname@example.org.
Disabling HIPAA compliance
Once HIPAA compliance is disabled, the fields that have been marked as personal health data will be unmarked. The admin can mark the fields again when they re-enable the HIPAA compliance.
Viewing personal data of the records
All the fields that are marked as containing personal health data will be listed in the record detail page. Under Data Privacy, in the Personal Data section, you can click the Health tab to view the fields that have personal health data.