Zoho DataPrep with HIPAA Compliance
The Health Insurance Portability and Accountability Act, HIPAA (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.
Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho DataPrep provides certain features (as described below) to help its customers use DataPrep in a HIPAA compliant manner.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
Zoho DataPrep is SOC2+HIPAA Type 2 compliant. Zoho DataPrep provides the following features to help its customers use DataPrep in a HIPAA compliant manner.
Mark PII and ePHI data
Zoho DataPrep helps you mark a column that contains ePHI (electronic protected health information) data using the Mark PII and ePHI data transform. This also helps users apply relevant controls, such as access control, and security measures, such as masking and tokenization during export, to the columns marked as ePHI data.
Roles and sharing permissions
Zoho DataPrep has roles for users based on their entity permissions. In other words, the user roles in DataPrep are based on the user's access to each entity, such as workspaces and datasets. The following are the available user roles in DataPrep:
- Account admin
- Organization admin
- 'Workspace admin' role for Workspace
- 'Data consumer' role for Workspace
- 'Editor' role for dataset
- 'Data consumer' role for dataset
DataPrep allows you to share entities and collaborate with the end users in your organization without sharing PII data and ePHI data using the Data consumer (without PII and ePHI data) role to secure your personal data.
Encryption
ePHI data encryption is advised to prevent anyone from breaching the security and accessing or tampering with the ePHI data. In Zoho DataPrep, all user data including ePHI data is encrypted at rest and in transit by default.
Audit
Zoho DataPrep provides audit logs for the access and activity details of all data, including ePHI data, in your DataPrep organization using the Audit option.
Access Audit - This option monitors all the users who access entities in your organization.
Activity Audit - This option monitors all the user activities in your organization.
Note: Only the admin can access the Audit Logs.
Audit trail retention
Zoho DataPrep allows users to export the activity and access audit logs for the last two years. The Admin can use the export option and download the audit trail logs of the previous 2 years using the link that will be sent to the registered email ID.
Note: The audit logs can be exported from the time the access or activity audit is enabled and not from the time when the organization was created.
Access controls of ePHI data
Users can manage how health-related private data is processed to comply with HIPAA regulations in the Compliance Settings.

Note: The Compliance settings are accessible only to the Account admin in the organization.
Zoho DataPrep provides the following features to manage and control access to ePHI data:
- Restrict ePHI data transfer to Zoho Apps: Using this option, you can exclude ePHI columns from being exported to other Zoho Apps.
- Restrict ePHI data transfer to Third-party Apps: Using this option, you can exclude ePHI data columns from being exported to Third-party Apps.
- Secure ePHI columns before export: This option allows you to require the users in your organization to secure ePHI data before exporting.
- Export ePHI data with password protection: This option helps you restrict users from exporting datasets containing ePHI columns without password protection.
Learn more about other protection methods in DataPrep.
How to enable HIPAA compliant features?
1. Click the Enable HIPAA Compliance toggle to submit a request to sign the BAA and enable HIPAA compliant features.
2. The enable request is sent to our support team via email.
3. Once our support team is done with the background verification of the BAA, the HIPAA compliant features will be enabled for your organization.
Note: You can also disable HIPAA features using the Enable HIPAA Compliance toggle. Once our support team validates your request, HIPAA features will be disabled.
Modification of Terms of Use
Zoho reserves the right to modify the Terms. Modifications to the Terms are effective upon your use of Zoho DataPrep subsequent to publication of such modification.
Disclaimer: The content presented here is not to be construed as legal advice. This is a guideline on how Zoho DataPrep provides control to the organizations to be HIPAA compliant. Please contact your legal advisor to know how HIPAA is applicable and how it impacts your organization and the processes involved to be HIPAA compliant.