HIPAA Compliance | Zoho Forms - User Guide

HIPAA Compliance

Table of Contents
  1. HIPAA Compliance in Zoho Forms
  2. Marking fields as ePHI
  3. Restrictions on data marked as ePHI
  4. Monitoring audit logs
  5. Exporting audit logs
The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho Forms does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. However, Zoho Forms provides certain features (described below) to help customers use forms in a HIPAA compliant manner.

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

HIPAA Compliance in Zoho Forms

In Zoho Forms, we provide healthcare organizations with ways to ensure the confidentiality of Electronic Protected Health Information (ePHI) submitted by respondents. Zoho Forms provides the following features to help you build forms in a HIPAA compliant manner:

  • Marking fields as ePHI to distinguish the data
  • Restrictions on the data marked as ePHI
  • Monitoring audit logs of activities performed on records

To configure HIPAA compliance related settings in Zoho Forms at the organization level,

  1. Click Control Panel in the left pane.
  2. Click HIPAA - Organization Control under Data Administration.
  3. Click Activate HIPAA.

Note: Only the Super Admin of your Zoho Forms Org can configure HIPAA compliance related settings at the organization level.

Once HIPAA settings are activated at the org level, you can configure HIPAA Compliance settings for individual forms.

To enable HIPAA Compliance related features for a form,
  1. In your form builder, navigate to Settings > Compliance & Audit > HIPAA.
  2. Enable HIPAA-compliant security protection in the form by selecting Yes. This will allow you to mark form fields as ePHI.
  3. If you wish to allow the transfer of data from the fields marked as ePHI to external sources, select Allow ePHI data to be transmitted to external apps/sources. You will still be warned before the data is transferred to any external source.

Marking fields as ePHI

Form fields that are used to collect confidential health information of respondents, such as medication details, diagnosis reports, or the surgical history of patients, can be marked as ePHI (Electronic Protected Health Information) to add an additional layer of security. Data in fields marked as ePHI is encrypted by default. This helps the system identify and restrict access to the data collected through these fields and prevent the export of such data.

To mark a field as ePHI,
  1. In your form builder, go to the Properties of a field.
  2. Under Privacy, select Mark as ePHI (HIPAA).

Fields that can be marked as ePHI

Single Line, Multi Line, Number, Name, Address, Phone, Email, Date, Date-Time, Website, File Upload, Image Upload, Signature, and Unique ID

Only the following comparison operators are compatible with the fields marked as ePHI for search filters applied to All Entries and Reports:

  • is
  • is not
  • is empty
  • is not empty

Note:
  1. A maximum of 25 fields can be encrypted or marked as ePHI.
  2. Fields once marked as ePHI will remain encrypted even if the Mark as ePHI (HIPAA) option is later disabled.

Restrictions on data marked as ePHI

If you choose to allow data transfer for ePHI fields, you will receive a warning while transferring. If you choose not to allow data transfer for ePHI fields, the data transfer will be restricted.

For all the form fields that have been marked as ePHI, you will be restricted or warned while:

  • Configuring Email Notifications, SMS Notifications, or Push Notifications using the fields
  • Configuring Double Opt-In settings using the fields
  • Configuring Approval emails using the fields
  • Printing or exporting Reports
  • Including a PDF of the form submission
  • Configuring Integrations using the fields
  • Configuring Document Merge (using WebMerge)
  • Using the Report Permalink (URL), which will be restricted

Monitoring audit logs

Monitoring every user's activity is crucial to mitigate potential threats to sensitive data and prevent data misuse. Record audit data assists an organization by maintaining logs of the sequence of activities performed on form entries, along with when they were performed, by whom, and how much data was modified. In the event of a security violation, this helps identify the user behavior and the chronological order of events that led to it.
Learn more about the Record Audit option.
You can export record audit logs periodically and preserve them as per HIPAA requirements.

Exporting audit logs

You can export the audit logs of the records; however, it is your responsibility to protect and retain the exported copy of the audit logs in accordance with HIPAA requirements. The record audit logs are available only for the last 90 days, after which they are automatically deleted. Only the Super Admin can export the record audit data.

Learn more about the Export Record Audit Data feature.
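Because record audit logs are deleted after 90 days, an export schedule that ever leaves more than 90 days between two consecutive exports loses audit records for good. The following check is an added example, not part of Zoho Forms or this guide: it takes a list of past export dates (the dates and the 7-day safety margin are constructed values; the assumption is that each export captures the full 90-day window available at that moment) and reports any gap that would have dropped records, plus the latest date by which the next export must run.

```python
from datetime import date, timedelta

# Stated on this page: record audit logs are kept for the last 90 days only.
RETENTION_DAYS = 90

# Constructed sample export history (ISO dates); not real data.
SAMPLE_EXPORTS = ["2024-01-01", "2024-03-25", "2024-07-10"]


def coverage_gaps(export_dates, retention_days=RETENTION_DAYS):
    """Return [(earlier, later, gap_days)] for consecutive exports spaced
    more than retention_days apart. Assumption: an export captures at most
    the previous retention_days of audit records, so a larger spacing means
    records were purged before any export picked them up. A spacing of
    exactly retention_days is still fully covered."""
    ordered = sorted(date.fromisoformat(d) for d in export_dates)
    gaps = []
    for earlier, later in zip(ordered, ordered[1:]):
        gap_days = (later - earlier).days
        if gap_days > retention_days:
            gaps.append((earlier.isoformat(), later.isoformat(), gap_days))
    return gaps


def next_export_deadline(last_export, retention_days=RETENTION_DAYS, safety_days=7):
    """Latest date (ISO string) on which the next export must run to keep
    continuous coverage, pulled forward by a constructed safety margin so a
    failed or delayed export run still leaves time to retry."""
    last = date.fromisoformat(last_export)
    return (last + timedelta(days=retention_days - safety_days)).isoformat()


if __name__ == "__main__":
    for earlier, later, days in coverage_gaps(SAMPLE_EXPORTS):
        print(f"coverage gap: {days} days between {earlier} and {later}")
    print("next export due by", next_export_deadline(max(SAMPLE_EXPORTS)))
```

Run the script on your own export history (for example, the dates recorded by whoever performs the Super Admin export) to confirm the cadence has never exceeded the retention window; the deadline it prints is a convenient value to put on the operations calendar.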

Note: The HIPAA Compliance feature is available only in our Premium and Zoho One plans.

Disclaimer: The information provided here should not be construed as legal advice. We recommend that you seek legal advice to learn how HIPAA impacts your organization and what steps you must take to comply with the requirements of HIPAA.