The Health Insurance Portability and Accountability Act, HIPAA (including the Privacy Rule, Security Rule and Breach Notification Rule, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also grants certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Marketing Automation provides features to help its customers handle health-related data in a manner consistent with HIPAA.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
How to apply HIPAA compliance in Zoho Marketing Automation?
Admins in Zoho Marketing Automation can secure individuals' health information, restrict its export, and stay compliant with the HIPAA guidelines by doing the following:
Marking fields that contain PHI: Marking custom fields that contain personal health details (for example, surgical history, symptoms or medication details) lets the system identify those fields, restrict access to them through the API, and prevent their values from being exported.

Only custom fields can be marked as containing PHI (Protected Health Information); standard fields cannot be marked.
Setting restrictions for the data marked as PHI: There are two options for restricting personal health data from being accessed outside Zoho Marketing Automation; either or both can be enabled depending on the org's requirements. A third control, field encryption, protects the data at rest and can be enabled independently:
- Restrict data access through API: Other applications can connect to Zoho Marketing Automation through the API and transfer data. Enabling this option ensures that your customers' personal health data is not shared in the process, by withholding PHI-marked fields from API responses.
- Restrict data export: Enabling this option withholds personal health information when data is exported from the Zoho Marketing Automation account.
- Encrypting PHI fields: Fields that contain personal health information can be encrypted for additional security. Field encryption is not a mandatory step in Zoho Marketing Automation, but we strongly recommend enabling it, as it is the best practice for preventing unauthorized access to confidential data.

Custom fields are not encrypted by default; you must enable encryption for them manually.
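After enabling the API and export restrictions above, a practitioner should confirm that PHI-marked fields really are absent from what leaves the account. The following is an added example, not Zoho code: it checks a sample API response and a sample export for PHI-marked custom fields. The field names, the JSON and CSV payloads, and the helper names (`audit`, `strip_phi`, and so on) are all assumptions constructed for illustration; the real Zoho Marketing Automation API and export formats may differ.

```python
"""Illustrative PHI leak check for API responses and data exports.

Constructed example, not Zoho code. The PHI field names, the sample API
response, and the sample CSV exports are all made up for illustration.
"""
import csv
import io
import json

# Custom fields an admin has marked "Contains personal health data"
# (assumed names; use the labels configured in your own account).
PHI_FIELDS = frozenset({"surgical_history", "symptoms", "medication_details"})


def find_phi_leaks_in_records(records, phi_fields=PHI_FIELDS):
    """Return {field: count} for PHI fields that appear with a non-empty value."""
    leaks = {}
    for rec in records:
        for field in phi_fields:
            if rec.get(field) not in (None, ""):
                leaks[field] = leaks.get(field, 0) + 1
    return leaks


def find_phi_columns_in_csv(csv_text, phi_fields=PHI_FIELDS):
    """Return the set of PHI field names present as columns in a CSV export."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, [])
    return {h.strip() for h in header} & set(phi_fields)


def strip_phi(records, phi_fields=PHI_FIELDS):
    """Model of what the API restriction is meant to do: drop PHI keys
    from each record before it leaves the system."""
    return [{k: v for k, v in rec.items() if k not in phi_fields} for rec in records]


def audit(api_json, export_csv, phi_fields=PHI_FIELDS):
    """Run both checks and report which PHI fields leaked via each channel."""
    records = json.loads(api_json)["contacts"]
    return {
        "api_leaks": find_phi_leaks_in_records(records, phi_fields),
        "export_leaks": find_phi_columns_in_csv(export_csv, phi_fields),
    }


# Constructed sample API response, as it might look with the API restriction OFF.
API_RESPONSE_UNRESTRICTED = json.dumps({"contacts": [
    {"email": "a@example.com", "first_name": "Ann",
     "symptoms": "migraine", "medication_details": "sumatriptan 50mg"},
    {"email": "b@example.com", "first_name": "Bo", "symptoms": ""},
]})

# Constructed sample exports: one as expected with Restrict data export ON,
# one that would indicate the restriction is not working.
EXPORT_RESTRICTED_CSV = "email,first_name,city\na@example.com,Ann,Austin\n"
EXPORT_LEAKY_CSV = "email,first_name,symptoms\na@example.com,Ann,migraine\n"


def restricted_api_response():
    """Constructed response as it should look with the API restriction ON."""
    records = json.loads(API_RESPONSE_UNRESTRICTED)["contacts"]
    return json.dumps({"contacts": strip_phi(records)})


if __name__ == "__main__":
    print("before:", audit(API_RESPONSE_UNRESTRICTED, EXPORT_LEAKY_CSV))
    print("after: ", audit(restricted_api_response(), EXPORT_RESTRICTED_CSV))
```

Run the check against a real export file and a real API response captured from an integration after toggling the restrictions on; any non-empty result means a PHI-marked field is still reachable through that channel and the marking or the toggle needs to be revisited.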
To configure HIPAA compliance:
- Go to Settings > Consent and Privacy > Compliance Settings.

- Navigate to HIPAA Compliance.
- Toggle the HIPAA Compliance switch on. Once it is on, the switches that restrict personal health data appear.
- Toggle on the Restrict data export switch, the Restrict data export through APIs switch, or both. Each restricts users from sharing PHI through that channel.

How to mark a field as containing personal health data?
- Choose Settings from the top right corner of the page.

- Select Contact fields under General.
- Navigate to Custom fields tab.
- Click the Add Custom Field button.

- Enter the following details:
a. Field type: the type of data that will be stored in the field.
b. Field label: a name that identifies the field.
c. Default merge tag value: the value used if the user leaves the field blank.
- After filling out the custom field details, check the Contains personal health data check box. You can also edit an existing field and mark or unmark it as containing personal health data.
- Click Create.
How to disable HIPAA compliance?
To disable HIPAA compliance:
- Go to Settings > Consent and Privacy > Compliance Settings.

- Navigate to HIPAA Compliance.
- Toggle the HIPAA Compliance switch off.

- Once you toggle this off, a confirmation dialog box appears. Click Yes, Disable HIPAA Compliance.
- Once HIPAA compliance is disabled, the export restriction and the other restrictions tied to it are revoked.
Retrieving the audit log
As a covered entity, it is your responsibility, and best practice, to export logs periodically and preserve them for the required period. To facilitate this, the Export Audit Log option lets you export the audit log as and when required. In Zoho Marketing Automation the audit log is available for 6 months by default; if you need data older than 6 months, contact us. Note that HIPAA requires documentation to be retained for six years (45 CFR 164.316(b)(2)), far longer than the default 6-month window, so schedule regular exports rather than relying on the in-product log alone.