Zoho Recruit | HIPAA Compliance

HIPAA Compliance

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect any health information that can be used to identify an individual. It also grants certain rights to individuals. Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. However, Zoho Recruit provides certain features (described below) to help its customers use Zoho Recruit in a HIPAA-compliant manner.


HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

HIPAA compliance in Zoho Recruit

As more healthcare organizations use Recruit to run their business and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information.

In Zoho Recruit, we provide ways for healthcare organizations to secure individuals' health information and restrict its export.


Recruit admins can do this by performing the following steps:

  1. Select the "health" modules: All modules that contain protected health information ("PHI") must be selected. In all paid editions of Zoho Recruit, a total of 10 modules can be selected, including both default and custom modules. Please note that the HIPAA compliance feature is not available in the Free edition of Zoho Recruit.

  2. Mark fields that contain PHI: In a module, often only a few fields contain PHI, for example surgical history, symptoms, or medication details. Marking these fields as PHI lets the system identify them, restrict access to them through the API, and prevent their values from being exported. A total of 30 fields in each module can be marked as containing PHI.
    Note: Lookup and autonumber fields cannot be marked as PHI.

  3. Set restrictions for the data marked as PHI: There are four options for restricting PHI from being accessed outside Zoho Recruit. Any of these options can be enabled, depending on the organization's requirements:

    1. Restrict data access through API: Other applications can connect to Zoho Recruit through its API and transfer data. Enabling this option ensures that PHI is not shared with other applications through the API.

    2. Restrict data in export: When data is exported from your Zoho Recruit account, checking this option withholds PHI from the export.

    3. Restrict data transfer to Zoho apps: If the Recruit account is integrated with other Zoho applications such as CRM, Workerly, or People, data flows from Recruit to those applications. This option prevents PHI from being transferred to them.

    4. Restrict data transfer to third-party apps: If your Recruit account is integrated with third-party applications for business reasons, data may flow from Recruit to those apps. This option prevents PHI from being transferred to them.

  4. Encrypt PHI fields: Fields that contain PHI can be encrypted for additional security. Although field encryption is not a mandatory step in Zoho Recruit, we strongly recommend enabling it, as it is the best practice for preventing unauthorized access to confidential data.


Read more about how to configure encryption and understand its limitations. Also, refer to the Zoho Encryption white paper to understand the encryption process and key management in detail.

To configure HIPAA compliance:

  1. Go to Setup > Compliance > HIPAA Compliance.

  2. Toggle the Enable HIPAA Compliance Settings button ON.

  3. Select the modules from the drop-down list.

  4. You can select up to 10 modules.

  5. In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, Restrict data transfer to Zoho apps and/or Restrict data transfer to third party apps, as required.

To mark fields that contain PHI:

  1. Go to Setup > Customization > Modules.
  2. Select a module and click the More icon to select the desired layout.
    Alternatively, you can click the More icon and select Edit Layout.
  3. Go to the desired field and click the Settings icon.
  4. Click Edit Properties and check the Contains Personal Health Data box.
    Remember that this option only appears if the module has been selected for HIPAA compliance.

Disabling HIPAA compliance

Once HIPAA compliance is disabled, the fields that have been marked as PHI will be unmarked. The admin can mark the fields again when they re-enable the HIPAA compliance.

Viewing personal data within the records

All the fields that are marked as containing PHI are listed on the record detail page. Under Data Privacy, in the Personal Data section, click the Data Privacy tab to view the fields that contain PHI.

Audit Trail of PHI

Audit trails record property changes in the fields that you have marked as PHI fields. Audit history can also be exported.

Activity Log of PHI

Activity logs can help track the various changes made to entities that can contain PHI. A detailed log on the date, time of the action, the name of the user who performed the action, and other details about the action can be seen under the activity log.

Exporting Audit and Activity Logs

Data audits help you secure your system and monitor for unexpected changes or usage trends. The audit log will be retained for 60 days and the activity log for 90 days. You can export the audit and activity logs by going to Setup > Data Administration > Audit Log/Activity Log. Click Export to download.


The following tables give the details of the various integrations and the implications when personal data is restricted. Certain fields are mandatory for an integration. For example, for the Zoho Campaigns integration, Email is a mandatory field; if you mark Email as a personal field, the data will not be sent from Recruit to Campaigns. You can find more such details in the tables below.


*Please note that First and Last Name cannot be marked as personal fields.

Integrations with Zoho Apps

| Integration with Zoho app | Fields mandatory for the integration | What happens when personal data is restricted? |
|---|---|---|
| Zoho Campaigns | Email | Data will not be pushed from Zoho Recruit |
| Zoho Cliq | NA | Details other than those from the personal fields will be shared via Zoho Cliq. |
| Zoho CRM | Last Name, Potential Name, Stage, Account Name | Data will not be pushed from Zoho Recruit |
| Zoho People | First Name, Last Name, Email, Phone | Data will not be pushed from Zoho Recruit |
| Zoho Workerly | Last Name, Mobile, Current Title | Data will not be pushed from Zoho Recruit |
| Zoho Reports | NA | Data will not be pushed from Zoho Recruit |
| Zoho Survey | NA | NA |
| Zoho Forms | NA | NA |
| Zoho WorkDrive | NA | NA |

Integrations with Third-party Apps

| Integration with other app | Fields mandatory for the integration | What happens when personal data is restricted? |
|---|---|---|
| Microsoft Office 365 | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
| Microsoft Outlook | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
| Google Contacts | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
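The rules above (module and field limits, fields that cannot be marked, the four restriction toggles, and the integration tables, where a PHI-marked mandatory field blocks the push while a non-mandatory one is simply withheld) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not Zoho Recruit's SDK or API, and the class, function and channel names (`HipaaSettings`, `filter_record`, `"zoho_apps"`, and so on) are assumptions chosen for illustration. Such a model is useful when reviewing an organization's configuration, or as a unit test of the expectations a data-flow review should hold against the real product.

```python
"""Hypothetical model of the PHI restriction rules described on this page.

Example code added for illustration; it is not Zoho Recruit's own SDK, API or
implementation, and every name in it is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Limits and rules stated on the page (paid editions).
MAX_HIPAA_MODULES = 10
MAX_PHI_FIELDS_PER_MODULE = 30
UNMARKABLE_FIELD_TYPES = {"lookup", "autonumber"}
UNMARKABLE_FIELD_NAMES = {"First Name", "Last Name"}

# Hypothetical names for the four toggles under Personal Health Data Handling.
CHANNELS = ("api", "export", "zoho_apps", "third_party_apps")


class PhiPolicyError(ValueError):
    """A configuration step violates one of the rules described on the page."""


@dataclass
class HipaaSettings:
    enabled: bool = False
    modules: Set[str] = field(default_factory=set)
    phi_fields: Dict[str, Set[str]] = field(default_factory=dict)  # module -> PHI field names
    restrictions: Set[str] = field(default_factory=set)            # enabled CHANNELS

    def select_module(self, module: str) -> None:
        if not self.enabled:
            raise PhiPolicyError("enable HIPAA compliance settings first")
        if module not in self.modules and len(self.modules) >= MAX_HIPAA_MODULES:
            raise PhiPolicyError(f"at most {MAX_HIPAA_MODULES} modules can be selected")
        self.modules.add(module)

    def mark_phi(self, module: str, name: str, field_type: str = "text") -> None:
        # The 'Contains Personal Health Data' checkbox only appears for selected modules.
        if module not in self.modules:
            raise PhiPolicyError(f"module {module!r} is not selected for HIPAA compliance")
        if field_type in UNMARKABLE_FIELD_TYPES:
            raise PhiPolicyError(f"{field_type} fields cannot be marked as PHI")
        if name in UNMARKABLE_FIELD_NAMES:
            raise PhiPolicyError(f"{name!r} cannot be marked as a personal field")
        marked = self.phi_fields.setdefault(module, set())
        if name not in marked and len(marked) >= MAX_PHI_FIELDS_PER_MODULE:
            raise PhiPolicyError(f"at most {MAX_PHI_FIELDS_PER_MODULE} PHI fields per module")
        marked.add(name)

    def restrict(self, channel: str) -> None:
        if channel not in CHANNELS:
            raise PhiPolicyError(f"unknown channel {channel!r}")
        self.restrictions.add(channel)

    def disable(self) -> None:
        # Disabling HIPAA compliance unmarks every PHI field; re-enabling does not restore them.
        self.enabled = False
        self.phi_fields.clear()


def filter_record(settings: HipaaSettings, module: str, record: dict, channel: str,
                  mandatory_fields: Iterable[str] = ()) -> Optional[dict]:
    """Return the record as the given channel would receive it.

    None  -> the push is blocked: a field the integration requires is PHI and restricted
    dict  -> the record with PHI fields withheld (unchanged when nothing restricts it)
    """
    if (not settings.enabled or module not in settings.modules
            or channel not in settings.restrictions):
        return dict(record)
    phi = settings.phi_fields.get(module, set())
    if phi & set(mandatory_fields):
        return None
    return {k: v for k, v in record.items() if k not in phi}


def demo() -> dict:
    """Walk through the page's Zoho Campaigns and Zoho Cliq rows with a constructed record."""
    s = HipaaSettings(enabled=True)
    s.select_module("Candidates")
    s.mark_phi("Candidates", "Medication Details")
    s.mark_phi("Candidates", "Email")   # Email is mandatory for the Campaigns integration
    s.restrict("zoho_apps")             # "Restrict data transfer to Zoho apps" switched on
    record = {  # constructed sample data, not real PHI
        "First Name": "Ada", "Last Name": "Example",
        "Email": "ada@example.invalid", "Medication Details": "(constructed)",
    }
    return {
        "campaigns": filter_record(s, "Candidates", record, "zoho_apps", mandatory_fields=("Email",)),
        "cliq": filter_record(s, "Candidates", record, "zoho_apps"),
        "export": filter_record(s, "Candidates", record, "export"),  # export toggle left off
    }


if __name__ == "__main__":
    for channel, result in demo().items():
        print(f"{channel:>9}: {'push blocked' if result is None else result}")
```

Running the block prints a blocked push for Campaigns (its mandatory Email field is PHI), a record reduced to First Name and Last Name for Cliq, and the full record for export, because the export toggle was not enabled. The last case is the one worth checking in a real review: marking a field as PHI does nothing for a channel whose restriction toggle is off.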

Notes
Kindly note that the content presented here is not to be construed as legal advice. Please contact your legal advisor to learn how HIPAA impacts your organization and what you need to do to comply with HIPAA.

Other Security features that Zoho Recruit offers: