The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect any health information that can be used to identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. However, Zoho Recruit provides certain features (as described below) to help its customers use Zoho Recruit in a HIPAA-compliant manner.
As more healthcare organizations have started to use Recruit to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information.
In Zoho Recruit, we provide ways for healthcare organizations to secure and restrict the export of individuals' health information.
Recruit admins can do this by performing the following steps:
Select the "health" module: All modules that contain protected health information ("PHI") must be selected. In all paid editions of Zoho Recruit, a total of 10 modules can be selected. This includes both default and custom modules. Please note that the HIPAA compliance feature is not available in the Free edition of Zoho Recruit.
Mark fields that contain PHI: In a module, there may be only a few fields that contain PHI, for example, surgical history, symptoms, or medication details. Marking these fields as PHI helps the system identify them, restrict access to them through the API, and prevent the export of their values. A total of 30 fields in each module can be marked as PHI-containing fields.
Note: Lookup and autonumber fields cannot be marked as PHI.
Set restrictions for the data marked as PHI: There are four options for restricting PHI from being accessed outside Zoho Recruit. Any of these options can be enabled depending on the organization's requirements:
Restrict data access through API: Other applications can connect with Zoho Recruit using the API, and data can be transferred. You can ensure that PHI is not shared in the process by restricting the transfer to other applications via the API.
Restrict data in export: While exporting data from your Zoho Recruit account, you can withhold PHI from being exported by checking this option.
Restrict data transfer to Zoho apps: If the Recruit account is integrated with other Zoho applications like CRM, Workerly, People, etc., data will flow from Recruit to these applications. This option will prevent PHI from being transferred to other apps.
Restrict data transfer to third party apps: If your Recruit account is integrated with third-party applications for business-related reasons, data may flow from Recruit to these apps. This option will prevent PHI from being transferred to other apps.
Encrypt PHI fields: Fields that contain PHI can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho Recruit, we strongly recommend you enable encryption as it is the best practice to prevent unauthorized access to confidential data.
Go to Setup > Compliance > HIPAA Compliance.
Toggle the Enable HIPAA Compliance Settings button ON.
Select the modules from the drop-down list.
You can select up to 10 modules.
In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, Restrict data transfer to Zoho apps and/or Restrict data transfer to third party apps, as required.
Data audits help you secure your system and monitor for unexpected changes or usage trends. The audit log will be retained for 60 days and the activity log for 90 days. You can export the audit and activity logs by going to Setup > Data Administration > Audit Log/Activity Log. Click Export to download.
The following tables will give you the details of the various integrations and the implications when personal data is restricted. There are certain fields that are mandatory for an integration. For example, for the Zoho Campaigns integration, Email is a mandatory field. If you mark email as a personal field, the data will not be sent from Recruit to Campaigns. You can find more such details in the tables below.
| Integrations with Zoho Apps | Fields mandatory for the integration | What happens when personal data is restricted? |
| --- | --- | --- |
| Zoho Campaigns | | Data will not be pushed from Zoho Recruit |
| Zoho Cliq | NA | Details other than those from the personal fields will be shared via Zoho Cliq. |
| Zoho CRM | Last Name, Potential Name, Stage, Account Name | Data will not be pushed from Zoho Recruit |
| Zoho People | First name, Last Name, Email, Phone | Data will not be pushed from Zoho Recruit |
| Zoho Workerly | Last name, mobile, Current title | Data will not be pushed from Zoho Recruit |
| Zoho Reports | NA | Data will not be pushed from Zoho Recruit |
| Zoho Survey | NA | NA |
| Zoho Forms | NA | NA |
| Zoho Workdrive | NA | NA |
| Integrations with Other Apps | Fields mandatory for the integration | What happens when personal data is restricted? |
| --- | --- | --- |
| Microsoft Office 365 | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
| Microsoft Outlook | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
| Google Contacts | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
Other Security features that Zoho Recruit offers: