The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. Zoho Cliq provides the features described below to help its customers use Cliq in a HIPAA-compliant manner.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
Restrict access control
- Disable external contact by disabling Guest Chat, Extensions, and External Channels.
- Provide users with unique login credentials and MFA (Multi-Factor Authentication) to ensure that ePHI is accessible only to authorized users.
Mandate read receipts across your organization
- Mandating read receipts helps you obtain a read audit of messages.
View history of edited messages
- When a message is modified, the edit history is audited inside a group chat / channel, so any changes made to an ePHI field can be tracked.
We consider the following to be ePHI in Cliq:
- Messages
- Attachments
- Calls
- Group Calls
- Call Recordings
- Chat Title
- User Custom Fields (Configurable)
The ePHI data inside Cliq are encrypted
Encrypting ePHI fields: Fields that contain personal health information can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho Cliq, we strongly recommend that you enable encryption, as it is a best practice for improving the security of sensitive data.
User addition and removal are audited inside a group chat / channel
When a user is added to or removed from a channel, the participants in the channel can view notifications showing who was added or removed and by whom.
Audit data made available in Cliq for 6 months
- The audit data will be available in Cliq for 6 months from the day the event occurs. For example, if you create a channel or deactivate a user account, the audit data will be available for up to 6 months from the day you created the channel or deactivated the user account.
- Org admins can also download and back up their data via this link.