HIPAA Compliance and Data Protection in Zoho CommunitySpaces

Overview  

The Health Insurance Portability and Accountability Act (HIPAA), including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act (HITECH), requires Covered Entities and Business Associates to implement specific measures to protect individually identifiable health information.

Zoho CommunitySpaces does not collect, use, store, or maintain health information protected under HIPAA for its own purposes. However, Zoho CommunitySpaces provides certain features (as described below) that help customers use the platform in a HIPAA-compliant manner.

HIPAA also requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request a copy of Zoho’s BAA template by sending an email to legal@zohocorp.com.

Zoho CommunitySpaces offers the following features that allow SuperHost and Community hosts to build and manage their spaces in a HIPAA-compliant way.

Labeling of ePHI  

SuperHost and Community hosts can mark user profile fields that might contain electronic protected health information (ePHI) as personal information and encrypt them for enhanced data protection. Encrypting personal information helps prevent unauthorized access to sensitive data.

Note: Titles of Tasks, Events, Polls, Posts, Forums, Spaces, and Articles are not considered ePHI.

Data encryption  

All data in your community is securely stored on Zoho CommunitySpaces servers in an encrypted format. The platform uses strong and industry-standard encryption algorithms such as AES (Advanced Encryption Standard) to protect sensitive data, with AES-256 encryption applied to data stored on our servers.

Additionally, stored data is encrypted at rest (EAR), and all data transfers over the web use secure channels (HTTPS) to ensure maximum protection against unauthorized access, disclosure, or modification.

Audit logs to track data sources and modifications  

Zoho CommunitySpaces provides comprehensive Audit Logs to record key activities across your community. This allows SuperHost and community hosts to monitor and track deletions, updates, and modifications made to user data and community content at any time.
Also, the Edit History feature in Posts provides a detailed record of changes made to posts and comments, ensuring transparency and accountability.

 

Data deletion and retention  

Community members can delete their posts, comments, attachments, events, and other content they have created or shared. Deleted items are moved to the Trash section of each module, which can only be accessed by SuperHost and community hosts. SuperHost and community hosts can then permanently delete content or restore it from Trash when required.

Inactive communities in Zoho CommunitySpaces are automatically deleted by our system. However, data from deleted communities is retained for 30 days, after which it is permanently removed. During this retention period, SuperHost and Community hosts can contact support@zohocommunityspaces.com to restore their community.

Info: The options to label ePHI as personal information, access audit logs, view edit history, and restore deleted data from Trash are available only in paid plans of Zoho CommunitySpaces.

Disclaimer: The information provided here should not be construed as legal advice. This article is intended to help users understand how Zoho CommunitySpaces enables them to operate in a HIPAA-compliant manner. We recommend consulting your legal advisor to understand how HIPAA applies to your community, its impact, and the necessary steps to ensure compliance.