HIPAA Compliance with Zoho Developer - Vertical Solutions Platform
ZohoDeveloper - Vertical Solutions Platform is currently available in developer.zoho.com and developer.zoho.eu and is expected to release in developer.zoho.in and in developer.zoho.com.au.
The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its purposes. However, The Industry-specific solution, built using the Vertical Solutions Platform provides features to help its subscribers use the solution within the premises of HIPAA compliance.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
HIPAA compliance in Zoho Vertical Solutions Platform
As more healthcare organizations have started to use Software Solutions to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information.
In the solution built using the Vertical Solutions Platform, we provide ways for healthcare organizations to secure and restrict export of individuals' health information to stay compliant with HIPAA.
The subscriber org admin can achieve this by performing the following steps:
1. Selecting the "health" module: All modules that contain protected health information(PHI) must be selected. Both standard and custom modules can be selected. A total of 10 modules can be selected.
2. Marking fields that contain PHI: In a module, there may be only a few fields that contain the PHI of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
Note: Lookup, multi-select lookup, and auto-number fields cannot be marked as personal health data.
3. Setting restrictions for the data marked as PHI: There are four options for restricting PHI from being accessed outside the Solution. Any of these options can be enabled depending on the org's requirements:
a. Restrict data access through API: Other applications can connect with the solution using API and data can be transferred. You can ensure that PHI of your customers is not shared in the process, by restricting the transfer of PHI to other applications via API.
b. Restrict data export: While exporting data from the solution you may want to withhold PHI from being exported by checking this option.
c. Restrict data transfer to Natively Integrated apps: If the solution itself or a subscriber org is integrated with any of the pre-built natively integrated apps that come along with the Zoho Developer platform, the data will flow from the subscriber org account to these applications. This option will prevent PHI from being transferred to other apps. To check the list of the pre-built apps and data flow restrictions refer to the table.
d. Restrict data transfer to third-party apps: If the solution itself or a subscriber org is integrated with third party applications for business related reasons, there will be chances of data flow from the subscriber org account to these apps. This option will prevent PHI from being transferred to other apps. To check the data flow restrictions refer to the table.
4. Encrypting PHI fields: Fields that contain PHI can be encrypted for additional security. Though field encryption is not a mandatory step in the vertical solution or a subscriber org, we strongly recommend you enable encryption as it is the best practice to prevent unauthorized access to confidential data.
Read more to configure encryption and understand its limitations. Also, refer to the Zoho Encryption whitepaper to understand the encryption process and key management in detail.
A Solution's subscribers can configure HIPAA compliance by following the steps given below:
1. Go to Setup > Users and Controls > Compliance Settings.
2. Click the HIPAA Compliance tab.
3. Toggle the Enable HIPAA Compliance Settings button.
4. Select the modules from the dropdown list.
5. You can select up to 10 modules.
6. In Personal Health Data Handling, toggle Restrict Data access through API and/or Restrict Data in Export, as required.
To mark fields that contain PHI
1. Go to Setup > Customization > Modules and Fields.
2. Select a module and click the More icon to select the desired layout.
3. Alternately, you can click the More icon and select Edit Layout.
4. Go to the desired field and click the More icon.
5. Click Edit Properties and check the Contains Personal Health Databox.
6. Remember that this option will only appear if the module has been selected for HIPAA compliance.
Retrieving the audit log
We allow org admins to export data as and when required using the Export Audit Log option. In a solution, audit log is available for 60 days by default. In case the data beyond 60 days is required, the subscribers can reach out to their solution providers and the solution providers can contact support@zohodeveloper.com.
Disabling HIPAA compliance
Once HIPAA compliance is disabled, the fields that have been marked as personal health data will be unmarked. The subscriber org admin can mark the fields again when they re-enable the HIPAA compliance.
Viewing PHI of the records
All the fields that are marked as containing personal health data will be listed on the record detail page. Under Data Privacy, in the Personal Data section, you can click the Health tab to view the fields that have PHI.
Kindly note that,
1. The HIPAA compliance related features described herein covers only the entities that are present by default in the Zoho Developer -Vertical Solutions Platform. You should make sure that any additional developments or Integrations added upon it meets your HIPAA compliance requirements.
2. The content presented here is not to be construed as legal advice. Please contact your legal advisor to learn how HIPAA impacts your organization and what you need to do to comply with the HIPAA
.
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Calls in Vertical Solutions
Making and receiving calls are an essential part of a rep's daily activities. They need to track the calls that are made to the customers, schedule calls according to the customer's availability, take down the details of the calls, and make note of ...Marking Personal Fields
GDPR defines personal data as any information relating to an identified or identifiable natural person (i.e. the data subject). There is a wide range of personal data that includes email addresses, location, mobile numbers, identification numbers, ...Connections
Connections enable you to connect to any of your native Vertical solution or third-party or other Zoho services using OAuth 2.0 authorization. It abstracts the entire OAuth2.0 authorization flow and keeps your code simple, clean, and crisp. Once the ...Getting Started
This guide will help you to get started with Zoho Developer, right from signing up as a developer to creating and publishing your first Vertical Solution. Signing up for Zoho Developer To sign up for a free developer account, click on the Start ...Testing your Application
Testing your solution before publishing it is crucial as it will help you detect any issues and rectify it at the earliest. Vertical Solutions allows you to test your solution in a sandbox environment. This will help you to verify if all the ...
New to Zoho LandingPage?
Zoho LandingPage Resources