Zoho Sprints HIPAA Compliance Guide | Zoho Sprints Help

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. However, Zoho Sprints provides certain features (described below) to help its customers use Zoho Sprints in a HIPAA-compliant manner.
 
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

HIPAA compliance in Zoho Sprints

To ensure the security of your information, you can take the following actions in your Zoho Sprints account:
  1. Mark ePHI fields to distinguish their data
  2. Encrypt data entered into ePHI-designated fields
  3. Administer roles and permissions to secure data
  4. Export the audit trail to monitor operational activities

Marking ePHI Fields

You can mark a field as ePHI if it contains the health information of your customers or patients. To mark fields that contain personal health data:
  1. Navigate to Setup and click a module under Custom Layouts and Fields.
  2. Select the desired layout to edit it.
  3. Go to the respective custom field and click Edit.
  4. Click Update and save the layout.
Marking the field as ePHI automatically turns on the Encrypt field option. You can still turn it OFF manually (not recommended).
The following table lists the field types in Zoho Sprints that support PII/ePHI marking and encryption:
 
Field Name          PII/ePHI   Encrypt
Single-Line Text    Yes        Yes
Text Area           No         No
HTML                No         No
Check Box           No         No
Radio Button        No         No
Integer             Yes        Yes
Pick List           No         No
Multi-Select        No         Yes
Decimal             Yes        Yes
Date                No         No
Date and Time       No         No
URL                 No         No
Email               Yes        Yes
User Pick List      No         No
Boolean             No         No
Percentage          Yes        Yes
Currency            Yes        Yes
Lookup              No         No
Formula             Yes        Yes

Encrypting ePHI Field Data

ePHI stands for Electronic Protected Health Information. Fields that contain ePHI can be encrypted for additional security. Although field encryption is not a mandatory step in Zoho Sprints, we strongly recommend that you enable it so that your data is stored encrypted in our database. To learn more about the certifications, click here.
 
Administering Roles and Permissions
Profiles in Zoho Sprints let you define permissions. You can tightly control who in your organization has access to which information.
 
Exporting Audit Trail
Zoho Sprints stores the audit logs (records of the additions, updates, and deletions made to your database records) in the back end. You can export this data using the Export Data option under Audit Log.
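Exporting the audit trail is only useful if someone actually reviews it. The following script is an added example, not Zoho's code, of a first-pass review over an exported trail: it flags every deletion (a deleted ePHI record cannot be inspected afterwards), every add or update that touched a field you marked as ePHI, ePHI-related activity outside business hours, and a per-user count to spot outliers. The CSV column names (timestamp, user, action, module, record_id, field), the module and field names, and the sample rows are all constructed assumptions; the real export format may differ, so adjust the column constants and the EPHI_FIELDS set to match your own layout.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed column layout of the exported audit trail. The real Zoho Sprints
# export may use different column names; adjust these constants to match.
TIMESTAMP, USER, ACTION, MODULE, RECORD_ID, FIELD = (
    "timestamp", "user", "action", "module", "record_id", "field",
)

# Constructed sample export (not real data). Each row is one audit entry.
SAMPLE_EXPORT = """timestamp,user,action,module,record_id,field
2024-03-04T09:12:00Z,alice@example.com,update,Work Items,WI-101,Summary
2024-03-04T09:15:30Z,bob@example.com,update,Work Items,WI-102,Patient Email
2024-03-04T22:40:05Z,bob@example.com,delete,Work Items,WI-103,
2024-03-05T10:02:11Z,carol@example.com,add,Work Items,WI-104,Patient Email
2024-03-05T10:03:45Z,carol@example.com,update,Work Items,WI-104,Patient Email
2024-03-05T11:20:00Z,alice@example.com,update,Work Items,WI-101,Insurance ID
"""

# Names of the custom fields you marked as ePHI in the layout (constructed
# example values; take the real names from Setup > Custom Layouts and Fields).
EPHI_FIELDS = {"Patient Email", "Insurance ID"}


def parse_audit_export(text):
    """Parse the CSV export into a list of dicts with a parsed UTC timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row[TIMESTAMP] = datetime.strptime(row[TIMESTAMP], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def review_audit_trail(rows, ephi_fields, business_hours=(8, 18)):
    """Return the findings a reviewer wants from the exported trail.

    deletions:    every delete, regardless of field
    ephi_changes: adds/updates that touched an ePHI-marked field
    off_hours:    ePHI-related entries outside the given hour window (UTC)
    per_user:     count of ePHI-related entries per user, to spot outliers
    """
    start_hour, end_hour = business_hours
    deletions, ephi_changes, off_hours = [], [], []
    per_user = Counter()
    for row in rows:
        is_delete = row[ACTION] == "delete"
        touches_ephi = row[FIELD] in ephi_fields
        if is_delete:
            deletions.append(row)
        if touches_ephi and not is_delete:
            ephi_changes.append(row)
        if is_delete or touches_ephi:
            per_user[row[USER]] += 1
            if not (start_hour <= row[TIMESTAMP].hour < end_hour):
                off_hours.append(row)
    return {
        "deletions": deletions,
        "ephi_changes": ephi_changes,
        "off_hours": off_hours,
        "per_user": per_user,
    }


def summarize(findings):
    """Produce a short, human-readable report from the findings."""
    lines = [
        f"{len(findings['deletions'])} deletion(s)",
        f"{len(findings['ephi_changes'])} change(s) to ePHI fields",
        f"{len(findings['off_hours'])} ePHI-related entries outside business hours",
    ]
    for user, count in findings["per_user"].most_common():
        lines.append(f"  {user}: {count} ePHI-related entries")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = review_audit_trail(parse_audit_export(SAMPLE_EXPORT), EPHI_FIELDS)
    print(summarize(findings))
```

Run it against the constructed sample and it reports one deletion, four changes to ePHI fields, and one off-hours entry (the late-evening delete). In practice, feed it each export on a fixed schedule and keep the exports themselves, since the trail is the evidence that the roles and permissions you configured are being respected.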