The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires
Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.
Zoho RPA does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho RPA provides features to help its customers use Zoho RPA in a HIPAA compliant manner.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to
legal@zohocorp.com.
Kindly note that the content presented here is not to be construed as legal advice. Please contact your legal advisor to learn how HIPAA impacts your organization and what you need to do to comply with the HIPAA.
HIPAA compliance in Zoho RPA
The healthcare industry has rapidly evolved, increasing the need to manage Electronic Protected Health Information (ePHI) securely and protect individuals' sensitive health information.
Zoho RPA provides a range of built-in controls and security features that organizations can use to design HIPAA-compliant automation workflows. History logs i.e., input and output data from execution history may contain electronic Protected Health Information (ePHI), depending on the specific workflow use case. This data is encrypted at rest to ensure compliance and data protection. The following features highlights how Zoho RPA would allow owners and admins to stay compliant with HIPAA requirements.
Administering Roles and Permissions
Zoho RPA lets you control access to your RPA flows and data. The roles and permissions differ for the owner, admins, and members. The owner or admins can manage members of the organization. Members will not have permission to access administrator functions, such as the audit trail, and connections not created by them or shared with them.
The owner of the organization can:
- Modify the organization's name
- Add or remove members
- Change roles of members
- Create, edit, and delete flows
- Create, test, delete, and reconnect app connections
- View and export audit trail and task history
Export audit trail and task history
Audit trail is an organization-wide log of activities. Use it to track what's happening in your RPA organization. All the audit logs since the time the organization was created will be available. The option to export or download this data is only available for the owner or the admins of the organization. Audit logs will be retained until the closure of the organization.
History shows the task history of all RPA flow executions in your organization. Clicking on a particular execution lets you see all the steps of the flow and their input and output details. The option to export or download this data is only available for the owner or the admins of the organization. The execution history data is encrypted at rest.
Share or Unshare App Connections
App connections created in Zoho RPA is powered by Zoho Flow. All connections are private by default. Sharing a connection makes it available to all members of your organization. They can access, create, and update data by using the connection in flows. Unsharing a connection denies all other users' access and makes it private again. Flows using the connection will continue to access, create, and update data using the connection.
Secure data transfer to RPA Agents
Zoho RPA Agents are software installed on desktop machines that enable the successful execution of RPA workflows.These agents securely connect to the Zoho RPA server to retrieve the workflow steps and necessary data, which are temporarily stored in a local database for the duration of the execution. All data that is stored temporarily on the agent is securely encrypted both during transit and while at rest, ensuring end-to-end data protection.
Upon completion of the workflow or in the event of an execution failure, all steps and associated data are automatically deleted from the agent.
Data is encrypted