The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also grants certain rights to individuals. Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates that sets out the permissible and impermissible uses of Protected Health Information (PHI). You can request our BAA template by sending an email to legal@zohocorp.com.
Product-specific features
As many healthcare-related organizations have started using SalesIQ to support their customers, SalesIQ is working toward HIPAA compliance by putting in place measures to keep customers' ePHI secure.
Data audits help you secure your system and monitor for unexpected changes or usage trends. Zoho SalesIQ stores audit logs recording every addition, update, and deletion of the fields in your database records that may contain ePHI.
ePHI data in SalesIQ
Before looking at how SalesIQ protects customers' ePHI data, we first list all the entry points through which ePHI can enter SalesIQ.
Conversations
In SalesIQ, if a customer organization processes health data, ePHI might appear in its conversations. Hence, SalesIQ treats all live chat data as ePHI and subjects it to audits.
The information visitors provide before starting a conversation with an operator, such as Name, Email, and Phone number, does not on its own fall under the ePHI category, but when associated with the conversation it can be considered ePHI. Hence, SalesIQ treats all default Pre-chat form data as ePHI.
JS API custom fields
Zoho SalesIQ allows customers to configure JS API custom fields on their website to collect additional data from visitors through pre-chat forms. Because a JS API custom field is implemented on the customer's own website, SalesIQ can only display the collected data, and customers cannot modify it within SalesIQ. Hence, this data is not audited, and HIPAA requirements cannot be implemented for the JS API option.
We do not recommend using JS API custom fields to collect ePHI data from visitors.
Note:
- The data collected using the JS API custom fields will be encrypted in the storage.
- The customer cannot modify the data collected using JS API custom fields via SalesIQ.
Audit Exports and Retention
To comply with HIPAA, we have started auditing essential ePHI data. All audit logs are retained for up to one year. Depending on the feature, the audit log can be shared with portal operators and visitors upon request.
1. Conversation attachment download audit logging
Zoho SalesIQ keeps audit logs of all conversation attachment downloads performed on your database.
2. Conversation delete audit logging
Zoho SalesIQ keeps audit logs of all conversation deletions performed on your database. The audit logs will contain only limited information such as Visit ID and Conversation ID.
Zoho SalesIQ keeps audit logs of visitors' information updates provided via pre-chat forms.