How does Zoho manage personal health information fields to comply with HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA), which includes the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.

Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes.

Note: HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

Zoho CRM provides features to help its customers use CRM within the premises of HIPAA compliance. To allow health organizations to comply with HIPAA we allow admins to mark the fields that contain personal health information of individuals so that certain restrictions can be put into place to prevent unauthorized access to those sensitive details.

For example, patient ID, surgical details, and ailments are an individual's personal health information, which should not be available to outsiders.

To mark fields that contain personal health data

1. Go to Setup > Customization > Modules and Fields.

2. Select a module and click the More icon to select the desired layout.
   Alternately, you can click the More icon and select Edit Layout.

3. Go to the desired field and click the More icon.

4. Click Edit Properties and check the Contains Personal Health Data box.
   Remember that this option will only appear if the module has been selected for HIPAA compliance. 
   

Once marked, there are certain restrictions which can be set to prevent unauthorized access to the sensitive values present in the fields.

1. Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
   
2. Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
   
3. Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from the CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
   
4. Restrict data transfer to third party apps: If your CRM account is integrated with third-party applications for business-related reasons, there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table
   

To set restrictions on PHI fields

1. Go to Setup > Users and Controls > Compliance Settings.

2. Click the HIPAA Compliance tab.

3. Toggle the Enable HIPAA Compliance Settings button.
   Select the modules from the dropdown list. You can select up to 10 modules.

4. ​In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.
   

• Related Articles

• How do I configure HIPAA Compliance in my CRM account?

  With more healthcare organizations using CRM to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information.  In Zoho CRM, we provide ...

• What kind of restrictions can be set for the PHI fields under HIPAA Compliance?

  A total of 25 fields in each module can be marked as personal health data containing fields. Once marked, there are certain restrictions that can be set to prevent unauthorized access to the sensitive values present in the fields. Note: Lookup, ...

• How does Zoho CRM help organizations be HIPAA Complaint?

  At Zoho CRM, we allow organizations to be compliant with the HIPAA guidelines by providing the following options:   Select modules that contain personal health data: All modules that contain protected health information must be selected. Both ...

• HIPAA Compliance with Zoho CRM

  The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires Covered Entities and Business ...

• What kind of encryption is added to the PHI fields?

  Fields that contain personal health information of individuals can be encrypted to prevent unauthorized access. Once encrypted, the fields are added with EAR. Encryption at Rest Refers to data that is encrypted when it is stored (not moving) — either ...