Understanding HIPAA compliance

The Health Insurance Portability and Accountability Act, HIPAA (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Campaigns provides features to help its customers secure health-related data within the scope of HIPAA compliance.
 
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

How to apply HIPAA compliance in Zoho Campaigns?

Admins in Zoho Campaigns can secure and restrict export of individuals' health information and stay compliant with the HIPAA guidelines by doing the following:
 
Marking fields that contain PHI: Marking fields that contain personal health details lets the system identify them, restrict access to them through the API, and prevent their values from being exported. Examples are fields that contain surgical history, symptoms, medication details, etc.
Note: Only custom fields can be marked as fields with PHI (Protected Health Information). Standard fields cannot be marked.
Setting restrictions for the data marked as PHI: There are two options for restricting personal health data from being accessed outside Campaigns. Either or both can be enabled depending on the org's requirements:
  1. Restrict data access through API: Other applications can connect with Zoho Campaigns using the API and transfer data. You can ensure that your customers' personal health data is not shared in the process by restricting the transfer of personal health data to other applications via the API.
  2. Restrict data export: While exporting data from your Zoho Campaigns account, you may want to withhold personal health information from the export by checking this option.
Encrypting PHI fields: Fields that contain personal health information can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho Campaigns, we strongly recommend enabling it, as it is a best practice for preventing unauthorized access to confidential data.
Note: Custom fields are not encrypted by default. You must encrypt them manually.
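As an added illustration (a hypothetical model written for this article, not Zoho's code), the following Python sketches the rules the options above describe: only custom fields can carry the PHI mark, and the API and export restrictions withhold PHI values only while the master HIPAA switch is on. The class and function names are assumptions; field encryption is not modeled.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class CustomField:
    name: str
    standard: bool = False      # standard fields ship with every account
    contains_phi: bool = False  # the "Contains Personal health data" check box

    def __post_init__(self):
        # Rule from the article: only custom fields can be marked as PHI.
        if self.standard and self.contains_phi:
            raise ValueError(f"standard field {self.name!r} cannot be marked PHI")


@dataclass
class HipaaSettings:
    enabled: bool = False          # master "HIPAA compliance settings" switch
    restrict_api: bool = False     # "Restrict data access through API"
    restrict_export: bool = False  # "Restrict data export"

    def withhold_phi_from(self, channel: str) -> bool:
        # Turning the master switch off revokes every restriction.
        if not self.enabled:
            return False
        return {"api": self.restrict_api, "export": self.restrict_export}[channel]


def redact(record: dict, fields: Dict[str, CustomField],
           settings: HipaaSettings, channel: str) -> dict:
    """Copy of a contact record with PHI fields removed for the given channel."""
    if not settings.withhold_phi_from(channel):
        return dict(record)
    # Unknown field names are treated as PHI-free custom fields (assumption).
    return {k: v for k, v in record.items()
            if not fields.get(k, CustomField(k)).contains_phi}


# Constructed sample data, not taken from any real account.
FIELDS = {
    "email": CustomField("email", standard=True),
    "symptoms": CustomField("symptoms", contains_phi=True),
    "medication": CustomField("medication", contains_phi=True),
}
CONTACT = {"email": "a@example.com", "symptoms": "migraine", "medication": "sumatriptan"}


def demo():
    on = HipaaSettings(enabled=True, restrict_api=True, restrict_export=False)
    off = HipaaSettings(enabled=False, restrict_api=True, restrict_export=True)
    return (redact(CONTACT, FIELDS, on, "api"),      # PHI withheld
            redact(CONTACT, FIELDS, on, "export"),   # export switch off: PHI present
            redact(CONTACT, FIELDS, off, "export"))  # master switch off: PHI present
```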

How to configure HIPAA compliance?

  1. From the Navigation toolbar select Settings. Under General, select Compliance settings and click HIPAA Compliance.
  2. Toggle the HIPAA compliance settings switch on. Once you toggle this on, switches that enable restriction of personal health data appear.
  3. Toggle the Restrict data export switch or the Restrict data export through APIs switch on. This restricts users from sharing data.


How to mark a field as containing personal health data?

  1. From the Navigation toolbar select Settings. Under Customization, select Custom Fields.
  2. Click Create Custom Field on the Accounts page.
  3. After filling out the custom field details, check the Contains Personal health data check box. You can also edit an existing field and mark or unmark it as containing personal health data.

How to encrypt a field containing health data?

  1. From the Navigation toolbar select Settings. Under Customization, select Custom Fields.
  2. Click Create Custom Field on the Accounts page.
  3. After filling out the custom field details, check the Encrypt field data box. You can also edit an existing field and encrypt or decrypt its data.

How to disable HIPAA compliance?

  1. From the Navigation toolbar select Settings. Under General, select Compliance settings and click HIPAA Compliance.
  2. Toggle the HIPAA compliance settings switch off. Once you toggle this off, a confirmation dialog box appears.
  3. Click Yes, Disable HIPAA Compliance.
  4. Once you disable HIPAA compliance, the export restriction and the other restrictions related to it are revoked.

Retrieving the audit log

As a covered entity, it is your responsibility, and a best practice, to export logs periodically and preserve them for the required retention period. To facilitate this, you can export the audit log whenever required using the Export Audit Log option. In Zoho Campaigns, the audit log is available for 6 months by default. If you require data older than 6 months, contact support@zohocampaigns.com.
