What kind of encryption is added to the PHI fields?
Fields that contain personal health information (PHI) of individuals can be encrypted to prevent unauthorized access. Once encrypted, the fields are protected with Encryption at Rest (EAR).
Encryption at Rest
Encryption at Rest refers to data that is encrypted while it is stored (not moving) — either on a disk, in a database, or on some other form of media. In addition to encrypting data in transit, encrypting data while it is stored on the servers provides an even higher level of security. EAR protects against data leaks that could result from server compromise or unauthorized access to the stored media.
Encryption is done at the application layer using the AES-256 algorithm, a symmetric cipher that operates on 128-bit blocks with 256-bit keys. The key used to convert the data from plain text to cipher text is called the Data Encryption Key (DEK). The DEK is itself encrypted using a Key Encryption Key (KEK), which provides yet another layer of security. The keys are generated and maintained by our in-house Key Management Service (KMS).
Limitations and Trade-offs applied to the encrypted fields
Encrypted fields are subject to the following limitations:
In global search, an encrypted field matches only when the full value is searched for, not a part of it. For instance, if the encrypted value is "Joseph Wells", the record does not appear in the results of a search for "Joseph".
Encrypted fields cannot be used in Advanced Filters.
Encrypted fields cannot be found using Search by Criteria.
Encrypted fields are not visible in the Sort option.
Encrypted information is only stored in the crm.zoho.com domain. Use the encrypted information in other domains or third-party services at your own discretion.
In the Forecasts module, encrypted fields cannot be used as Target Fields.
Note that field encryption is a separate feature and not part of HIPAA Compliance. PHI fields can be encrypted even without marking them as containing PHI (marking is mandatory for HIPAA compliance). To help organizations comply with HIPAA regulations, Zoho CRM allows them to mark fields as containing personal health information. By doing so, they can restrict the export of individuals' health information to third-party apps via integrations or through the API.