A total of 25 fields in each module can be marked as fields containing personal health data. Once marked, certain restrictions can be set to prevent unauthorized access to the sensitive values in those fields.
Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
The following restrictions can be set on the PHI fields:
Restrict data access through API: Other applications can connect to CRM through the API and transfer data. You can ensure that your customers' personal health data is not shared in the process by restricting the transfer of personal health data to other applications via the API.
Restrict data export: When exporting data from the CRM account, you can withhold personal health information from the export by checking this option.
Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps.
The following table lists the integrations and the implications when personal data is restricted. Some fields are mandatory for an integration, such as Email for the Zoho Projects integration. If you mark Email as a personal field, the data will not be sent from CRM to Projects.
Integrations with Zoho Apps | Fields mandatory for the integration | What happens when personal health data is restricted? |
Zoho Desk | Last Name and Email | Data will not be pushed from Zoho CRM. |
Zoho Projects | | Client user will not be added through project creation or association. |
Zoho Finance Suite | Last Name and Email | Data will not be pushed from Zoho CRM. |
Zoho Campaigns | | Data will not be pushed from Zoho CRM. |
Zoho Recruit | | Data will not be pushed from Zoho CRM. |
Zoho Cliq | NA | Details other than those from the personal fields will be shared via Zoho Cliq. |
Zoho Analytics | NA | If one of the previously synced fields is restricted, reports based on those fields will be deleted. |
Zoho Writer | NA | NA |
Zoho Motivator | NA | NA |
Zoho Creator | NA | NA |
Zoho Mail | NA | NA |
Zoho Calendar | NA | NA |
Zoho Social | NA | NA |
Zoho Sales IQ | NA | NA |
Zoho Survey | NA | NA |
Restrict data transfer to third party apps: If your CRM account is integrated with third-party applications for business-related reasons, data may flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps.
Integrations with Third-party Apps
Integrations with Other Apps | Fields mandatory for the integration | What happens when personal health data is restricted? |
Microsoft Office 365 | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
Microsoft Outlook | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
Google Contacts | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
Slack | NA | Details other than those from the personal fields will be shared via Slack. |
Android or iOS Speech Recognizer (Zia Voice) | NA | Only the call to Zia action will be disabled; the chat with Zia option will work as usual. |
To set restrictions on PHI fields
Go to Setup > Users and Controls > Compliance Settings.
Click the HIPAA Compliance tab.
Toggle the Enable HIPAA Compliance Settings button.
Select the modules from the dropdown list.
You can select up to 10 modules.
In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.