HIPAA Compliance with Zoho People

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act) (“HIPAA”) requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.

Zoho People does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho People provides certain features (as described below) to help its customers use Zoho People in a HIPAA-compliant manner.

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

Features in Zoho People that enable you to achieve HIPAA compliance

As many organizations use Zoho People and share employee information on the cloud, it is important that the health information and related HIPAA identifiers are protected and recorded in a confidential manner.

1. Labelling of Electronic protected health information (ePHI)

Custom fields that contain personal health details can be marked as ‘ePHI’. This applies to single-line, multi-line, and number custom fields.

Navigate to Settings > Customization > Forms and select the respective form.

2. Encryption of ePHI

Employee fields containing ePHI data in forms can be encrypted. All files are encrypted at rest.

3. Audit trail of ePHI

Using the audit history feature, any changes made to data in the ePHI-related fields can be tracked. The audit trail records data changes in the fields for which you have enabled audit. Audit can be enabled for a field under form customization. Audit history can also be exported.

4. Activity Log of ePHI

Activity logs can help track the various changes made to entities that can contain ePHI-related data. A detailed log of the date, time of the action, the name of the employee who performed the action, and other details about the action can be seen under the activity log.

5. Export History of ePHI

The overall history of all exports can be tracked and viewed.

6. Controlling access to ePHI

You can define who can perform add, edit, view, and delete actions for ePHI-related fields and records.

7. Other security measures offered by Zoho People

User Access Control, Data Backup, and ISO certificates