How does Zoho CRM help organizations be HIPAA Compliant?
At Zoho CRM, we allow organizations to be compliant with the HIPAA guidelines by providing the following options:
Select modules that contain personal health data: All modules that contain protected health information must be selected. Both standard and custom modules can be selected. A total of 10 modules can be selected.
Mark fields as containing personal health information: In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields. Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
Set restrictions for the data marked as PHI: There are four options for restricting personal data from being accessed outside Zoho CRM. Any of these options can be enabled depending on the org's requirements:
Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
Restrict data export: While exporting data from the CRM account you may want to withhold personal health information from being exported by checking this option.
Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, Projects etc. the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions refer to the table.
Restrict data transfer to third party apps: If your CRM account is integrated with third party applications for business related reasons there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
Encrypt PHI fields: Fields that contain personal health information can be encrypted for additional security. Though field encryption is not a mandatory step in Zoho CRM, we strongly recommend you enable encryption as it is the best practice to prevent unauthorized access to confidential data.
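The three controls above (selecting up to 10 modules, marking up to 25 fields per module while rejecting lookup, multi-select lookup and autonumber fields, and then withholding those fields on restricted channels) are a field-level data-classification policy. The Go program below is an added illustration of that policy, written for this page; it is not Zoho CRM code and does not use the Zoho API. The type names, the `Channel` values and the sample contact record are constructed for the example.

```go
package main

import "fmt"

// Field types the page says cannot be marked as PHI.
var unmarkableTypes = map[string]bool{
	"lookup":            true,
	"multiselectlookup": true,
	"autonumber":        true,
}

const (
	maxPHIModules = 10 // page: at most 10 modules can be selected
	maxPHIFields  = 25 // page: at most 25 PHI fields per module
)

// Channel is the path by which a record leaves the CRM (constructed for this example).
type Channel int

const (
	ChannelUI         Channel = iota // record detail page inside the CRM; never restricted
	ChannelAPI                       // "Restrict data access through API"
	ChannelExport                    // "Restrict data export"
	ChannelZohoApp                   // "Restrict data transfer to Zoho apps"
	ChannelThirdParty                // "Restrict data transfer to third party apps"
)

// Restrictions mirrors the four toggles under Personal Health Data Handling.
type Restrictions struct {
	API, Export, ZohoApps, ThirdParty bool
}

// Policy records which modules are in scope and which of their fields hold PHI.
type Policy struct {
	modules map[string]map[string]bool // module name -> set of PHI field names
	restr   Restrictions
}

func NewPolicy(r Restrictions) *Policy {
	return &Policy{modules: map[string]map[string]bool{}, restr: r}
}

// SelectModule brings a module under HIPAA handling, enforcing the 10-module limit.
func (p *Policy) SelectModule(name string) error {
	if _, ok := p.modules[name]; ok {
		return nil
	}
	if len(p.modules) >= maxPHIModules {
		return fmt.Errorf("cannot select %q: limit of %d HIPAA modules reached", name, maxPHIModules)
	}
	p.modules[name] = map[string]bool{}
	return nil
}

// MarkPHI flags a field as personal health data, enforcing the type and count rules.
func (p *Policy) MarkPHI(module, field, fieldType string) error {
	fields, ok := p.modules[module]
	if !ok {
		return fmt.Errorf("module %q is not selected for HIPAA compliance", module)
	}
	if unmarkableTypes[fieldType] {
		return fmt.Errorf("field %q of type %s cannot be marked as PHI", field, fieldType)
	}
	if !fields[field] && len(fields) >= maxPHIFields {
		return fmt.Errorf("module %q already has %d PHI fields", module, maxPHIFields)
	}
	fields[field] = true
	return nil
}

// blocked reports whether PHI must be withheld on the given channel.
func (p *Policy) blocked(ch Channel) bool {
	switch ch {
	case ChannelAPI:
		return p.restr.API
	case ChannelExport:
		return p.restr.Export
	case ChannelZohoApp:
		return p.restr.ZohoApps
	case ChannelThirdParty:
		return p.restr.ThirdParty
	}
	return false
}

// Redact returns a copy of record with PHI fields dropped when the channel is restricted.
func (p *Policy) Redact(module string, record map[string]string, ch Channel) map[string]string {
	out := make(map[string]string, len(record))
	phi := p.modules[module]
	for k, v := range record {
		if p.blocked(ch) && phi[k] {
			continue
		}
		out[k] = v
	}
	return out
}

func main() {
	p := NewPolicy(Restrictions{API: true, Export: true})
	_ = p.SelectModule("Contacts")
	_ = p.MarkPHI("Contacts", "Surgical_History", "textarea")
	// Constructed sample record; not real patient data.
	rec := map[string]string{"Last_Name": "Wells", "Surgical_History": "appendectomy"}
	fmt.Println("API view:", p.Redact("Contacts", rec, ChannelAPI))
	fmt.Println("UI view: ", p.Redact("Contacts", rec, ChannelUI))
}
```

The `Redact` function is deliberately channel-aware: the same record is complete on the in-app detail page and stripped of PHI on whichever outbound paths the admin toggled, which is exactly the split the page describes.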
Where do I find the option to mark fields as personal health information?
In a module, there may be only a few fields that contain personal health details of a customer. For example, surgical history, symptoms, medication details, etc. Marking these fields as personal health details will help the system identify and restrict access to these fields through API and prevent the export of these field values. A total of 25 fields in each module can be marked as personal health data containing fields.
Note: Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
To mark fields that contain personal health data
Go to Setup > Customization > Modules and Fields.
Select a module and click the More icon to select the desired layout. Alternatively, you can click the More icon and select Edit Layout.
Go to the desired field and click the More icon.
Click Edit Properties and check the Contains Personal Health Data box. Remember that this option will only appear if the module has been selected for HIPAA compliance.
Where can I see the personal health data records in CRM?
All the fields that are marked as containing personal health data will be listed in the record detail page. Under Data Privacy, in the Personal Data section, you can click the Health tab to view the fields that have personal health data.
Does Zoho provide audit log as part of HIPAA compliance?
As a covered entity, it is your responsibility and best practice to export logs periodically and preserve them for the required period. To facilitate this, we allow you to export the audit log as and when required using the Export Audit Log option. In Zoho CRM, the audit log is available for 60 days by default.
To export audit log entries
Log in to Zoho CRM with Administrator privilege.
Go to Setup > Security Control > Audit Log.
In the Audit Log page, click Export Audit Log. The entries will be exported in a .csv format.
In case you require data beyond 60 days, you can reach out to support@zohocrm.com.
How do I configure HIPAA Compliance in my CRM account?
With more healthcare organizations using CRM to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information. In Zoho CRM, we provide ways for healthcare organizations to secure and restrict export of individuals' health information and stay compliant with the HIPAA guidelines.
To configure HIPAA compliance
Go to Setup > Security Control > Compliance Settings.
Click the HIPAA Compliance tab.
Toggle the Enable HIPAA Compliance Settings button. Select the modules from the dropdown list. You can select up to 10 modules.
In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.
To mark fields that contain personal health data
Go to Setup > Customization > Modules and Fields.
Select a module and click the More icon to select the desired layout. Alternatively, you can click the More icon and select Edit Layout.
Go to the desired field and click the More icon.
Click Edit Properties and check the Contains Personal Health Data box. Remember that this option will only appear if the module has been selected for HIPAA compliance.
Where can I get the Business Associate Agreement template?
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
What kind of encryption is added to the PHI fields?
Fields that contain personal health information of individuals can be encrypted to prevent unauthorized access. Once encrypted, the fields are protected with Encryption at Rest (EAR).
Encryption at Rest
Refers to data that is encrypted when it is stored (not moving) — either on a disk, in a database, or on some other form of media. In addition to encryption of data in transit, encryption of data when it is stored on the servers provides an even higher level of security. EAR protects against data leaks due to server compromise or unauthorized access to the storage.
Encryption is done at the application layer using the AES-256 algorithm, a symmetric encryption algorithm that uses 128-bit blocks and 256-bit keys. The key used to convert the data from plain text to cipher text is called the Data Encryption Key (DEK). The DEK is itself encrypted using the Key Encryption Key (KEK), providing another layer of security. The keys are generated and maintained by our in-house Key Management Service (KMS).
Limitations and trade-offs that apply to encrypted fields:
Only full-text search is supported in global search. For instance, if the encrypted data is "Joseph Wells," the encrypted field record does not show in the results of a search for "Joseph."
Encrypted fields cannot be used in Advanced Filters
Encrypted fields cannot be found using Search by Criteria
Encrypted fields are not visible in the Sort option.
Encrypted information is only stored in the crm.zoho.com domain. Use the encrypted information in other domains or third-party services at your own discretion.
In the Forecasts module, encrypted fields cannot be used as Target Fields.
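The two-key scheme described above (a per-value DEK that encrypts the field, wrapped by a KEK from the KMS) and the search limitation in the list (only a whole-value match is possible, "Joseph" does not find "Joseph Wells") are illustrated together in the Go program below. It is an added example written for this page, not Zoho's implementation or whitepaper code: it uses AES-256-GCM from the Go standard library, `NewKey` stands in for the KMS, and `EncryptedField`, `FindExact` and the sample value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedField is the stored form of one encrypted PHI value: the value sealed under a
// per-value Data Encryption Key (DEK), and that DEK sealed under the Key Encryption Key (KEK).
type EncryptedField struct {
	WrapNonce  []byte // nonce used when wrapping the DEK under the KEK
	WrappedDEK []byte // AES-256-GCM ciphertext of the DEK
	Nonce      []byte // nonce used when sealing the value under the DEK
	Ciphertext []byte // AES-256-GCM ciphertext (plus auth tag) of the field value
}

// NewKey stands in for the KMS: a fresh random 256-bit key, used for both KEK and DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// seal encrypts plaintext with AES-256-GCM under key, using a random 96-bit nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the ciphertext was modified.
func open(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// EncryptField generates a DEK for this value, seals the value under it, then wraps the DEK under the KEK.
func EncryptField(kek []byte, value string) (EncryptedField, error) {
	dek, err := NewKey()
	if err != nil {
		return EncryptedField{}, err
	}
	nonce, ct, err := seal(dek, []byte(value))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{WrapNonce: wrapNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with the KEK, then opens the value with the DEK.
func DecryptField(kek []byte, f EncryptedField) (string, error) {
	dek, err := open(kek, f.WrapNonce, f.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, f.Nonce, f.Ciphertext)
	if err != nil {
		return "", fmt.Errorf("open value: %w", err)
	}
	return string(pt), nil
}

// FindExact is the only lookup this stored form supports: decrypt each row and compare the
// whole value. The ciphertext carries nothing a search layer could use to match a substring.
func FindExact(kek []byte, rows map[int]EncryptedField, query string) ([]int, error) {
	var hits []int
	for id, f := range rows {
		v, err := DecryptField(kek, f)
		if err != nil {
			return nil, err
		}
		if v == query {
			hits = append(hits, id)
		}
	}
	return hits, nil
}

func main() {
	kek, _ := NewKey() // constructed: in the real service the KMS holds the KEK
	f, _ := EncryptField(kek, "Joseph Wells")
	v, err := DecryptField(kek, f)
	fmt.Println(v, err)
}
```

Because GCM authenticates the ciphertext, a wrong KEK or a modified stored value is detected at decryption time rather than yielding garbage, and rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting every field value.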
Note that field encryption is a separate feature and not part of HIPAA compliance. Fields can be encrypted even without marking them as containing PHI (marking is mandatory for HIPAA compliance; encryption is not).
To help organizations be compliant with HIPAA regulations, Zoho CRM allows them to mark fields as containing personal health information. By doing so, they can restrict export of individuals' health information to third-party apps via integration or through the API.
What kind of restrictions can be set for the PHI fields under HIPAA Compliance?
A total of 25 fields in each module can be marked as personal health data containing fields. Once marked, there are certain restrictions that can be set to prevent unauthorized access to the sensitive values present in the fields.
Note
Lookup, multi-select lookup, and autonumber fields cannot be marked as personal health data.
The following restrictions can be set on the PHI fields:
Restrict data access through API: Other applications can connect with CRM using API, and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from CRM to these applications. This option will prevent personal health data from being transferred to other apps.
The following table provides the details of the various integrations and the implications when personal health data is restricted. Certain fields are mandatory for an integration, such as Email for the Zoho Projects integration; if you mark Email as a personal health field, the data will not be sent from CRM to Projects.
Integrations with Zoho Apps

| Integrations with Zoho Apps | Fields mandatory for the integration | What happens when personal health data is restricted? |
|---|---|---|
| Zoho Desk | Last Name and Email | Data will not be pushed from Zoho CRM. |
| Zoho Projects | Email | Client user will not be added through project creation or association. |
| Zoho Finance Suite | Last Name and Email | Data will not be pushed from Zoho CRM. |
| Zoho Campaigns | Email | Data will not be pushed from Zoho CRM. |
| Zoho Recruit | Email | Data will not be pushed from Zoho CRM. |
| Zoho Cliq | NA | Details other than those from the personal fields will be shared via Zoho Cliq. |
| Zoho Analytics | NA | If one of the previously synced fields is restricted, then reports based on those fields will be deleted. |
| Zoho Writer | NA | NA |
| Zoho Motivator | NA | NA |
| Zoho Creator | NA | NA |
| Zoho Mail | NA | NA |
| Zoho Calendar | NA | NA |
| Zoho Social | NA | NA |
| Zoho Sales IQ | NA | NA |
| Zoho Survey | NA | NA |
Restrict data transfer to third party apps: If your CRM account is integrated with third-party applications for business related reasons, there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps.
Integrations with Third-party Apps

| Integrations with Other Apps | Fields mandatory for the integration | What happens when personal health data is restricted? |
|---|---|---|
| Microsoft Office 365 | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
| Microsoft Outlook | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
| Google Contacts | First Name | As First Name cannot be marked as a personal field, the integration will work as usual. |
| Slack | NA | Details other than those from the personal fields will be shared via Slack. |
| Android or iOS Speech Recognizer (Zia Voice) | NA | Only the call to Zia action will be disabled; the chat with Zia option will work as usual. |
To set restrictions on PHI fields
Go to Setup > Security Control > Compliance Settings.
Click the HIPAA Compliance tab.
Toggle the Enable HIPAA Compliance Settings button. Select the modules from the dropdown list. You can select up to 10 modules.
In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.
How does Zoho manage personal health information fields to comply with HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA), which includes the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act, requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.
Important
Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes.
Note
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
Zoho CRM provides features to help its customers use CRM within the bounds of HIPAA compliance. To allow health organizations to comply with HIPAA, we allow admins to mark the fields that contain personal health information of individuals so that certain restrictions can be put in place to prevent unauthorized access to those sensitive details. For example, patient ID, surgical details, and ailments are an individual's personal health information, which should not be available to outsiders.
To mark fields that contain personal health data
Go to Setup > Customization > Modules and Fields.
Select a module and click the More icon to select the desired layout. Alternatively, you can click the More icon and select Edit Layout.
Go to the desired field and click the More icon.
Click Edit Properties and check the Contains Personal Health Data box.
Remember that this option will only appear if the module has been selected for HIPAA compliance.
Once marked, there are certain restrictions which can be set to prevent unauthorized access to the sensitive values present in the fields.
Restrict data access through API: Other applications can connect with CRM using API and data can be transferred. You can ensure that personal health data of your customers is not shared in the process, by restricting transfer of personal health data to other applications via API.
Restrict data export: While exporting data from the CRM account, you may want to withhold personal health information from being exported by checking this option.
Restrict data transfer to Zoho apps: If the CRM account is integrated with other Zoho applications like Desk, Campaigns, and Projects, the data will flow from the CRM to these applications. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
Restrict data transfer to third party apps: If your CRM account is integrated with third-party applications for business-related reasons, there will be chances of data flow from CRM to these apps. This option will prevent personal health data from being transferred to other apps. To check the data flow restrictions, refer to the table.
To set restrictions on PHI fields
Go to Setup > Security Control > Compliance Settings.
Click the HIPAA Compliance tab.
Toggle the Enable HIPAA Compliance Settings button. Select the modules from the dropdown list. You can select up to 10 modules.
In Personal Health Data Handling, toggle Restrict Data access through API, Restrict Data in Export, or both, as required.
Does marking a field as PHI (Personal Health Information) automatically encrypt it?
No, marking a field as PHI only enables the system to identify that the values present in it contain personal health information of an individual.
As an additional layer of security, these fields can be encrypted separately. While this isn't mandatory, encrypting them is the recommended best practice. Find out more about field encryption.
The encrypted fields are protected with Encryption at Rest (EAR). Read more about encryption in Zoho's Encryption Whitepaper.
To encrypt/decrypt PHI fields
Go to Setup > Customization > Modules and Fields > [Select the module].
In the module layout editor, go to the field you wish to encrypt, click the Settings icon and select Edit Properties.
In the Field Properties popup, select the Encrypt Field checkbox.