HIPAA Compliance

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA"), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Assist provides certain features (as described below) to help its customers use Zoho Assist in a HIPAA compliant manner. 

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

The uses of remote support software—from monitoring a patient's health remotely to managing special medical devices—has greatly helped the healthcare industry cross a lot of hurdles. However, because these activities involve transferring patient data across the Internet, remote support software must ensure data in transit cannot be intercepted.

What constitutes to be ePHI (electronic Personal Health Information)

Patient Name, Patient Email ID, Support Session Agenda, Session Description and Session Recordings are considered ePHI.

How does Zoho Assist help a healthcare organization to comply with HIPAA?

Zoho Assist has a number of safeguards to help healthcare organizations fulfil their HIPAA requirements. Here are ways in which Zoho Assist will help your organization to achieve HIPAA compliance

HIPAA RequirementsFeatures that help you to fulfill HIPAA guidelines
Access Control  
  • Consent-based access to unattended computers.
  • Technicians are required to enter admin credentials to bypass the UAC.
  • Different access levels for Super Admins, Admins, and Technicians.
  • Consent required for various remote support functions like file transfer, clipboard sharing, and session recording.
Audit Controls 
  • All sessions initiated from an organization can be recorded for auditing purposes.
  • Keep track of all the activities in your organization with the Action Log Viewer.
  • Analyze each and every session initiated from your organization with Session Reports.
  • For audit data we are providing a retention period of 365 days, with the ability to export your data. Learn more.
IntegrityZoho Assist has mechanisms that ensure a high degree of integrity to protect patient information. They include:
  • Inactive session timeout.
  • Automatic lock of the remote screen at the end of each session.
AuthenticationZoho Assist has mechanisms that ensure a high degree of integrity to protect patient information. They include:
  • Two-factor Authentication
  • Unique Session ID for each session.
  • Technicians conducting the remote support session is approved and granted access by the administrator.
  • User authentication with an email address.

Zoho Assist encrypts the ePHI data both in Transit and at Rest. 

  • Encryption in transit refers to data that is encrypted when it is in transit, including from your browser to the web server and other third parties via integrations.
  • Encryption at rest refers to data that is encrypted when it is stored (not moving), either on a disc, in a database, or some other form of media.
  • Encryption is performed at the application layer using the AES-256 algorithm which is a symmetric encryption algorithm and uses 128-bit blocks and 256-bit keys.
  • Our servers encrypt and store the screenshots and session recordings captured during Zoho Assist remote support sessions and unattended access sessions. Know more.