The Health Insurance Portability and Accountability Act, HIPAA (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.
Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Calendar provides certain features (as described below) to help its customers use calendars in a HIPAA compliant manner.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
Textual data such as calendar name, calendar description, event title, event description and location, when entered in Zoho Calendar, is considered electronic protected health information (ePHI) data when it references a patient or their medical records.
Zoho Calendar provides the following features and controls that allow administrators to implement a HIPAA-compliant calendar service for their organization.
User roles and permissions
Zoho Calendar offers role-based access to the administration panel. The Super Administrator role is exclusive and can only be designated to one user. Additionally, only the Super Administrator holds the authority to assign the administrator role to other members within the organization.
Administrators can set up policies for creating events, sending invitations, allowing users to share, subscribe to, or import calendars, and more. Regular users have no access to the Admin Console and cannot view or use administrator functions. Refer to the roles and privileges documentation for more details.
Security controls
Zoho Calendar gives administrators fine-grained control over the organization's security policies. The administrator can enforce and customize the following policies to suit their organization's compliance requirements:
Encryption
The service data stored in Zoho Calendar is encrypted at rest and in transit. Physical security controls at the data centres and transport-level encryption keep your data protected. To know more about encryption, please refer to Zoho's Encryption Whitepaper.
Calendar/Event Deletion
Zoho Calendar provides features in the web interface that allow users to delete their data: they can delete an event or remove a calendar. Please note that Group, App, and Subscribed calendars cannot be deleted; however, users can unsubscribe from them to stop receiving updates. Additionally, users can remove themselves from an event using the Remove me option.
Audit trail
Zoho Calendar records both administrator and user activities in audit logs that are accessible from the Admin Panel. The audit logs are retained for a period of one year, so the administrator can retrieve a user's calendar and event activities from the past year through the Zoho Calendar Admin Console.
Data retention
Administrators can export data from the last six months for both active and inactive users. The data is exported from the Zoho Calendar Admin Console as ZIP files containing the calendar files in ICS format.
Modification of Terms of Use
Zoho reserves the right to modify the Terms. Modifications to the Terms are effective upon your use of Zoho Calendar subsequent to publication of such modification.
Disclaimer: The content presented here is not to be construed as legal advice. This is a guideline on how Zoho Calendar provides control to the organizations to be HIPAA compliant. Please contact your legal advisor to know how HIPAA is applicable and how it impacts your organization and the processes involved to be HIPAA compliant.