The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also grants certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Marketing Automation provides certain features (described below) to help its customers use Zoho Marketing Automation in a HIPAA-compliant manner.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
Zoho Marketing Automation provides the following features and controls that allow administrators to handle electronic protected health information (ePHI) in a HIPAA-compliant manner within their organization.
Marking ePHI fields
In Zoho Marketing Automation, you can identify and label the custom fields that contain ePHI. Marking a field this way lets you apply the relevant controls to it: restricting who can access the field, auditing operations on it, and applying functions such as encryption and anonymization. Only fields you have explicitly marked are covered by these controls, so review your custom fields carefully when deciding which ones hold ePHI.
Restricting ePHI transfer
Once you enable HIPAA compliance in the settings window, you are presented with options to restrict data transfer. There are two options for preventing ePHI from leaving Zoho Marketing Automation; either or both can be enabled depending on your organization's requirements:
- Restrict data access through API
- Restrict data export
Auditing operations involving ePHI
All operations involving fields marked as ePHI are recorded in the audit trail. You can review the audit logs to track alterations, exports, or any other activity performed on those fields. The recorded logs are available for a period of up to six months; if your retention policy requires a longer history, plan to retain copies elsewhere before the entries age out.