Introduction

The Health Insurance Portability and Accountability Act, including the Privacy Rule, Security Rule, Breach Notification Rule, and the Health Information Technology for Economic and Clinical Health Act ("HIPAA"), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also grants certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Meeting provides certain features (described below) to help its customers use Zoho Meeting in a HIPAA-compliant manner.

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

HIPAA Compliance in Zoho Meeting

The use of web conferencing software, from monitoring a patient's health remotely to managing specialized medical devices, has greatly helped the healthcare industry improve the accessibility and convenience of care. However, because these activities involve transferring patient data over the Internet, web conferencing software must protect data in transit from interception.

How does Zoho Meeting help healthcare organizations comply with HIPAA?

Zoho Meeting includes a number of safeguards to help healthcare organizations meet HIPAA requirements. Here is how Zoho Meeting helps your organization achieve HIPAA compliance:

Access Control

Ensure that machines containing health information are accessed only by authorized individuals.
  • Different access levels for admins and users.
  • Consent of both presenter and participant is required for meeting/webinar features such as screen sharing, audio (speaker and microphone), video, and Allow to Talk.
  • Only the host can record a session, and all meeting participants will see a notification when the session is being recorded.
  • Only the host and admin can edit the session and view webinar details in Analytics.
  • Unique email IDs can be used to track user identity.

Must employ a mechanism for encrypting and decrypting electronic protected health information (ePHI).
  • Patient Name, Patient Email ID, Meeting Agenda, Webinar Description and Session Recordings are considered ePHI and are encrypted in Zoho Meeting.
  • Encrypting ePHI prevents unauthorized access to confidential data.
  • Zoho Meeting uses AES (Advanced Encryption Standard), one of the strongest and most widely trusted ciphers, to encrypt sensitive data, and AES-256 to secure data stored on our servers.
  • Encryption protects data during transit and keeps customer information unreadable to an attacker in the event of a breach.

Audit Controls

Must be able to record and examine the activities of the information systems.
  • All meeting/webinar sessions initiated by the organization can be recorded for auditing purposes.
  • Patient Name and Patient Email ID can be tracked in Analytics. Both are visible only to authorized admins and organizers of the webinar.
  • Analyze every meeting/webinar initiated by your organization with Analytics, Action Log Viewer, and Recordings.
  • Keep track of all activities in your organization with the Action Log Viewer. This includes:
    • The session details such as topic, description, agenda
    • Recording access and download details
    • Users who have exported webinar analytics
    • Users who have viewed/downloaded recordings online

Integrity

Protect patient health information from being altered or deleted.

Zoho Meeting offers multiple mechanisms to ensure a high degree of integrity to protect patient information. These include:

  • Consent is required from users for connecting to speaker, microphone, and video before joining a meeting/webinar.
  • The patient's name and email address entered by them during the meeting/webinar will be encrypted.
  • Meeting Agenda, Webinar Description and Recording Data are encrypted in Zoho Meeting.
  • Organizations can opt in to periodic anonymization of ePHI, which replaces the original Patient Name and Patient Email ID with anonymized values.

Authentication

Verify that the person logging in or joining the meeting is the person they claim to be.
  • Two-factor authentication.
  • Unique key for each meeting/webinar.
  • The host of the meeting/webinar must be a member of the host organization and must be approved and granted access by the organization's administrator.
Note:

1. Currently the Patient Name, Patient Email ID, Meeting Agenda, Webinar Description and Recording Data are considered ePHI and are encrypted in Zoho Meeting.

2. Any modifications in the ePHI can be tracked in the Action Log Viewer.

Other security practices followed by Zoho Meeting

In Zoho Meeting, all transmissions take place over SSL with 128-bit AES encryption, the industry-standard security practice. All data that users share is fully encrypted and stored securely. Refer to Security and Privacy in online sessions to learn more.