Introduction
The Health Insurance Portability and Accountability Act (HIPAA) (including the Privacy Rule, Security Rule, and Breach Notification Rule) and the Health Information Technology for Economic and Clinical Health Act (HITECH) require covered entities and business associates to take certain measures to protect health information that can identify an individual. They also grant certain rights to individuals. Zoho does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. However, Zoho Webinar provides certain features (described below) to help its customers use Zoho Webinar in a HIPAA-compliant manner.
HIPAA requires covered entities to sign a Business Associate Agreement (BAA) with their business associates. You can request our BAA template by sending an email to legal@zohocorp.com.
HIPAA compliance in Zoho Webinar
Using webinar software to facilitate communication, education, training, workshops, and collaboration among healthcare professionals, patients, and other stakeholders helps the healthcare industry increase accessibility and convenience of care. However, because these activities involve transferring patient data over the internet, webinar software must ensure that data in transit cannot be intercepted.
How does Zoho Webinar help healthcare organizations comply with HIPAA?
Zoho Webinar includes a number of safeguards to help healthcare organizations comply with HIPAA requirements, such as the following:
Access control
Ensure that only authorized individuals can access hardware containing health information.
- There are different access levels for admins and users.
- Organizers and attendees must give consent before using webinar features like screen sharing, audio (speaker and microphone), video, and Allow to Talk.
- Only the organizer can record a session, and all webinar attendees will see a notification when the session is being recorded.
- Only the organizer and admin have access to edit the session and view the webinar details in the analytics.
- Unique email IDs can be used to track user identity.
Encryption
Healthcare organizations must employ a mechanism for encrypting and decrypting electronic protected health information (ePHI).
- The patient’s name and email ID, the webinar title and description, and session recordings are all considered ePHI and are encrypted in Zoho Webinar.
- Encrypting ePHI prevents unauthorized access to confidential data.
- Zoho Webinar uses one of the strongest and most robust ciphers to keep your data secure.
- All data, including ePHI, is encrypted in transit to prevent unauthorized access on the network.
Audit controls
Healthcare organizations must be able to record and examine the activities of the information systems.
- All webinar sessions initiated by the organization can be recorded for auditing purposes.
- The patient name and email ID can be tracked in Analytics. These data points will be exposed only to authorized admins and webinar organizers.
- Analyze every webinar your organization initiates with Analytics, Action Log Viewer, and Recordings.
- Keep track of all activities in your organization with the Action Log Viewer. This includes:
  - The session details, such as topic and description
  - Recording access management details
  - Org users who have exported webinar analytics
  - Org users who have viewed or downloaded recordings online
Authentication
Verify that the person logging in or joining the webinar is who they claim to be.
- Require two-factor authentication for organizers.
- Provide a unique link for each webinar attendee.
- The organizer of the webinar must be a member of the organization, and the organization's administrator must approve and grant access.
1. Currently, the patient name, patient email ID, webinar title, webinar description, and recording data are considered ePHI and are encrypted in Zoho Webinar.
2. Any modification of the ePHI can be tracked in the Action Log Viewer.