HIPAA Compliance

HIPAA, the Health Insurance Portability and Accountability Act, is a US federal law enacted in 1996 to protect an individual's Personal Health Information (PHI).

As more healthcare organizations adopt a CRM to run their business and store customer information in a shared database, it is crucial that they can guarantee the confidentiality of an individual's health information. Zoho CRM provides ways for healthcare organizations to secure individuals' health information, restrict its export, and stay compliant with the HIPAA guidelines.

Organization API

A new key, hipaa_compliance_enabled, is added to the Organization API. Its data type is boolean (true/false). The same key is also returned by the Fields Metadata and Layouts Metadata APIs, where it indicates whether the field or layout stores personal health data.

Sample Request: To get Organization Data

curl "https://www.zohoapis.com/crm/v2/org" \
-X GET \
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"

Note:
  • If hipaa_compliance_enabled=true, HIPAA Compliance is enabled for the Org.

  • If hipaa_compliance_enabled=false, HIPAA Compliance is disabled.

Sample Response

{
  "org": [
    {
      "country": "US",
      "photo_id": null,
      "city": null,
      "description": null,
      "mc_status": true,
      "gapps_enabled": false,
      "domain_name": "org55528254",
      "translation_enabled": false,
      "street": null,
      "alias": null,
      "currency": "Indian Rupee",
      "id": "111111000000033001",
      "state": null,
      "fax": null,
      "employee_count": null,
      "zip": null,
      "website": "www.zylker.com",
      "currency_symbol": "₹",
      "mobile": null,
      "currency_locale": "en_IN",
      "primary_zuid": "55528367",
      "zia_portal_id": "59075125",
      "time_zone": "Asia/Calcutta",
      "zgid": "55528254",
      "country_code": "IN",
      "license_details": {
        "paid_expiry": null,
        "users_license_purchased": 3,
        "trial_type": "professional",
        "trial_expiry": "2018-05-17T17:20:05+05:30",
        "paid": false,
        "paid_type": "free"
      },
      "phone": "7867984524",
      "company_name": "Zylker",
      "privacy_settings": true,
      "primary_email": "p.boyle@zylker.com",
      "hipaa_compliance_enabled": true,
      "iso_code": "INR"
    }
  ]
}

Fields Metadata API

A new field in CRM named hipaa_compliance is introduced. Its JSON object indicates whether the Contains Personal Health Data option is enabled for a particular field.

Sample Request

curl "https://www.zohoapis.com/crm/v2/settings/fields?module=Contacts" \
-X GET \
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"

The boolean keys in the JSON object:

  • restricted_in_export: Indicates whether data export is restricted for the field. The value is true if the Restrict Data in Export option is enabled in the HIPAA compliance settings.

  • restricted: Indicates whether API access to the field is restricted. The value is true if the Restrict Data access through API option is enabled in the HIPAA compliance settings.

This object is returned by the Layouts Metadata API as well.

Sample Response

{
  "system_mandatory": false,
  "private": null,
  "webhook": true,
  "json_type": "string",
  "crypt": null,
  "field_label": "Status",
  "tooltip": null,
  "created_source": "default",
  "field_read_only": false,
  "display_label": "Status",
  "ui_type": 1,
  "read_only": false,
  "association_details": null,
  "businesscard_supported": false,
  "currency": {},
  "id": "492070000007480002",
  "custom_field": true,
  "lookup": {},
  "hipaa_compliance": {
    "restricted_in_export": true,
    "restricted": false
  },
  "visible": true,
  "length": 255,
  "view_type": {
    "view": true,
    "edit": true,
    "quick_create": false,
    "create": true
  },
  "subform": null,
  "external": null,
  "api_name": "Status",
  "unique": {},
  "history_tracking": false,
  "data_type": "text",
  "formula": {},
  "hipaa_compliance_enabled": true,
  "decimal_place": null,
  "mass_update": true,
  "multiselectlookup": {},
  "pick_list_values": [],
  "auto_number": {}
}

Get Records API

The values of fields that contain sensitive health data are returned only when the Restrict Data access through API option in the compliance settings is disabled. If the option is enabled, the value is null.

Sample Request

curl "https://www.zohoapis.com/crm/v2/Contacts/492070000007480017" \
-X GET \
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"

Sample Response

{
  "data": [
    {
      "Owner": {
        "name": "Patricia Boyle",
        "id": "492070000000209017",
        "email": "patricia.b@zohocorp.com"
      },
      "Email": null,
      "$currency_symbol": "AR$",
      "Visitor_Score": null,
      "Other_Phone": null,
      "Field_With_Health_Data": "*Sensitive Health Data*",
      "Mailing_State": null,
      "Other_State": null,
      "$followers": null,
      "Other_Country": null,
      "Last_Activity_Time": null,
      "Department": null,
      "$state": "save",
      "Unsubscribed_Mode": null,
      "$process_flow": false,
      "Assistant": null,
      "Exchange_Rate": 15,
      "Currency": "ARS",
      "Mailing_Country": null,
      "Data_Processing_Basis_Details": null,
      "id": "492070000007480017",
      "Data_Source": "Manual",
      "$approved": true,
      "Reporting_To": null,
      "$approval": {
        "delegate": false,
        "approve": false,
        "reject": false,
        "resubmit": false
      },
      "First_Visited_URL": null,
      "Days_Visited": null,
      "Account_Site_2": null,
      "Other_City": null,
      "$data_source_details": null,
      "Created_Time": "2021-03-15T16:15:18+05:30",
      "$followed": false,
      "$editable": true,
      "Home_Phone": null,
      "Last_Visited_Time": null,
      "Created_By": {
        "name": "Patricia Boyle",
        "id": "492070000000209017",
        "email": "patricia.b@zohocorp.com"
      },
      "Secondary_Email": null,
      "Description": null,
      "Vendor_Name": {
        "name": "v2",
        "id": "492070000007348082"
      },
      "Mailing_Zip": null,
      "Reports_To": null,
      "Number_Of_Chats": null,
      "$review_process": {
        "approve": false,
        "reject": false,
        "resubmit": false
      },
      "Twitter": null,
      "Other_Zip": null,
      "Mailing_Street": null,
      "Average_Time_Spent_Minutes": null,
      "$canvas_id": null,
      "Salutation": null,
      "Account_Number_1": null,
      "First_Name": "Patricia",
      "Full_Name": "Patricia Boyle",
      "Asst_Phone": null,
      "Record_Image": null,
      "Modified_By": {
        "name": "Patricia Boyle",
        "id": "492070000000209017",
        "email": "patricia.b@zohocorp.com"
      },
      "$review": null,
      "Skype_ID": null,
      "Phone": null,
      "Account_Name": null,
      "Email_Opt_Out": false,
      "Modified_Time": "2021-03-15T16:15:18+05:30",
      "Date_of_Birth": null,
      "Mailing_City": null,
      "Pick_List_1": null,
      "Unsubscribed_Time": null,
      "Title": null,
      "Other_Street": null,
      "Mobile": null,
      "Territories": null,
      "$orchestration": false,
      "$stop_processing": false,
      "First_Visited_Time": null,
      "Last_Name": "Boyle",
      "$in_merge": false,
      "Referrer": null,
      "Lead_Source": "Advertisement",
      "Tag": [],
      "Fax": null,
      "$approval_state": "approved"
    }
  ]
}

Search Records API

When you add a HIPAA compliance field to the Search API criteria, the response is returned only if the Restrict Data access through API option in the compliance settings is disabled. Otherwise, the system returns the INVALID_QUERY error shown in the sample error response below.

Sample Error Response

{
    "code": "INVALID_QUERY",
    "details": {
        "reason": "Cannot use the restricted field.",
        "api_name": "HIPAA"
    },
    "message": "the field in restricted in GDPR",
    "status": "error"
}
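
As an added example (not Zoho's code), the Python helper below reads the flags the Fields Metadata API returns and applies them client-side to the behaviour described in the Get Records and Search Records sections: it tells a null the server withheld apart from a genuinely empty field, predicts which search criteria would fail with INVALID_QUERY, and drops export-restricted fields before a client-side export. The field names Diagnosis and Insurer and the sample metadata and record are constructed.

```python
import json

# Constructed sample data (not real API output): a trimmed Fields Metadata
# response and one Contacts record, shaped like the samples on this page.
FIELDS_METADATA = json.loads("""{"fields": [
  {"api_name": "Last_Name", "hipaa_compliance_enabled": false},
  {"api_name": "Diagnosis", "hipaa_compliance_enabled": true,
   "hipaa_compliance": {"restricted_in_export": true, "restricted": true}},
  {"api_name": "Insurer", "hipaa_compliance_enabled": true,
   "hipaa_compliance": {"restricted_in_export": true, "restricted": false}}
]}""")
RECORD = {"id": "1", "Last_Name": "Boyle", "Diagnosis": None, "Insurer": "Acme Health"}


def phi_policy(metadata):
    """Map each field's api_name to its HIPAA flags from the metadata response."""
    policy = {}
    for field in metadata["fields"]:
        flags = field.get("hipaa_compliance") or {}  # absent on non-PHI fields
        policy[field["api_name"]] = {
            "phi": bool(field.get("hipaa_compliance_enabled")),
            "api_restricted": bool(flags.get("restricted")),
            "export_restricted": bool(flags.get("restricted_in_export")),
        }
    return policy


def annotate_record(record, policy):
    """Tell a null the server withheld apart from a field that is simply empty."""
    out = {}
    for name, value in record.items():
        p = policy.get(name, {})
        if p.get("api_restricted"):
            out[name] = "withheld"   # Get Records returns null for this field
        elif value is None:
            out[name] = "empty"
        else:
            out[name] = "present"
    return out


def unsearchable_fields(criteria_fields, policy):
    """Criteria fields that would make the Search API answer INVALID_QUERY."""
    return [f for f in criteria_fields if policy.get(f, {}).get("api_restricted")]


def redact_for_export(record, policy):
    """Drop export-restricted fields before writing records out of the CRM."""
    return {k: v for k, v in record.items()
            if not policy.get(k, {}).get("export_restricted")}
```

Run the metadata call once per module and cache the policy; it changes only when an administrator edits the compliance settings.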

Bulk Read API

The values of fields that contain sensitive health data are returned only when the Restrict Data access through API option in the compliance settings is disabled. If the option is enabled, the value is empty in the result.

(Figure: HIPAA field with empty values in the Bulk Read result)

Sample Request

curl "https://www.zohoapis.com/crm/bulk/v2/read/554023000000568002/result" \
-X GET \
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"