HIPAA Compliance
HIPAA, the Healthcare Insurance Portability and Accountability Act, is a US federal law initiated in 1996 to ensure protection of an individual's Personal Health Information (PHI).
As more healthcare organizations have started to use CRM to run their business smoothly and store customer information in a shared database, it is crucial that they can ensure the confidentiality of an individual's health information. In Zoho CRM, we provide ways for healthcare organizations to secure and restrict export of individuals' health information and stay compliant with the HIPAA guidelines.
Organization API
A new key hipaa_compliance_enabled is added in the Organization API. The data type of this field is boolean, i.e true/false. This key is also retrieved in Fields Metadata and Layouts Metadata API, which represents if the field or layout stores personal health data or not.
Sample Request: To get Organization Data
Copiedcurl "https://www.zohoapis.com/crm/v5/org"
-X GET
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"
Note:
- If hipaa_compliance_enabled=true, HIPAA Compliance is enabled for the Org.
- If hipaa_compliance_enabled=false, HIPAA Compliance is disabled.
Sample Response
Copied{
"org": [
{
"country": "US",
"photo_id": null,
"city": null,
"description": null,
"mc_status": true,
"gapps_enabled": false,
"domain_name": "org55528254",
"translation_enabled": false,
"street": null,
"alias": null,
"currency": "Indian Rupee",
"id": "111111000000033001",
"state": null,
"fax": null,
"employee_count": null,
"zip": null,
"website": "www.zylker.com",
"currency_symbol": "₹",
"mobile": null,
"currency_locale": "en_IN",
"primary_zuid": "55528367",
"zia_portal_id": "59075125",
"time_zone": "Asia/Calcutta",
"zgid": "55528254",
"country_code": "IN",
"license_details": {
"paid_expiry": null,
"users_license_purchased": 3,
"trial_type": "professional",
"trial_expiry": "2018-05-17T17:20:05+05:30",
"paid": false,
"paid_type": "free"
},
"phone": "7867984524",
"company_name": "Zylker",
"privacy_settings": true,
"primary_email": "p.boyle@zylker.com",
"hipaa_compliance_enabled": true,
"iso_code": "INR"
}
]
}
Fields Metadata API
A new field in CRM named hipaa_compliance is introduced. The JSON object represents if Contains Personal Health Data option is enabled for a particular field.
Sample Request
Copiedcurl "https://www.zohoapis.com/crm/v5/settings/fields?module=Contacts"
-X GET
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"
The boolean keys in the JSON object:
- restricted_in_export: Represents if the data export is restricted for the field. The value is true if Restrict Data in Export option is enabled in the HIPAA compliance settings.
- restricted: Represents if the field can be accessed via API. The value is true if Restrict Data access through API option is enabled in the HIPAA compliance settings.
This key is retrieved in Layouts Metadata API as well.
Sample Response
Copied{
"system_mandatory": false,
"private": null,
"webhook": true,
"json_type": "string",
"crypt": null,
"field_label": "Status",
"tooltip": null,
"created_source": "default",
"field_read_only": false,
"display_label": "Status",
"ui_type": 1,
"read_only": false,
"association_details": null,
"businesscard_supported": false,
"currency": {},
"id": "492070000007480002",
"custom_field": true,
"lookup": {},
"hipaa_compliance": {
"restricted_in_export": true,
"restricted": false
},
"visible": true,
"length": 255,
"view_type": {
"view": true,
"edit": true,
"quick_create": false,
"create": true
},
"subform": null,
"external": null,
"api_name": "Status",
"unique": {},
"history_tracking": false,
"data_type": "text",
"formula": {},
"hipaa_compliance_enabled": true,
"decimal_place": null,
"mass_update": true,
"multiselectlookup": {},
"pick_list_values": [],
"auto_number": {}
}
Get Records API
The value for the fields with sensitive health data will be retrieved only when Restrict Data access through API option in the compliance settings is disabled. If the option is enabled, the value for the HIPAA compliance field will be null.
Sample Request
Copiedcurl "https://www.zohoapis.com/crm/v5/Contacts/492070000007480017"
-X GET
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"
The same applies to Get Specific Record API, Get Related Records API, Search Records API, and Get Records through a COQL query.
Sample Response
Copied{
"data": [
{
"Owner": {
"name": "Patricia Boyle",
"id": "492070000000209017",
"email": "patricia.b@zohocorp.com"
},
"Email": null,
"$currency_symbol": "AR$",
"Visitor_Score": null,
"Other_Phone": null,
"Field_With_Health_Data": "*Sensitive Health Data*",
"Mailing_State": null,
"Other_State": null,
"$followers": null,
"Other_Country": null,
"Last_Activity_Time": null,
"Department": null,
"$state": "save",
"Unsubscribed_Mode": null,
"$process_flow": false,
"Assistant": null,
"Exchange_Rate": 15,
"Currency": "ARS",
"Mailing_Country": null,
"Data_Processing_Basis_Details": null,
"id": "492070000007480017",
"Data_Source": "Manual",
"$approved": true,
"Reporting_To": null,
"$approval": {
"delegate": false,
"approve": false,
"reject": false,
"resubmit": false
},
"First_Visited_URL": null,
"Days_Visited": null,
"Account_Site_2": null,
"Other_City": null,
"$data_source_details": null,
"Created_Time": "2021-03-15T16:15:18+05:30",
"$followed": false,
"$editable": true,
"Home_Phone": null,
"Last_Visited_Time": null,
"Created_By": {
"name": "Patricia Boyle",
"id": "492070000000209017",
"email": "patricia.b@zohocorp.com"
},
"Secondary_Email": null,
"Description": null,
"Vendor_Name": {
"name": "v2",
"id": "492070000007348082"
},
"Mailing_Zip": null,
"Reports_To": null,
"Number_Of_Chats": null,
"$review_process": {
"approve": false,
"reject": false,
"resubmit": false
},
"Twitter": null,
"Other_Zip": null,
"Mailing_Street": null,
"Average_Time_Spent_Minutes": null,
"$canvas_id": null,
"Salutation": null,
"Account_Number_1": null,
"First_Name": "Patricia",
"Full_Name": "Patricia Boyle",
"Asst_Phone": null,
"Record_Image": null,
"Modified_By": {
"name": "Patricia Boyle",
"id": "492070000000209017",
"email": "patricia.b@zohocorp.com"
},
"$review": null,
"Skype_ID": null,
"Phone": null,
"Account_Name": null,
"Email_Opt_Out": false,
"Modified_Time": "2021-03-15T16:15:18+05:30",
"Date_of_Birth": null,
"Mailing_City": null,
"Pick_List_1": null,
"Unsubscribed_Time": null,
"Title": null,
"Other_Street": null,
"Mobile": null,
"Territories": null,
"$orchestration": false,
"$stop_processing": false,
"First_Visited_Time": null,
"Last_Name": "Boyle",
"$in_merge": false,
"Referrer": null,
"Lead_Source": "Advertisement",
"Tag": [],
"Fax": null,
"$approval_state": "approved"
}
]
}
Search Records API
When you add a HIPAA compliance field to the search API criteria, the response will be retrieved only if the Restrict Data access through API option in the compliance settings is disabled. Otherwise, the system throws the INVALID_QUERY error. For further details, see the sample error response in the code pane.
Sample Error Response
Copied{
"code": "INVALID_QUERY",
"details": {
"reason": "Cannot use the restricted field.",
"api_name": "HIPAA"
},
"message": "the field in restricted in GDPR",
"status": "error"
}
Bulk Read API
The value for the fields with sensitive health data will be retrieved only when Restrict Data access through API option in the compliance settings is disabled. If the option is enabled, the value for the HIPAA compliance field will be empty in the result.
Sample Request
Copiedcurl "https://www.zohoapis.com/crm/bulk/v4/read/554023000000568002/result"
-X GET
-H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"