HIPAA Compliance with Zoho TeamInbox
The Health Insurance Portability and Accountability Act, HIPAA (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho TeamInbox provides features to help its customers use the shared workspace within the premises of HIPAA compliance.
HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.
Zoho TeamInbox provides the following features and controls that allow administrators to implement a HIPAA-compliant service for their organization.
Encryption of ePHI
Emails are encrypted at transit using the Transport Layer Security (TLS) protocol for IMAP/POP/SMTP communication. Emails at rest stored in Zoho servers are also encrypted. Besides the default encryption, the administrator can opt for an additional layer of encryption via S/MIME support which uses SSL certificate-based encryption.
User roles and permissions
Zoho TeamInbox provides role-based access to all accounts. Admin, Moderator and Member roles can be assigned to users to manage their create, view, edit and delete permission on entities like teams, inboxes, reports and audit log.
User roles and permissions can also be defined for individual inboxes instead of giving everyone access to all the emails.
Email deletion
Zoho TeamInbox provides appropriate features in the web interface to allow users to delete their data. The users can delete their email data using the Trash option. The thrash folder will be cleared once every 30 days.
When the admins delete the user accounts, the data associated with the user will be scheduled for deletion and will be deleted within 30 days of actual user deletion.
Two factor authentication
Secure your Zoho TeamInbox account from unauthorized access with two-factor authentication. You can use the Zoho OneAuth application, Touch ID, or even send codes to yourself as an extra layer of defence during login.
Activity log
Zoho TeamInbox records every activity as audit logs, and they are retained as long as the users' accounts are maintained. Users' email logs are also stored and retained as long as the account is maintained. Only an organization admin or a moderator can view organization audits and track the activities performed by users.
Email authentication protocols
Emails carry crucial information that is specific to your users. In order to ensure the protection of these emails, we have iron-clad verification and monitoring procedures in place. Every domain added in Zoho TeamInbox for email sending has to be verified. Domains are verified in using SPF ( Sender Policy Framework), and DKIM ( DomainKeys Identified Mail).
Access of third party subcontractors
ePHI data is not shared with any third party subcontractors.
Modification of Terms of Use
Zoho reserves the right to modify the Terms. Modifications to the Terms are effective upon your use of Zoho TeamInbox subsequent to the publication of such modification. Disclaimer: The content presented here is not to be construed as legal advice. This is a guideline on how Zoho TeamInbox provides control to organizations to be HIPAA compliant. Please contact your legal advisor to know how HIPAA is applicable and how it impacts your organization and the processes involved to be HIPAA compliant.
Disclaimer: The content presented here is not to be construed as legal advice. This is a guideline on how Zoho TeamInbox provides control to the organizations to be HIPAA compliant. Please contact your legal advisor to know how HIPAA is applicable and how it impacts your organization and the processes involved to be HIPAA compliant.