What is HIPAA?

The Health Insurance Portability and Accountability Act (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act) ("HIPAA") requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals.

HIPAA compliance in Zoho Vault

Zoho Vault does not collect, use, store, or maintain health information protected by HIPAA for its own purposes. However, Zoho Vault provides features to help its customers use their Zoho Vault applications in a HIPAA compliant manner.

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.

Tailor-made features for your business

Complete protection for your passwords

Safely store unlimited passwords and other sensitive data such as documents, social security numbers, and health care information in your Vault account. Any data you store in Zoho Vault will be encrypted with AES-256 encryption using your master password. This master password is unique for every user and is not stored on our servers, meaning even Zoho does not have access to your passwords.

Create a password policy

Create a customized password policy for your organization or institution with Zoho Vault. You can define or mandate constraints that your users must adhere to when they create a password. By enforcing a strong password policy for your employees, you can improve overall password hygiene in your organization.

Security insights and advanced protection

Monitor password assessment scores for your entire organization from the security dashboard. Identify users with lower scores and instantly alert them to reset their outdated, old, or reused passwords. Admins can also track user actions in real time using our tamper-proof audit trails and action reports.

Transfer and acquire passwords

Transfer passwords to colleagues or to your supervisor whenever you move to different teams or leave the organization. Super admins can also forcefully acquire all business passwords from a rogue user or an employee leaving the organization.

In addition to the features mentioned above, users of Zoho Vault can further benefit from the following security controls:

Label sensitive fields as electronic protected health information (ePHI)

You can mark fields that contain health information as ePHI. To label a field as ePHI:

  • Log in to your Zoho Vault account.
  • Access Password Categories from the Settings tab.
  • Edit existing categories to enable ePHI for existing labels. Alternatively, you can also create new categories with ePHI enabled for relevant labels.

Data encryption

All sensitive data stored in Zoho Vault is encrypted using AES-256 encryption. Zoho Vault's zero-knowledge architecture ensures that the user's master password will never be stored in Zoho's servers and that it is known only to the user. All encryption and decryption activities happen on the client's side (in the user's browser) and only the encrypted data will be stored in Zoho's servers.

Tamper-proof audits

Zoho Vault's real-time audits offer detailed insights into every action carried out in your business vault. Whenever any action is performed, admins and super admins can identify the user responsible for the action, along with the action's timestamp and the user's IP address, from the Audits tab.

Privacy features

Zoho Vault's audits and labels marked as ePHI under Password Categories can be masked within Vault's interface and restricted from export. To do so:

  • Log in to your account as an admin.
  • Access Privacy Settings from the Settings tab.
  • Under the Password Categories tab, mask fields from public view and restrict relevant labels from being exported.
  • Under the Audits tab, mask sensitive fields from public view and restrict relevant labels from being exported.

Note: The above-mentioned features are available for all Zoho Vault users across all DCs. The content presented here is not to be construed as legal advice. Please contact your legal advisor to learn how HIPAA impacts your organization and what you need to do to comply with HIPAA.