Is Zapier HIPAA Compliant?
Zapier is a cloud-based task automation platform, and as with other such platforms, the question arises of whether Zapier is HIPAA compliant. Zapier connects other applications together to automate repetitive tasks, which enables efficient workflows and eases administrative burdens. This is particularly attractive in busy healthcare settings, but any organization that is subject to HIPAA (healthcare providers, clearinghouses, and health plans, collectively known as "covered entities", or CEs) must first establish whether Zapier can be used in a HIPAA-compliant manner.
There are several considerations for software to be deemed HIPAA compliant. The software must ensure that any electronic Protected Health Information (ePHI) uploaded to the platform (whether only temporarily in transit or for storage) is handled in accordance with the HIPAA Security Rule. This rule stipulates the minimum administrative, physical, and technical safeguards needed to maintain the confidentiality, integrity, and availability of ePHI. Zapier has several security features that help meet these minimum standards. For example, the platform supports two-factor authentication and encrypts data with AES using 256-bit keys.
Zapier also offers account and access controls, which help preserve the confidentiality of data and restrict who can view or modify it. Such controls also support the requirements of the HIPAA Privacy Rule, which governs who may access PHI and the permitted uses and disclosures of it. Zapier additionally keeps logs of account activity, and audit controls of this kind are a requirement of the Security Rule.
However, even though each of these features is necessary for Zapier to be HIPAA compliant, they are not sufficient. Any HIPAA CE that wishes to contract a third party to handle PHI on its behalf (a business associate, or BA), and any BA that wishes to subcontract to another BA, must enter into a business associate agreement (BAA) with that third party. The BAA stipulates how the PHI may be used and disclosed, what safeguards will be in place, and what will happen in the event of a HIPAA violation or breach, amongst other things.
It is the responsibility of the CE to ensure that an appropriate BAA is in place before any PHI is shared. Without one, using the service for any HIPAA-covered transaction would itself be a HIPAA violation. HIPAA violations, even where no breach of PHI occurs, can incur civil monetary penalties or, in severe cases, criminal penalties.
Unfortunately, Zapier will not enter into BAAs with CEs. It explicitly states on its website:
“The use of regulated healthcare and medical data like HIPAA is not supported on Zapier. Zapier also can’t sign business associate agreements (BAAs) or equivalent agreements for handling protected health information (PHI) or other similar information.”
CEs must therefore ensure that, if Zapier is used in their organization, it is never used for creating, receiving, maintaining, or transmitting ePHI. In practice this means reviewing every Zap and its connected applications to confirm that no workflow touches systems holding PHI, since a single automation that pulls patient records into an unsupported service is enough to constitute a violation.