Is Zapier HIPAA Compliant?

Zapier is a cloud-based task automation platform, and as with other such platforms, the question arises of whether Zapier is HIPAA compliant. Zapier connects other applications together to automate repetitive tasks, enabling efficient workflows and easing administrative burdens. This is particularly attractive in busy healthcare settings, but all organizations (healthcare providers, clearinghouses, or health plans) that may be subject to HIPAA (“covered entities”, or CEs) must ensure that Zapier can be used in a HIPAA-compliant manner.

There are a few considerations for software to be deemed HIPAA compliant. The software must ensure that any electronic Protected Health Information (ePHI) uploaded to the platform (whether only temporarily or for storage) can be hosted in accordance with the HIPAA Security Rule. This rule stipulates the minimum safeguards needed to maintain the confidentiality, integrity, and availability of PHI. Zapier has several security features that help achieve these minimum standards. For example, the software supports two-factor authentication and uses 256-bit AES encryption.

Zapier also offers account and access controls, which help preserve the confidentiality of data. These also help the platform meet the stipulations of the HIPAA Privacy Rule, which lays out who can access PHI. Zapier also collects logs of its use, which are needed for HIPAA compliance.

However, even though each of these factors is necessary for Zapier to be HIPAA compliant, they are not sufficient. Any HIPAA CE that wishes to contract a third party (business associate, BA) – or any BA that wishes to contract another BA – must enter a business associate agreement (BAA) with that third party. This will stipulate how the PHI will be used, what protections will be in place, and what will happen in the event of a HIPAA violation, amongst other things.

It is the responsibility of the CE to ensure that the appropriate BAA is acquired. Otherwise, the use of the service for any HIPAA-covered transaction would be a HIPAA violation. HIPAA violations – even if no breach of PHI occurs – can incur financial or, if severe enough, legal penalties.

Unfortunately, Zapier will not enter BAAs with CEs. It explicitly states on its website:

“The use of regulated healthcare and medical data like HIPAA is not supported on Zapier. Zapier also can’t sign business associate agreements (BAAs) or equivalent agreements for handling protected health information (PHI) or other similar information.”

CEs must ensure, therefore, that if Zapier software is being used, it is never used for creating, receiving, maintaining, or transmitting ePHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com