Many healthcare organizations would like to use Zoho tools and applications, but is Zoho HIPAA compliant? Can its tools and applications be used by U.S. healthcare organizations in conjunction with protected health information? In this post we explore whether Zoho supports HIPAA compliance for any of its cloud-based services.
What is Zoho?
Zoho is a Pleasanton, CA-based developer of cloud applications and web-based tools that include email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management platform (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho Projects), live chat software (Zoho Chat), a bookkeeping service (Zoho Books), an app integration platform (Zoho Flow), and an IoT management platform (WebNMS).
The company is focused on providing innovative cloud-based solutions for businesses and has been developing applications since 1996. Many of its solutions are broadly comparable to those provided by Google (G Suite) and Microsoft (Office 365). Its apps have been developed to integrate with both suites of products.
Can HIPAA-Covered Entities Obtain a Zoho Business Associate Agreement?
There has been considerable interest in Zoho from healthcare organizations in the United States who are keen to use its cloud-based services, although there is little information about business associate agreements on the Zoho website. Zoho forums suggest a Zoho HIPAA compliance program has been in development for some time, but as of yet, a Zoho HIPAA compliant service is not being offered.
We have contacted Zoho for clarification on business associate agreements and the current state of the Zoho HIPAA compliance program. The response from the Zoho legal team was “We believe that we meet the administrative, physical and technical safeguards as required by HIPAA, with the exception of encryption, which is an ‘addressable’ requirement under HIPAA. While we do encrypt passwords, we do not encrypt data stored on our servers. The work on Encryption-At-Rest is underway. Data transmission is done via HTTPS.”
The company also said it would be willing to sign a Business Associate Agreement, “with the caveat that we don’t encrypt data ‘at rest’ on our servers.” However, a response from the Security & Compliance department said “Zoho is not HIPAA compliant.”
Is Zoho HIPAA Compliant?
Zoho services have not been specifically developed for the healthcare industry in the United States, although the company does comply with ISO/IEC 27001 and SOC 2 for security and will sign a business associate agreement with HIPAA-covered entities.
So, is Zoho HIPAA compliant? At present, Zoho does not encrypt data at rest. Encryption is an ‘addressable’ rather than a ‘required’ element of HIPAA, but if it is not implemented, alternative controls that offer a similar level of protection must be used in its place. Before Zoho could be used, it must be subjected to a risk assessment in which the risks to the confidentiality, integrity, and availability of ePHI are carefully considered. The business associate agreement should be assessed by your compliance team or legal department, and a signed copy obtained from Zoho. Only then could the platform be considered for use with any ePHI. Our advice would be to fully investigate all other alternatives before making any decision about Zoho products and services.