Is Zoho HIPAA Compliant?

Zoho supports HIPAA compliance for the majority of its services, but organizations should be alert to services that do not support HIPAA compliance and to integrations that may have to be disabled to prevent Protected Health Information (PHI) from being disclosed to non-compliant applications. In addition, it is important to be aware that no Zoho service is HIPAA compliant by default. Every Zoho service that supports HIPAA compliance must be configured to comply with the Security Rule before it is used with PHI.

Zoho is a provider of cloud services and web-based tools that can be subscribed to individually or as application packages. Most of the services and tools support HIPAA compliance inasmuch as they include capabilities that can be configured to comply with the Administrative and Technical Safeguards of the Security Rule. These services and tools can be used by organizations to create, collect, maintain, and transmit PHI once the Zoho Business Associate Agreement has been signed.

However, there are a few services and tools that do not appear to be covered by Zoho’s SOC 2 and HIPAA compliance report (i.e., Contacts, Backstage, RouteIQ, and Thrive), and it is advisable to prevent PHI from being disclosed to these applications by disabling them where they are included in an application package. It may also be necessary to disable integrations with third-party apps if the transfer of PHI cannot be prevented by restricting the fields tagged as personal health data.

No Zoho Service is HIPAA Compliant by Default

Zoho states it “does not collect, use, store or maintain health information protected by HIPAA for its own purposes […] but provides certain features to help customers use Zoho [product name] in a HIPAA compliant manner.” However, in many cases, the features to support HIPAA compliance are only available in certain subscription plans. For example, organizations subscribing to the Zoho Mail service must subscribe to the Premium plan in order to access the encryption feature.

There can also be compliance issues for organizations subscribing to a Zoho application package. For example, some services in the Zoho One package are the “standard” version of the service rather than a version that supports HIPAA compliance, or one that supports HIPAA compliance for the entire workforce. In many cases, it may be necessary to purchase an Add-On or integrate a third-party application to ensure the activity being conducted on the Zoho service is HIPAA compliant.

In addition, the processes for making Zoho HIPAA compliant are not only long-winded for an administrator with little experience of navigating Zoho’s portfolio of products, but they can also limit the effectiveness of Zoho products or raise new challenges for HIPAA compliance as the following use case demonstrates.

Use Case: Making Zoho Campaigns HIPAA Compliant

Zoho Campaigns is an email and SMS marketing platform that can be subscribed to separately or as part of the Zoho One package. While it is not necessary to make Zoho Campaigns HIPAA compliant if the platform is only going to be used for bulk mail/SMS shots for events such as flu jab reminders, using the platform for one-way communication reduces the benefits of Zoho Campaigns and limits the potential for generating leads, conducting surveys, and soliciting feedback.

In order to make Zoho Campaigns HIPAA compliant, system administrators have to create custom fields, tag them as containing personal health data, encrypt the fields, restrict access to the data by APIs, and restrict how data can be exported. Because all identifying information assumes the same protections as health information when maintained in the same designated record set, this means that every field has to be an encrypted custom field and access to every field has to be restricted.

This is naturally going to affect how Zoho Campaigns can communicate with other services, tools, and integrations – limiting the effectiveness of the Campaigns product and any other application that imports data from Zoho Campaigns. It also increases the risk of HIPAA violations for impermissible disclosures due to users erroneously entering identifying information into standard fields or taking shortcuts to export unsecured data from Zoho Campaigns to other services, tools, and integrations.

Is it Worth Making Zoho HIPAA Compliant?

Organizations that are not already familiar with Zoho’s portfolio of cloud services and web-based tools may struggle to justify the effort to make Zoho HIPAA compliant. As explained above, configuring the features to use a Zoho product in a HIPAA compliant manner can limit the benefit of the product and its interoperability with other Zoho products and third-party integrations.

Because of these limitations, the steep learning curve required to make Zoho HIPAA compliant, and the risk of HIPAA violations due to impermissible disclosures, organizations considering exchanging an existing product for a Zoho product are advised to take advantage of any free trials available to evaluate the product in their own environment while seeking advice from a compliance professional.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
