Is Zoho HIPAA Compliant?

Zoho is a collection of cloud-based tools and applications developed by a Pleasanton, CA-based company since 1996. Zoho products and services include the following:

  • Zoho Mail (email)
  • Zoho CRM (a customer relationship management platform)
  • Zoho Show (presentation program)
  • Zoho Docs (document editor)
  • Zoho Sheet (spreadsheet editor)
  • Zoho Creator (app builder)
  • Zoho Chat (live chat software)
  • Zoho Projects (project management platform)
  • Zoho Books (bookkeeping service)
  • WebNMS (IoT management platform)
  • Zoho Flow (app integration platform)

Many businesses use these solutions as an alternative to Microsoft’s Office 365 and Google’s G Suite, and Zoho apps can also be integrated with both suites. Is it acceptable for U.S. healthcare organizations to use Zoho with protected health information (PHI) as well?

The Zoho website provides very little information about HIPAA compliance or business associate agreements (BAAs). Discussions in the Zoho community forums indicate that a Zoho HIPAA compliance program has been under way for some time, but as of this writing Zoho does not offer any service that it describes as HIPAA compliant. According to the Zoho legal team, Zoho has implemented the administrative, technical and physical safeguards required by the HIPAA Security Rule, with the exception of encryption, which HIPAA classifies as an addressable implementation specification. Zoho encrypts stored passwords but not the data saved on its servers; a feature that encrypts data at rest is still under development. Data in transit is protected with HTTPS.

Zoho is willing to enter into a business associate agreement (BAA), but its Security & Compliance department states that Zoho is not yet HIPAA compliant, and its services were not designed specifically for the healthcare industry. Zoho does hold ISO/IEC 27001 certification and a SOC 2 attestation, and it will sign a BAA with covered entities on request.

In summary, Zoho does not encrypt data at rest. HIPAA does not strictly mandate encryption, since it is an addressable specification, so Zoho may instead rely on alternative controls that provide an equivalent level of protection. Note, however, that addressable does not mean optional: under the Security Rule, a covered entity must either implement encryption or document why doing so is not reasonable and appropriate and implement an equivalent alternative safeguard. Before using Zoho’s services, conduct a risk analysis to identify the risks to the confidentiality, integrity and availability of ePHI. Zoho is willing to sign a BAA, but a healthcare organization’s HIPAA compliance or legal team should review the agreement before any Zoho service is used with ePHI. Evaluate other providers as well before committing ePHI to Zoho.