Zoho is a suite of cloud-based applications, comparable to Google's G Suite and Microsoft's Office 365. Zoho tools include email, a customer relationship management (CRM) tool, a document editor, a presentation editor, a spreadsheet editor, a project management platform, a custom application builder, live chat software, an app integration platform, a bookkeeping service, and an IoT management platform. Healthcare organizations often consider Zoho when deciding which cloud-based application platform to use, which raises the question: is Zoho HIPAA compliant?
Zoho HIPAA Business Associate Agreement
Before sharing protected health information (PHI) with a vendor, a covered entity must have a signed business associate agreement (BAA) with that vendor. A BAA sets out each party's obligations for safeguarding PHI under HIPAA. Many larger vendors publish a standard BAA on their websites; Zoho does not. Although Zoho does not publish a BAA, they are willing to sign one provided the other party understands that data stored on their servers is not encrypted. Zoho's legal team stated, "We believe that we meet the administrative, physical and technical safeguards as required by HIPAA, with the exception of encryption, which is an 'addressable' requirement under HIPAA. While we do encrypt passwords, we do not encrypt data stored on our servers. The work on Encryption-At-Rest is underway. Data transmission is done via HTTPS."
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not strictly mandate that data be encrypted; encryption at rest and in transit are "addressable" implementation specifications (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)). "Addressable" does not mean optional: the covered entity must assess whether encryption is reasonable and appropriate in its environment and, if it decides not to implement it, must document why and put an equivalent alternative safeguard in place. The lack of encryption at rest on Zoho's servers is therefore not automatically disqualifying, but a covered entity that relies on Zoho must be able to document the compensating controls (for example, access controls and audit logging on the hosted data) in its own risk analysis. According to Zoho's forum, a Zoho HIPAA compliance program is under development; the forum also refers to PCI compliance, which is a separate standard for payment card data and does not substitute for HIPAA.
Zoho HIPAA Risk Assessment
Healthcare entities must also vet the vendors they work with. As part of this due diligence, a HIPAA risk assessment (typically a security questionnaire covering the Security Rule safeguards) should be sent to every vendor that will handle PHI. The risk assessment identifies gaps in the administrative, physical and technical safeguards surrounding PHI. Healthcare organizations have an obligation to confirm that their business associates (BAs) handle PHI correctly before sharing that sensitive information with them.
Is Zoho HIPAA Compliant?
Zoho's stance on HIPAA and PCI compliance is not clear. Although their legal team states that they are willing to sign a business associate agreement, the service was not designed with HIPAA in mind, and Zoho's Security & Compliance department states that Zoho is not HIPAA compliant.
Healthcare entities are therefore advised to look to alternative solutions, or at minimum to treat any use of Zoho for PHI as a documented risk in their own risk analysis until Zoho completes its encryption-at-rest work and its HIPAA compliance program.