HIPAA Compliance & Zoho
Zoho is a Pleasanton, CA-located creator of cloud applications and web-based utilities that includes email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management service (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho projects), live chat service (Zoho Chat), a bookkeeping service (Zoho Books), app integration platform (Zoho Flow), and an IoT management database (WebNMS).
The company aims to provide innovative cloud-based solutions for companies and has been developing applications since 1996. Many of its programs are broadly comparable to those supplied by Google (G Suite) and Microsoft (Office 365). Its apps have been created to integrate with both suites of products.
Can HIPAA-Covered Groups Obtain a Zoho Business Associate Agreement?
There has been massive interest in Zoho from healthcare organizations in the United States who are keen to implement its cloud-based services, although there is little information about business associate agreements on the Zoho website. Zoho forums indicate a Zoho HIPAA compliance program has been in development, but as of yet, a Zoho HIPAA compliant service is not being made available.
We have sought an answer from Zoho in relation to business associate agreements and the current state of the Zoho HIPAA compliance program. The answer from the Zoho legal team was “We believe that we meet the administrative, physical and technical safeguards as required by HIPAA, with the exception of encryption, which is an ‘addressable’ requirement under HIPAA. While we do encrypt passwords, we do not encrypt data stored on our servers. The work on Encryption-At-Rest is underway. Data transmission is done via HTTPS.”
The company also said it would be willing to complete a Business Associate Agreement, “with the caveat that we don’t encrypt data ‘at rest’ on our servers.” However, a response from the Security & Compliance department said “Zoho is not HIPAA compliant.”
Can Zoho be Deemed HIPAA Compliant?
Zoho services have not been specifically created for the healthcare sector in the United States, although the company does adhere with ISO/IEC 27001 and SOC 2 for security and will complete a business associate with HIPAA-covered entities.
So, is can Zoho be deemed HIPAA compliant? Currently, Zoho does not encrypt data at rest. Encryption is not a ‘required’ part of HIPAA, but different controls must be used in its place that offer a similar level of protection. Before Zoho could be implemented, it must be subjected to a risk assessment, and the dangers to the confidentiality, integrity, and availability of ePHI should be carefully reviewed. The business associate agreement should be considered by your compliance team/legal department, and a completed copy obtained from Zoho. Only then could the platform be an option for using in relation to any ePHI. Our guidance would be to fully look into all other alternatives before making any decision about Zoho products and services.