The question of whether Zapier is HIPAA compliant is answered by Zapier on its own website, where the company states that “the use of regulated healthcare and medical data including Protected Health Information (PHI) under HIPAA isn’t supported on Zapier.” However, Zapier appears to have the security mechanisms in place to support HIPAA compliance. So, why isn’t Zapier HIPAA compliant?
There are many healthcare organizations that would like to use Zapier’s automation and orchestration capabilities to streamline patient workflows. However, because of the above HIPAA clause in Zapier’s Data Privacy FAQs, healthcare organizations are unable to use the platform to collect, receive, maintain, or transmit electronic Protected Health Information (ePHI).
However, when you review Zapier’s Security and Compliance page, the platform offers a number of admin controls, audit logs, and approval processes that would appear to meet the requirements of the Security Rule. In addition, all customer data is encrypted at rest and in transit, and Zapier has been audited under the SOC for Service Organizations framework, holding SOC 2 Type 2 and SOC 3 reports.
Why Isn’t Zapier HIPAA Compliant?
The reason Zapier is not HIPAA compliant is that many of the applications and integrations that make the platform so versatile are not HIPAA compliant themselves. Zapier would have to remove applications and integrations with (for example) Facebook, PayPal, and HubSpot before it could offer a HIPAA compliant version of the platform, which would negatively affect its appeal.
To expand on this point a little more: although there would be no HIPAA compliance issue if a patient disclosed sensitive health information directly to a non-compliant app, once that information enters a workflow orchestrated by the Zapier platform on behalf of a HIPAA covered entity, it becomes ePHI, because Zapier is now performing a service for the covered entity as a business associate.
This means that every subsequent stage in the automated workflow must be HIPAA compliant, and that Zapier must have a Business Associate Agreement in place with the software vendor behind each subsequent stage. In theory, Zapier might have to enter into several thousand Business Associate Agreements with downstream business associates to be HIPAA compliant.
Can Zapier be Used by Healthcare Organizations?
Zapier can be used by healthcare organizations to orchestrate and automate workflows, provided no ePHI is included in those workflows. Therefore, if using Zapier for sales and marketing purposes, healthcare organizations must configure any applications used to collect prospect data so that the collected data cannot include ePHI (for example, by not offering free-text fields or health-related questions in the forms that feed the workflow).
If your organization is unsure how to use Zapier without violating HIPAA, you should reach out to Zapier on its community forum. Alternatively, seek independent advice from a compliance expert with an understanding of automated workflows, and, if implementing Zapier to automate healthcare workflows, be sure that all members of the workforce with access to the platform receive adequate HIPAA training.