Can Zoho be Deemed HIPAA Compliant?

Many healthcare groups have considered the Zoho Office Suite as an alternative software package to organize workflows, but can Zoho be deemed HIPAA compliant?

Zoho: What is it?

Based in Pleasanton, CA, Zoho is a developer of cloud applications and web-based utilities that include email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management service (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho Projects), live chat software (Zoho Chat), a bookkeeping utility (Zoho Books), an application integration platform (Zoho Flow) and IoT management software (WebNMS).

The company is dedicated to providing cloud-based services for businesses and has been designing applications since 1996. Many of its solutions are similar to those provided by Google (G Suite) and Microsoft (Office 365). The applications have been developed to be compatible with both suites of products.

Are HIPAA-Covered Bodies Allowed to Complete a Zoho Business Associate Agreement?

There has been serious interest in Zoho from healthcare groups in the United States who are keen to use its cloud-based services, although there are few details regarding business associate agreements on the Zoho website. Zoho discussion forums suggest a Zoho HIPAA compliance program has been under development for some time, but as of yet, a Zoho HIPAA compliant service is not being provided.

Zoho’s legal team have said “We believe that we meet the administrative, physical and technical safeguards as required by HIPAA, with the exception of encryption, which is an ‘addressable’ requirement under HIPAA. While we do encrypt passwords, we do not encrypt data stored on our servers. The work on encryption-at-rest is underway. Data transmission is done via HTTPS.”

The Zoho representative on the Zoho discussion forum added that they are open to signing a Business Associate Agreement, “with the caveat that we don’t encrypt data ‘at rest’ on our servers.” However, a reply from the internal Security & Compliance department said “Zoho is not HIPAA compliant.”

So can Zoho be Deemed HIPAA Compliant?

Zoho services have not been developed with the healthcare sector in the United States as the main target market, although the company does adhere to ISO/IEC 27001 and SOC 2 for security and will complete a business associate agreement with HIPAA-covered bodies.

So, can Zoho be deemed HIPAA compliant? Currently, Zoho does not encrypt data at rest. Encryption is not a ‘required’ facet of HIPAA, but if it is not implemented, alternative controls must be used instead that offer a similar level of protection. Before Zoho can be implemented, it must be subjected to a risk assessment, and the threats to the confidentiality, integrity, and availability of ePHI should be carefully reviewed. The business associate agreement should be reviewed by your compliance team/legal department, and a completed copy obtained from Zoho. It is recommended to consider other possibilities before implementing Zoho Office Suite.