Can Zoho be Deemed HIPAA Compliant?

Many healthcare organizations may consider using Zoho tools to organize their work, but can Zoho be deemed HIPAA compliant?

Zoho: What is it?

Based in Pleasanton, CA, Zoho is a developer of cloud applications and web-based utilities, including email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management service (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho Projects), live chat software (Zoho Chat), a bookkeeping utility (Zoho Books), an application integration platform (Zoho Flow) and IoT management software (WebNMS).

The company has been building cloud-based business applications since 1996. Many of its solutions are comparable to those offered by Google (G Suite) and Microsoft (Office 365), and its applications have been developed to be compatible with both suites of products.

Can HIPAA-Covered Entities Complete a Business Associate Agreement with Zoho?

There has been considerable interest in Zoho from healthcare organizations in the United States that are keen to use its cloud-based services, although the Zoho website offers few details regarding business associate agreements. Zoho discussion forums suggest a Zoho HIPAA compliance program has been under development for some time, but as yet no HIPAA-compliant Zoho service is being offered.

Zoho’s legal team has said: “We believe that we meet the administrative, physical and technical safeguards as required by HIPAA, with the exception of encryption, which is an ‘addressable’ requirement under HIPAA. While we do encrypt passwords, we do not encrypt data stored on our servers. The work on Encryption-At-Rest is underway. Data transmission is done via HTTPS.”

They added that they are open to signing a Business Associate Agreement, “with the caveat that we don’t encrypt data ‘at rest’ on our servers.” However, a reply from Zoho’s internal Security & Compliance department stated: “Zoho is not HIPAA compliant.”

So can Zoho be Deemed HIPAA Compliant?

Zoho services were not developed with the United States healthcare sector as their main target market, although the company does adhere to ISO/IEC 27001 and SOC 2 for security and will complete a business associate agreement with HIPAA-covered entities.

So, can Zoho be deemed HIPAA compliant? At the time of the statements quoted above, Zoho did not encrypt data at rest. Encryption is an ‘addressable’ rather than ‘required’ implementation specification under the HIPAA Security Rule, but a covered entity that chooses not to implement it must document why and put equivalent alternative controls in place that offer a comparable level of protection. Before Zoho is deployed, it must be included in a risk analysis, and the risks to the confidentiality, integrity, and availability of ePHI carefully reviewed. Because Zoho describes encryption at rest as work in progress, confirm the company’s current position on that control as part of that analysis rather than relying on the quotes above. The business associate agreement should be reviewed by your compliance team or legal department, and a fully executed copy obtained from Zoho. Only then could the platform be permitted for use with any ePHI. It would be wise to fully consider all other options before implementing Zoho services.