Can Zoho be Deemed HIPAA Compliant?

by Daniel Lopez | Aug 31, 2018

Many healthcare groups have considered the Zoho Office Suite as an alternative software package to organize workflows, but can Zoho be deemed HIPAA compliant?

Zoho: What is it?

Based in Pleasanton, CA, Zoho is a developer of cloud applications and web-based utilities, including email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management service (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho Projects), live chat software (Zoho Chat), a bookkeeping utility (Zoho Books), an application integration platform (Zoho Flow) and IoT management software (WebNMS).

The company is dedicated to providing cloud-based services for businesses and has been designing applications since 1996. Many of its solutions are similar to those provided by Google (G Suite) and Microsoft (Office 365). The applications have been developed to be compatible with both suites of products.

Can HIPAA-Covered Entities Complete a Zoho Business Associate Agreement?

There has been serious interest in Zoho from healthcare groups in the United States who are keen to use its cloud-based services, although there are few details regarding business associate agreements on the Zoho website. Zoho discussion forums suggest a Zoho HIPAA compliance program has been under development for some time, but as yet no HIPAA-compliant Zoho service is being provided.

Zoho’s legal team have said: “We believe that we meet the administrative, physical and technical safeguards as required by HIPAA, with the exception of encryption, which is an ‘addressable’ requirement under HIPAA. While we do encrypt passwords, we do not encrypt data stored on our servers. The work on encryption-at-rest is underway. Data transmission is done via HTTPS.”

The Zoho representative on the Zoho discussion forum added that they are open to signing a Business Associate Agreement, “with the caveat that we don’t encrypt data ‘at rest’ on our servers.” However, a reply from the internal Security & Compliance department said “Zoho is not HIPAA compliant.”

So can Zoho be Deemed HIPAA Compliant?

Zoho services have not been developed with the United States healthcare sector as the main target market, although the company does adhere to ISO/IEC 27001 and SOC 2 for security and will complete a business associate agreement with HIPAA-covered entities.

So, can Zoho be deemed HIPAA compliant? Currently, Zoho does not encrypt data at rest. Encryption is an ‘addressable’ rather than a ‘required’ specification under HIPAA, but where it is not implemented, alternative controls that offer an equivalent level of protection must be used instead. Before Zoho is implemented, it must be subjected to a risk assessment, and the threats to the confidentiality, integrity, and availability of ePHI should be carefully reviewed. The business associate agreement should be reviewed by your compliance team or legal department, and a completed copy obtained from Zoho. It is recommended that other options be considered before implementing the Zoho Office Suite.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Daniel Lopez

Daniel Lopez is an experienced HIPAA trainer with a particular focus on patient privacy as the best way to ensure HIPAA compliance. Daniel serves as a subject matter expert for ComplianceJunction's online HIPAA training, using his teaching experience to ensure that the online training is clear and practical. Daniel also contributes expert articles providing advice about HIPAA.
