Can Zoho be Deemed HIPAA Compliant?

Many healthcare groups have considered the Zoho Office Suite as an alternative software package to organize workflows, but can Zoho be deemed HIPAA compliant?

Zoho: What is it?

Based in Pleasanton, CA Zoho is developer of cloud applications and web-based utilities that includes email (Zoho Mail), a document editor (Zoho Docs), a customer relationship management service (Zoho CRM), a spreadsheet editor (Zoho Sheet), a presentation editor (Zoho Show), a custom application builder (Zoho Creator), a project management platform (Zoho projects), live chat software (Zoho Chat), a bookkeeping utility (Zoho Books), application integration platform (Zoho Flow) and an IoT management software (WebNMS).

The company is dedicated to providing cloud-based services for businesses and has been designing applications since 1996. Many of its solutions are similar to those provided by Google (G Suite) and Microsoft (Office 365). The applications have been developed to be compatible with both suites of products.

Are HIPAA-Covered Bodies Allowed to Complete Zoho Business Associate Agreement?

There has been serious interest in Zoho from healthcare groups in the United States who are keen to use its cloud-based services, although there are few details regarding business associate agreements on the Zoho website. Zoho discussion forums suggest a Zoho HIPAA compliance program has been under development for some time, but as of yet, a Zoho HIPAA compliant service is not being provided.

Zoho’s legal team have said “We believe that we meet the administrative, physical and technical safeguards as required by HIPAA, with the exception of encryption, which is an ‘addressable’ requirement under HIPAA. While we do encrypt passwords, we do not encrypt data stored on our servers.  The work on encryption-at-rest is underway. Data transmission is done via HTTPS.”

The Zoho representative on the Zoho discussion forum added that they are open to signing a Business Associate Agreement, “with the caveat that we don’t encrypt data ‘at rest’ on our servers.” However, a reply from the internal Security & Compliance department said “Zoho is not HIPAA compliant.”

So can Zoho be Deemed HIPAA Compliant?

Zoho services have not been developed for the healthcare sector in the United States as the main target market, although the company does adhere to ISO/IEC 27001 and SOC 2 for security and will complete a business associate with HIPAA-covered bodies.

So, can Zoho be deemed HIPAA compliant? Currently, Zoho does not encrypt data at rest. Encryption is not a ‘required’ facet of HIPAA, but different controls must be used instead that offer a similar level of protection. Before Zoho could be implemented, it must be subjected to a risk assessment, and the threats to the confidentiality, integrity, and availability of ePHI should be carefully reviewed. The business associate agreement should be reviewed by your compliance team/legal department, and a completed copy obtained from Zoho. It is recommended to consider other possibilities before implementing Zoho Office Suite.

About Patrick Kennedy 619 Articles
Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: