Can Healthcare Organizations Use Zoho Without Violating HIPAA Rules?

A Pleasanton, CA-based company has been developing Zoho, a suite of cloud-based tools and applications, since 1996. Zoho includes the following products and services:

  • Zoho Mail (email)
  • Zoho Docs (document editor)
  • Zoho CRM (a customer relationship management platform)
  • Zoho Sheet (spreadsheet editor)
  • Zoho Show (presentation program)
  • Zoho Creator (app builder)
  • Zoho Projects (project management platform)
  • Zoho Chat (live chat software)
  • Zoho Books (bookkeeping service)
  • Zoho Flow (app integration platform)
  • WebNMS (IoT management platform)

Many businesses use these solutions as an alternative to Google’s G Suite and Microsoft’s Office 365. Zoho apps may be integrated with both product suites. Can U.S. healthcare organizations use Zoho in conjunction with protected health information (PHI) without violating HIPAA?

There’s very little information available on the Zoho website about business associate agreements, but discussions in the Zoho forums suggest that a Zoho HIPAA compliance program has been in the works for some time. So far, however, Zoho does not offer any HIPAA-compliant service. According to the Zoho legal team, Zoho satisfactorily meets the HIPAA requirements for administrative, physical and technical safeguards, with the exception of encryption, which is an addressable requirement under HIPAA. Zoho encrypts passwords but not the data stored on its servers; its development team is still working on an encryption-at-rest feature. Data in transit is protected with HTTPS.

Zoho is also willing to sign a business associate agreement (BAA); however, Zoho’s Security & Compliance department states that Zoho is still not HIPAA compliant, since its services were not specifically developed to serve the healthcare industry. Zoho is nevertheless ISO/IEC 27001 and SOC 2 certified and will sign a BAA with covered entities if required.

To recap, Zoho does not offer encryption of data at rest. HIPAA does not strictly require encryption, but where it is not implemented, Zoho must have alternative controls in place that provide the same level of protection. Before using Zoho’s services, a healthcare organization must carry out a risk analysis to identify risks to the availability, integrity and confidentiality of ePHI. Zoho will sign a BAA, but it is best for the organization’s HIPAA compliance or legal department to assess that agreement before any Zoho service is used with ePHI. An organization may also want to evaluate other alternatives before using Zoho with ePHI.