Many sources tackling the question is Zapier HIPAA compliant tend to conclude that Zapier is not HIPAA compliant because Zapier says so. Yet, judging by the number of requests for a HIPAA compliant version of the automation platform, it seems there is a strong business case for supporting compliance. So, why isn’t Zapier HIPAA compliant?
Zapier is a popular automation platform that enables organizations to build customized workflows using an intuitive drag and drop editor. The platform can be used to orchestrate the flow of data between applications that would otherwise be unable to communicate with each other – enabling automated marketing campaigns, lead management, and sales support.
In theory, the same process management tools should be capable of orchestrating and automating healthcare workflows. Unfortunately, with Zapier, it is impossible to streamline (for example) patients’ records from admission to discharge because Zapier is not HIPAA compliant and cannot be used to create, receive, maintain, or transmit Protected Health Information.
Why Isn’t Zapier HIPAA Compliant?
Zapier does explain why it is not HIPAA compliant, simply stating on its Data Privacy webpage: “The use of regulated healthcare and medical data including Protected Health Information (PHI) under HIPAA isn’t supported on Zapier. Zapier also can’t sign business associate agreements (BAAs) or equivalent agreements for handling PHI or other similar information.”
However, when you read Zapier’s Security and Compliance webpage, the platform appears to tick many of the boxes required for HIPAA compliance. Data is encrypted at rest and in transit, customers can access activity logs, and Zapier has acquired independent third party auditor certifications for SOC for Service Organizations SOC 2 Type 2 and SOC 3.
Additionally, there is evidence to suggest the demand exists for a HIPAA compliant Zapier platform. On the site’s community pages, dozens of customers requested a HIPAA compliant platform in 2020; but, despite the requests being forwarded to Zapier’s product team, there is still no news about when – if at all – Zapier will offer a HIPAA compliant version of the platform.
What is Preventing a Compliant Version?
Although Zapier has remained tight-lipped about why it has not yet released a HIPAA compliant version of the automation platform, it is not difficult to identify several challenges. The first challenge exists due to the very thing that makes Zapier so popular – the number of applications that can be integrated into multi-step workflows.
Thousands of Zapier applications do not support HIPAA compliance (i.e., Calendly, HubSpot, PayPal, Wave, Wix, etc.), so Zapier would have to remove these applications from a HIPAA compliant version of the platform and enter into Business Associate Agreements with thousands of other software vendors. This would very much limit the capabilities of the platform.
There are also several administrative tasks that would require Zapier to change the data retention limits. For example, user activity logs and version histories are currently retained for a maximum of one year. To make Zapier HIPAA compliant, these limits would have to be extended to accommodate compliance with HIPAA’s documentation requirements (§164.316).
Conclusion – Zapier May Never be HIPAA Compliant
While it would be beneficial for many healthcare organizations if Zapier was HIPAA compliant, it may never happen. If it does, and healthcare organizations are allowed to collect, store, and transmit PHI through the platform, it will likely be a much less versatile version of the existing platform because of the number of applications that will have to be removed in order to make Zapier HIPAA compliant.
However, this does not mean healthcare organizations cannot use Zapier in its current state. Provided any processes used to capture data are configured so they cannot collect PHI, and the processes are configured to ensure the stream of data is one way (i.e., so PHI maintained in an EHR is not accessible to other workflow steps), HIPAA compliance is not an issue.
If you would like further advice on how to use Zapier in a healthcare environment without violating HIPAA, you should reach out to the Zapier via its community forum or seek advice from a HIPAA compliance expert with knowledge of automated healthcare processes.