Over the past six months we’ve fielded quite a few inquiries from customers and prospects alike about whether our HIPAA compliant email service integrates with Zoho.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud providers and their capabilities for HIPAA compliance:
The purpose of this post is to determine if Zoho offers HIPAA compliance or not.
Zoho is a suite of online applications ranging from hosted email, to CRM, accounting, and help desk. They are an early adopter of cloud software.
According to their site, Zoho is a division of ZOHO Corporation, a US-based company that has been creating and selling software solutions since 1996.
Zoho and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
We checked Zoho’s site and found conflicting and often confusing information about their HIPAA compliance capabilities.
For example, the Zoho forums were the only places we could find any mention of HIPAA or HIPAA Compliance:
- HIPPA Compliance: Submitted 10 years ago, the forum thread meanders back and forth before ending on an ominous piece of feedback from another Zoho user, “I did reach out. But they told me that they would sign a BAA but they did not encrypt data on their server. Does this not null and void the BAA for PHI information?” (That user is correct)
- Is Zoho Creator HIPAA Compliant?: Submitted 7 years ago, a Zoho employee states, “Zoho is not a health care service provider, Zoho does not have a HIPAA compliance program.”
- HIPAA Compliance: Submitted 6 years ago, another Zoho employee writes, “Zoho Mail is a general-purpose email service and is not mainly intended to be used for transmitting/storing patient data. Hence we have not taken any steps for compliance with HIPAA.”
- Zoho Hipaa compliant?: Submitted 4 years ago, a Zoho staff member claims, “Please note, we are not HIPPA compliant however we will be able to sign a BAA. If you have an existing BAA copy, please send it to our legal team. They will review and sign it digitally.”
- Zoho Books HIPAA compliance: Submitted 1 year ago, a different Zoho employee says, “Yes. We do sign Business Associate Agreements (BAA). To know more about the procedure and HIPAA compliance, kindly write us at firstname.lastname@example.org from your registered email address.”
- HIPAA Compliance Plan: Submitted 6 months ago, a Zoho employee recommends contacting email@example.com for more information on Zoho and HIPAA Compliance.
We did not find any mention of HIPAA or a Business Associate Agreement on Zoho’s key legal pages (Privacy and Security).
Does Zoho Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component of HIPAA compliance between a Covered Entity and a Business Associate.
There were troubling aspects in our research about Zoho and HIPAA Compliance:
- There was no mention of HIPAA Compliance or their ability to sign a BAA on their key legal pages (Privacy and Security).
- It was disheartening to find confusing and conflicting advice from their support staff in their own forums. The information was often outdated and left unanswered for years at a time.
Zoho is all over the place on their stance on HIPAA Compliance.
We do not recommend using them if you require HIPAA compliant services.