Zscaler is a cloud security platform that provides tools for secure web access, zero-trust network access, and data protection.
With Zscaler, organizations can safeguard users, applications, and data by enabling secure remote access and preventing cyber threats. This helps businesses enhance security, streamline network management, and ensure safe digital operations from anywhere.
Is Zscaler HIPAA compliant? Yes, based on our research, Zscaler can be HIPAA compliant.
What changed this year?
As of April 2026, our review did not identify any publicly disclosed changes to Zscaler's HIPAA-related policies or BAA terms.
Will Zscaler sign a business associate agreement (BAA)?
Yes, Zscaler will sign a business associate agreement in certain deployment scenarios. According to their HIPAA solution brief, a BAA may be required when Zscaler services access or process protected health information (PHI) through specific features including SSL Inspection, Sandbox, Data Loss Prevention, and Browser Isolation.
What does the Zscaler BAA cover?
The Zscaler BAA covers the use and disclosure of PHI in applicable service deployments. Their solution brief states that "Zscaler's data protection function prevents unauthorized sharing or exfiltration of confidential information, like e-PHI, reducing the health industry's HIPAA business and compliance risk."
Their data protection commitments include:
- Data Loss Prevention (DLP) that detects and prevents PHI exfiltration, with all processing done in-memory without storing source data
- Cloud Browser Isolation that deletes user session content as soon as a session ends
- SSL Inspection that performs decryption entirely in-memory for threat detection purposes
- Sandbox analysis with extensive access controls, storage encryption, and logging for any files accessed by security researchers
What does the Zscaler BAA exclude?
Zscaler's BAA is limited in scope. Their solution brief notes that the BAA covers "only those Zscaler products that may have access to PHI in a customer environment." In most standard deployments, Zscaler does not access or process PHI and therefore does not qualify as a business associate, meaning a BAA would not be required. Covered entities should assess their specific Zscaler configuration with their compliance team before determining whether a BAA is needed.
Conclusion
Zscaler signs a BAA and is therefore HIPAA compliant, though the BAA applies only to specific service configurations where PHI may be accessed.
FAQs
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.