Is Zoho Campaigns HIPAA compliant? (2023 update)

We originally wrote about Zoho Campaigns and its ability to provide HIPAA compliant service in 2020.

In our initial review, we found that Zoho Campaigns could be used in a HIPAA compliant manner, but only if you exclusively used custom fields.

Now that it’s 2023, is Zoho Campaigns easier to use when it comes to HIPAA compliance?

Today we'll revisit the question: Is Zoho Campaigns HIPAA compliant?

 

About Zoho Campaigns

Zoho Campaigns is a web-based email marketing platform developed by Zoho Corporation. It provides a suite of tools for creating, sending, and tracking email campaigns, as well as managing subscriber lists and contacts.

With Zoho Campaigns, customers can create professional-looking email campaigns using a drag-and-drop email editor, customize email templates to match brand guidelines, and schedule email campaigns to be sent at a specific time.

 

Zoho Campaigns and the business associate agreement

There’s a primary item to consider when it comes to Zoho Campaigns and its ability to provide a HIPAA compliant service.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Zoho Campaigns, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its email platform.

We checked the Zoho site and found three relevant pages:

 

In a nutshell, these pages state:

  • BAA. Zoho Campaigns is within scope of Zoho's business associate agreement. Customers are instructed to email legal@zohocorp.com to get a copy of their BAA.
  • Encrypting data at rest. Zoho Campaigns puts the onus on the customer to manually encrypt data fields that contain PHI.
  • Encrypting data in transit. Zoho Campaigns does not make any mention of being able to actually send email that contains PHI and still be HIPAA compliant.

 

Is Zoho Campaigns HIPAA compliant?

The BAA is a key component to HIPAA compliance between a covered entity and a business associate.

We’ve learned that Zoho’s stance on HIPAA compliance for Zoho Campaigns remains about the same as in 2020: a bit opaque.

Conclusion: Zoho Campaigns can be used in a HIPAA compliant manner with some weighty caveats.

We recommend contacting them to resolve the following question:

  • Does the Zoho Campaigns BAA consider email transmission to be in scope? In other words, can its customers actually send PHI in email campaigns and be HIPAA compliant?
