HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
We know the HIPAA industry is vast and that it is important to work well and communicate with patients while remaining HIPAA compliant. This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.
Today, we will determine if ZoomInfo is HIPAA compliant or not.
ZoomInfo is a B2B market intelligence company that grants access to its databases through a subscription program. Market intelligence consists of information like sales, customer data, survey responses, focus groups, and competitor research to drive sales.
To create its databases, ZoomInfo scans over 38 million online sources. The ZoomInfo RevOS includes multiple platforms that provide sales, marketing, talent (i.e., recruiting), and operations information. Customers have access to comprehensive professional and company profiles to make data-driven, informed decisions.
A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.
In this instance, ZoomInfo is a business associate of a healthcare organization if it works with any data that includes electronic PHI (ePHI), like a name or an email address. Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.
There is no mention of a BAA on the ZoomInfo website.
Its privacy policy mentions that it “will, whenever possible, obtain confidentiality agreements” but does not state what is included or how customers can receive one.
ZoomInfo’s privacy policy states that information collected for business profiles may be scanned or purchased from others.
The company does have business profiles for companies that work with healthcare organizations on HIPAA compliance. Moreover, ZoomInfo Community Edition clients give the company access to information on their computers through:
These contacts are then added as business profiles. ZoomInfo states that it only harvests business information and that customers can opt-out. However, there is no guarantee that PHI remains inaccessible. A
s for its own cybersecurity, ZoomInfo mentions employee checks, access controls (e.g., two-factor authentication), encryption in transit, firewalls, cloud data backup and access controls, and risk management procedures.
The BAA is a key component of HIPAA compliance; it is not a guarantee that ZoomInfo will provide one or keep PHI from being accessed by its systems.
Conclusion: We are unable to determine if ZoomInfo is HIPAA compliant or not.
For more information on ensuring your vendors are HIPAA compliant please read our post on what to look for when working with third party partners and vendors.