Paubox blog: HIPAA compliant email made easy

Is Zscaler HIPAA compliant?

Written by Liyanda Tembani | August 10, 2023

Zscaler is a cloud-native security platform that can be an asset in the healthcare sector's quest for patient data protection. Healthcare organizations must ensure that the tools they use are HIPAA compliant. When considering Zscaler, healthcare professionals must know whether it is compliant with HIPAA standards. 


What is Zscaler?

Zscaler is a cloud-native security platform offering a suite of security services tailored to the needs of modern organizations. With a core focus on providing security services within a cloud environment, Zscaler has emerged as a choice for healthcare organizations seeking solutions to fortify their data protection strategies.


Zscaler's security features

Zscaler states that the platform's security features are designed to address common cybersecurity challenges:

  • Secure web gateway (SWG): Safeguards users against malicious websites and applications, providing secure browsing.
  • Cloud access security broker (CASB): Manages access to cloud applications, enforces security policies, and prevents unauthorized access or data leakage.
  • Data loss prevention (DLP): Protects against sensitive data leakage by scanning content and blocking unauthorized data transfers.
  • Sandboxing: Analyzes suspicious files and traffic in isolation to identify and mitigate advanced threats before they cause harm.
  • Secure socket layer (SSL) inspection: Decrypts and inspects SSL-encrypted traffic to uncover threats hidden inside encrypted connections.
  • Intrusion prevention system (IPS): Detects and blocks unauthorized access attempts and malicious attacks aimed at compromising the network's integrity.


Is Zscaler a business associate?

Under HIPAA, a business associate is an entity that handles protected health information (PHI) on behalf of a covered entity and provides certain services that involve the use or disclosure of PHI. As per Zscaler's official stance, the classification hinges on whether Zscaler's deployment services inadvertently result in incidental access to customer-managed PHI. This determination accounts for the nature of services rendered and the policies executed by the respective healthcare organization. In certain scenarios, Zscaler might be considered a business associate.

Related: How to know if you're a business associate


Business associate agreement provisions

The business associate agreement (BAA) is an instrumental document that delineates the responsibilities and obligations of business associates when dealing with PHI on behalf of covered entities. The BAA is a binding contract that ensures adherence to HIPAA's security and privacy standards. 

Related: Business associate agreement provisions


Zscaler and the BAA

Zscaler claims to take a different approach to BAAs. Instead of adopting a one-size-fits-all strategy, Zscaler assesses the need for a BAA on a case-by-case basis. Where Zscaler's deployment services result in incidental access to customer-managed PHI, a supplemental customer BAA may be required. Although the scope of this BAA may be confined to those specific occurrences, it still provides the contractual basis for HIPAA compliance.


Is Zscaler HIPAA compliant?

While Zscaler's role within healthcare does not automatically make it a business associate, it will sign BAAs when it is used to process or store PHI. Zscaler can therefore be HIPAA compliant.