Hoala Greevy
We originally wrote about Zoho CRM and its ability to provide HIPAA compliant service in 2017.
In our initial review, we found that Zoho was all over the place regarding its stance on HIPAA compliance. At the time, we did not recommend using it if HIPAA compliance was a requirement.
Now that it’s 2023, we’ll revisit the question: Is Zoho CRM HIPAA compliant?
About Zoho CRM
Zoho is a cloud-based software company that provides a suite of business applications for a variety of functions including customer relationship management (CRM), human resources management (HRM), accounting, project management, email and collaboration, and more. Zoho's software suite is designed to help businesses of all sizes manage their operations more effectively and efficiently.
Zoho was founded in 1996 and is headquartered in Chennai, India. It has since grown to become one of the leading software providers for small and medium-sized businesses worldwide, with more than 60 million users across over 180 countries.
Zoho and the business associate agreement
There’s a primary item to consider when it comes to Zoho and its ability to provide a HIPAA compliant service.
First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).
As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Zoho, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its platform.
We did an updated check on Zoho's site and found several relevant pages:
Zoho is a lot clearer on its stance on being able to sign a BAA with its customers:
"SOC 2 + HIPAA - An independent third-party audit firm has examined the description of the system related to Application Development, Production Support and the related General Information Technology Controls for the services provided to customers, from Zoho offshore development centre, based on Security, Privacy and breach requirements set forth in the Health Insurance Portability and Accountability Act (“HIPAA”) Administrative Simplification. The responsibility of Zoho is limited to the extent it acts as a 'Business Associate'.
Applicable to- Zoho CRM, Zoho Bookings, Zoho Survey..."
Furthermore, Zoho CRM puts the onus on the customer to properly configure it:
As we can see, Zoho CRM can be configured in a HIPAA compliant manner and Zoho CRM will act as a business associate for its customers.
Does Zoho CRM offer HIPAA compliant service?
The BAA is a key component to HIPAA compliance between a covered entity and a business associate.
We've learned Zoho's stance on HIPAA compliance for Zoho CRM is much clearer than it was in 2017:
- Zoho is willing to act as a business associate for customers' use of Zoho CRM. A critical component of acting as a business associate is signed a BAA with customers.
- Zoho CRM can be configured in a HIPAA compliant manner, as long as the customer does it themselves.
Conclusion: Zoho CRM can be configured to be HIPAA compliant.
