Can I use Zoho Desk and be HIPAA compliant? (2023 update)

Today we'll research whether Zoho Desk provides HIPAA compliant service or not.

About Zoho Desk

Zoho Desk is a cloud-based help desk software that helps businesses manage customer support interactions across multiple channels. It provides a centralized platform for businesses to manage their customer support operations, including handling support tickets, tracking customer issues, and automating responses to frequently asked questions.

Zoho and the business associate agreement

There’s a primary item to consider when it comes to Zoho Desk and its ability to provide a HIPAA compliant service.

First, let’s start with a quick recap of terms. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of individuals’ personal health information, otherwise known as protected health information (PHI).

As we’ve previously discussed, HIPAA applies to covered entities, which includes healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

A business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance. In the case of Zoho Desk, the service would certainly fall into the category of business associate if it’s servicing customers that would store, process, or transmit PHI on its platform.

We checked Zoho's site and found what we were looking for here:

• Zoho Desk HIPAA Compliance Guide

First, we can see that Zoho has a BAA and customers can request one via email:

“Zoho Desk provides certain features (as described below) to help its customers use Zoho Desk in a HIPAA compliant manner.

HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with its Business Associates. You can request our BAA template by sending an email to legal@zohocorp.com.”

Second, we see Zoho puts the onus on customers to identify PHI in Zoho Desk:

"To ensure the security of you and your customers’ information, you can take the following actions in your Zoho Desk:

• Mark ePHI fields to distinguish their data
• Encrypt data entered into ePHI designated fields
• Administer roles and permissions to secure data
• Export audit trail to monitor operational activities"

Does Zoho Desk offer HIPAA compliant service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a covered entity and a business associate.

In regards to being considered a HIPAA compliant solution, we were able to learn the following about Zoho Desk:

• Customers can request a BAA with Zoho Desk by emailing legal@zohocorp.com.
• There appears customers need to do quite a bit of setup to select and encrypt PHI stored within Zoho Desk.

Conclusion: Zoho Desk can be configured to be HIPAA compliant. Make sure to email Zoho to request a BAA and also properly configure Zoho Desk.