Is Zoho Email HIPAA Compliant?

Zoho Mail is a popular email platform that’s geared towards businesses. It offers a user-friendly minimalist interface that's supported by some powerful features. So you can create, communicate, and collaborate in an ad-free environment.

But medical practices will also need an email platform that satisfies regulatory compliance. If you’re using this platform, being able to send and receive a Zoho HIPAA compliant email is a must.

So this begs the question, is Zoho Email HIPAA compliant? Let’s take a look.

When we evaluate email systems for HIPAA compliance, here’s the checklist we use:

• HIPAA guidelines ask medical practices to go the extra mile to protect patient data. It starts with your provider signing a HIPAA Business Associate Agreement (HIPAA BAA). Don’t go with a provider that refuses to sign one!
• When your email is HIPAA compliant, it's configured so that it’s hard for hackers to access. That includes strong, unique passwords and multi-factor authentication.
• Emails stored on your computer are encrypted.
• The connection from your computer (e.g., Outlook, Apple Mail) or smartphone to your email server is encrypted.
• Emails stored on your email server are encrypted.
• Emails sent between people inside your company are encrypted.
• Encrypt emails with Protected Health Information (PHI) sent outside your company (or better yet, encrypt all emails!).
• They should also have a log management system in place to meet the logging requirements of HIPAA. This will help you create an audit trail and investigate a potential breach.
• HIPAA email compliance also requires many layers of protection against phishing. It's crucial because it remains the biggest threat to companies today. The best companies have two layers of protection against phishing.

Let’s see how Zoho Mail measures up!

HIPAA Guidelines Ask Medical Practices to Go the Extra Mile to Protect Patient Data (with a HIPAA BAA)

If you go through their website, you’ll notice that Zoho email and HIPAA compliance is a challenge. If you take a look at the interesting feedback/responses from Zoho support in this conversation, the legal team seems happy to sign a HIPAA BAA. But at the same time, it raises questions about encryption.

This conversation seems to hint that Zoho now does indeed take care of encryption, but it isn’t clear if that’s just for CRM or email as well.

Unfortunately, if you trawl through their website, you’ll find that Zoho won’t sign a HIPAA BAA. This is the reality even though they give the impression that they would be “happy” to sign one (on some pages). We take these inconsistencies as a big warning sign for handling medical data!

When Your Email Is HIPAA Compliant, It's Configured so That It’s Hard for Hackers to Access

Zoho HIPAA compliant email will demand (at least) two-factor authentication (2FA). When your email platform boasts 2FA, it’ll need a second level of authentication to enable access to your account.

What does that mean?

Single-factor authentication only requires your username and password. 2FA will ask you to provide a combination of these three types of credentials (after entering your email address/user ID and password):

• Biometric fingerprint, voice print, or FaceID
• A personal identification number, a pattern, or password
• An ATM card, mobile phone, or a small security device with built-in authentication

In most cases, this process is as simple as typing in a verification code sent to your registered mobile number. It can also be a code generated by the Google Authenticator app.

Zoho does offer multi-factor authentication. You can read more about adding this feature HERE.

Emails Stored on Your Computer Are Encrypted

All Emails stored on your computer will be encrypted. But that’s more up to you and how you set up your computer. If you just access Zoho using your browser, then your connection should be encrypted.

If you need help with this, we can help!

The Connection from Your Computer (e.g., Outlook, Apple Mail) or Smartphone to Your Email Server Is Encrypted

This is the same as above. To send a HIPAA compliant email with Zoho, you have to ensure that the connection from your computer to the email platform is encrypted. If you’re accessing Zoho through your browser, you’re all set.

If you use something else (like Outlook or Apple Mail), then encryption will be something you set up when you first connect to Zoho.

Emails Stored on Your Email Server Are Encrypted

Your emails stored on the email server will be encrypted.

Zoho now provides Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption. This approach leverages cryptography to digitally sign and encrypt your emails. Whenever it’s implemented, it'll block unauthorized access.

Emails Sent between People inside Your Company Are Encrypted

If you have deployed end-to-end encryption, it’ll be safe to share sensitive information within your company. This means encrypting all connections between computers and your email platform.

Encrypt emails with PHI sent outside your company

You can send emails containing PHI once S/MIME protocols are configured to ensure compliance. For example, PHI can mean a diagnosis or the name of prescribed medication (like "Zoloft").

But it's critical to note that both the sender and the receiver must enable S/MIME. This is not always going to be easy! You also need a valid S/MIME certificate.

Secure communication between your practice and your patients also requires some additional steps. You can read more about that HERE.

Log Management System to Meet the Logging Requirements of HIPAA

Zoho Mail does have an efficient email logging system that meets HIPAA logging requirements. To check email logs, you have to follow these simple steps:

1. Login to your Zoho Mail Control Panel as an administrator
2. Under Mail Administration, click on the Select Troubleshoot option
3. Open the Mail Logs tab
4. Type in the Sender email Address or Recipient email address or the Message ID
5. Select the date range (for e.g., “Today,” “Past one hour,” “Yesterday,” etc.)
6. To view the email logs for the selected parameters, click “Search”

HIPAA Email Compliance Also Requires Many Layers of Protection against Phishing

Zoho Mail also provides protection against phishing. But it’s important to note that these features are pretty basic.

If you want to learn more about sending and receiving HIPAA compliant emails, go over these seven tips.

Conclusion

The bottom line is this – Zoho isn't HIPAA compliant.

Zoho Mail checks a lot of the boxes, but the fact that they won't sign a HIPAA BAA eliminates them immediately!

The fact that they allow conflicting information to be published on their site is also a serious cause for concern. As things stand, there is no way to send a Zoho HIPAA compliant email!

The good news is that there are other options out there that boast similar features while ensuring regulatory compliance.

Zoho email alternatives that are HIPAA Compliant (after they’re set up properly):

• Google Workspace
• Microsoft365

So if your practice is using Zoho Mail, don’t send any PHI in emails. Before engaging with patients, you should also get consent from them to use insecure emails.

So you have any questions or feedback?

Please feel free to share them in the Comments section below.

Like this article? Share it!