Zoho Mail is a popular email platform that’s geared towards businesses. It offers a user-friendly minimalist interface that’s supported by some powerful features, so you can create, communicate, and collaborate in an ad-free environment. But medical practices will also need an email platform that satisfies regulatory compliance. If you’re using this platform, being able to send and receive a Zoho HIPAA compliant email is a must. So this raises the question: is Zoho Email HIPAA compliant? Let’s take a look. When we evaluate email systems for HIPAA compliance, here’s the checklist we use:
- HIPAA guidelines ask medical practices to go the extra mile to protect patient data. It starts with your provider signing a HIPAA Business Associate Agreement (HIPAA BAA). Don’t go with a provider that refuses to sign one!
- When your email is HIPAA compliant, it’s configured so that it’s hard for hackers to access. That includes strong, unique passwords and multi-factor authentication.
- Emails stored on your computer are encrypted.
- The connection from your computer (e.g., Outlook, Apple Mail) or smartphone to your email server is encrypted.
- Emails stored on your email server are encrypted.
- Emails sent between people inside your company are encrypted.
- Encrypt emails with Protected Health Information (PHI) sent outside your company (or better yet, encrypt all emails!).
- Your provider should also have a log management system in place to meet the logging requirements of HIPAA. This will help you create an audit trail and investigate a potential breach.
- HIPAA email compliance also requires many layers of protection against phishing. It’s crucial because it remains the biggest threat to companies today. The best companies have two layers of protection against phishing.
## HIPAA Guidelines Ask Medical Practices to Go the Extra Mile to Protect Patient Data (with a HIPAA BAA)
If you go through their website, you’ll notice that Zoho email and HIPAA compliance are a difficult combination. If you take a look at the feedback/responses from Zoho support in this conversation, the legal team seems happy to sign a HIPAA BAA, but at the same time it raises questions about encryption. That conversation hints that Zoho now does take care of encryption, but it isn’t clear whether that covers just CRM or email as well. Unfortunately, if you trawl through their website, you’ll find that Zoho won’t sign a HIPAA BAA, even though some pages give the impression that they would be “happy” to sign one. We take these inconsistencies as a big warning sign for handling medical data!
## When Your Email Is HIPAA Compliant, It’s Configured so That It’s Hard for Hackers to Access
Zoho HIPAA compliant email will demand (at least) two-factor authentication (2FA). When your email platform supports 2FA, it requires a second level of authentication before granting access to your account. What does that mean? Single-factor authentication only requires your username and password. 2FA asks you for an additional credential from one of these three categories (after entering your email address/user ID and password):
- Biometric fingerprint, voice print, or FaceID
- A personal identification number, a pattern, or password
- An ATM card, mobile phone, or a small security device with built-in authentication
## Emails Stored on Your Computer Are Encrypted
Emails stored on your computer should be encrypted, but that depends on you and how you set up your computer rather than on Zoho. If you just access Zoho using your browser, then your connection should be encrypted. If you need help with this, we can help!
## The Connection from Your Computer (e.g., Outlook, Apple Mail) or Smartphone to Your Email Server Is Encrypted
This is the same as above. To send a HIPAA compliant email with Zoho, you have to ensure that the connection from your computer to the email platform is encrypted. If you’re accessing Zoho through your browser, you’re all set. If you use something else (like Outlook or Apple Mail), then encryption will be something you set up when you first connect to Zoho.
## Emails Stored on Your Email Server Are Encrypted
Your emails stored on the email server will be encrypted. Zoho now provides Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption. This approach uses public-key cryptography to digitally sign and encrypt your emails. Once it’s set up, it blocks unauthorized access to message contents.
## Emails Sent between People inside Your Company Are Encrypted
If you have deployed end-to-end encryption, it’ll be safe to share sensitive information within your company. This means encrypting all connections between computers and your email platform.
## Encrypt Emails with PHI Sent outside Your Company
You can send emails containing PHI once S/MIME is configured to ensure compliance. For example, PHI can mean a diagnosis or the name of a prescribed medication (like “Zoloft”). But it’s critical to note that both the sender and the receiver must enable S/MIME. This is not always going to be easy! You also need a valid S/MIME certificate. Secure communication between your practice and your patients also requires some additional steps. You can read more about that HERE.
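One way to enforce the rule above (nothing containing PHI leaves the company unless it is S/MIME encrypted) is a gate that inspects outgoing messages before they are sent. This is an added example, not Zoho's code or feature; the internal domain and the sample messages are constructed, and the check relies only on the standard S/MIME content type for encrypted mail (RFC 8551 `application/pkcs7-mime; smime-type=enveloped-data`).

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, collapse_rfc2231_value

# Assumed: the practice's own domain. Any other domain is "outside your company".
INTERNAL_DOMAIN = "example-practice.com"

def is_smime_encrypted(msg: Message) -> bool:
    """True only for an S/MIME enveloped-data (encrypted) body. A signed-only
    message (smime-type=signed-data) still carries readable PHI, so it fails."""
    ctype = msg.get_content_type()
    smime_type = collapse_rfc2231_value(msg.get_param("smime-type", "")).lower()
    return ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") \
        and smime_type == "enveloped-data"

def external_recipients(msg: Message) -> list:
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [a for _, a in getaddresses(hdrs)
            if a and a.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]

def may_send(raw: str) -> tuple:
    """Policy decision for one outgoing message: (allowed, reason)."""
    msg = message_from_string(raw)
    ext = external_recipients(msg)
    if not ext:
        return True, "internal only"
    if is_smime_encrypted(msg):
        return True, "S/MIME encrypted for %d external recipient(s)" % len(ext)
    return False, "blocked: unencrypted message to " + ", ".join(ext)

# Constructed sample messages (the base64 body is a placeholder, never decoded).
PLAIN_EXTERNAL = """From: dr@example-practice.com
To: patient@mail.example
Subject: Your results
Content-Type: text/plain

Diagnosis and prescription attached.
"""
SIGNED_EXTERNAL = PLAIN_EXTERNAL.replace(
    "Content-Type: text/plain",
    'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"')
ENCRYPTED_EXTERNAL = PLAIN_EXTERNAL.replace(
    "Content-Type: text/plain",
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"')
PLAIN_INTERNAL = PLAIN_EXTERNAL.replace("patient@mail.example", "nurse@example-practice.com")

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_EXTERNAL), ("signed", SIGNED_EXTERNAL),
                      ("encrypted", ENCRYPTED_EXTERNAL), ("internal", PLAIN_INTERNAL)]:
        print(name, may_send(raw))
```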
## Log Management System to Meet the Logging Requirements of HIPAA
Zoho Mail does have an efficient email logging system that meets HIPAA logging requirements. To check email logs, follow these simple steps:
- Log in to your Zoho Mail Control Panel as an administrator
- Under Mail Administration, select the Troubleshoot option
- Open the Mail Logs tab
- Type in the sender email address, the recipient email address, or the message ID
- Select the date range (e.g., “Today,” “Past one hour,” “Yesterday,” etc.)
- To view the email logs for the selected parameters, click “Search”
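The same search (sender, recipient or message ID within a preset date range) is what an investigator runs over an exported log during a breach review. The following is an added example, not Zoho's code; the log column layout, the sample entries and the fixed clock are all constructed assumptions, since the page does not document Zoho's export format.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log. Column layout (timestamp, sender, recipient, message-id,
# status) is an assumption, not Zoho's actual export format.
SAMPLE_LOG = """\
2024-03-12T10:05:00Z\tdr@example-practice.com\tpatient@ext.example\t<msg1@example-practice.com>\tdelivered
2024-03-12T07:45:00Z\tnurse@example-practice.com\tlab@ext.example\t<msg2@example-practice.com>\tdelivered
2024-03-11T16:20:00Z\tdr@example-practice.com\tbilling@ext.example\t<msg3@example-practice.com>\tbounced
2024-03-10T09:00:00Z\tdr@example-practice.com\tpatient@ext.example\t<msg4@example-practice.com>\tdelivered
"""
# Fixed "now" so the presets give reproducible results (constructed).
NOW = datetime(2024, 3, 12, 10, 30, tzinfo=timezone.utc)
FIELDS = ("time", "sender", "recipient", "message_id", "status")

def parse_log(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(FIELDS, line.split("\t")))
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc)
        entries.append(row)
    return entries

def date_range(preset, now):
    """Map the control panel's presets to a half-open [start, end) window."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    upper = now + timedelta(seconds=1)          # include events at exactly 'now'
    if preset == "Today":
        return midnight, upper
    if preset == "Past one hour":
        return now - timedelta(hours=1), upper
    if preset == "Yesterday":
        return midnight - timedelta(days=1), midnight
    raise ValueError("unknown preset: %s" % preset)

def search_logs(sender=None, recipient=None, message_id=None,
                preset="Today", now=NOW, text=SAMPLE_LOG):
    """Return entries in the window that match every supplied filter (case-insensitive)."""
    start, end = date_range(preset, now)
    wanted = {"sender": sender, "recipient": recipient, "message_id": message_id}
    hits = []
    for e in parse_log(text):
        if not (start <= e["time"] < end):
            continue
        if all(v is None or e[k].lower() == v.lower() for k, v in wanted.items()):
            hits.append(e)
    return hits
```

Exporting the matching rows (with timestamps) to a ticket is the audit trail HIPAA asks for.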