Zoho Mail is a popular email platform that’s geared towards businesses. It offers a user-friendly minimalist interface that's supported by some powerful features. So you can create, communicate, and collaborate in an ad-free environment.
But medical practices will also need an email platform that satisfies regulatory compliance. If you’re using this platform, being able to send and receive a Zoho HIPAA compliant email is a must.
So this raises the question: is Zoho Email HIPAA compliant? Let’s take a look.
When we evaluate email systems for HIPAA compliance, here’s the checklist we use:
Let’s see how Zoho Mail measures up!
If you go through their website, you’ll notice that Zoho email and HIPAA compliance is a challenge. If you take a look at the interesting feedback/responses from Zoho support in this conversation, the legal team seems happy to sign a HIPAA BAA. But at the same time, it raises questions about encryption.
This conversation seems to hint that Zoho now does indeed take care of encryption, but it isn’t clear if that’s just for CRM or email as well.
Unfortunately, if you trawl through their website, you’ll find that Zoho won’t sign a HIPAA BAA. This is the reality even though they give the impression that they would be “happy” to sign one (on some pages). We take these inconsistencies as a big warning sign for handling medical data!
A Zoho HIPAA compliant email setup will demand (at least) two-factor authentication (2FA). When your email platform has 2FA enabled, it requires a second level of authentication before granting access to your account.
What does that mean?
Single-factor authentication only requires your username and password. 2FA will ask you to provide a combination of these three types of credentials (after entering your email address/user ID and password):
In most cases, this process is as simple as typing in a verification code sent to your registered mobile number. It can also be a code generated by the Google Authenticator app.
Zoho does offer multi-factor authentication. You can read more about adding this feature HERE.
All emails stored on your computer will be encrypted. But that’s more up to you and how you set up your computer. If you just access Zoho using your browser, then your connection should be encrypted.
If you need help with this, we can help!
This is the same as above. To send a HIPAA compliant email with Zoho, you have to ensure that the connection from your computer to the email platform is encrypted. If you’re accessing Zoho through your browser, you’re all set.
If you use something else (like Outlook or Apple Mail), then encryption will be something you set up when you first connect to Zoho.
Your emails stored on the email server will be encrypted.
Zoho now provides Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption. This approach uses cryptography to digitally sign and encrypt your emails. When it’s implemented, it blocks unauthorized access.
If you have deployed end-to-end encryption, it’ll be safe to share sensitive information within your company. This means encrypting all connections between computers and your email platform.
You can send emails containing PHI once S/MIME protocols are configured to ensure compliance. For example, PHI can mean a diagnosis or the name of prescribed medication (like "Zoloft").
But it's critical to note that both the sender and the receiver must enable S/MIME. This is not always going to be easy! You also need a valid S/MIME certificate.
Secure communication between your practice and your patients also requires some additional steps. You can read more about that HERE.
Zoho Mail does have an efficient email logging system that meets HIPAA logging requirements. To check email logs, you have to follow these simple steps:
Zoho Mail also provides protection against phishing. But it’s important to note that these features are pretty basic.
If you want to learn more about sending and receiving HIPAA compliant emails, go over these seven tips.
The bottom line is this – Zoho isn't HIPAA compliant.
Zoho Mail checks a lot of the boxes, but the fact that they won't sign a HIPAA BAA eliminates them immediately!
The fact that they allow conflicting information to be published on their site is also a serious cause for concern. As things stand, there is no way to send a Zoho HIPAA compliant email!
The good news is that there are other options out there that boast similar features while ensuring regulatory compliance.
Zoho email alternatives that are HIPAA Compliant (after they’re set up properly):
So if your practice is using Zoho Mail, don’t send any PHI in emails. Before engaging with patients, you should also get consent from them to use insecure emails.