Secure business email with HIPAA compliance

  • The Health Insurance Portability and Accountability Act, HIPAA (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, Zoho Mail provides features to help the administrators to configure and use email within the premises of HIPAA compliance.

    HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to

    Zoho Mail provides the following features and controls that allow administrators to implement a HIPAA-compliant email service for their organization.

  • User roles and permissions

    Zoho Mail provides role-based access to the administration panel. The Super administrator role can be assigned to only one user and further only the super administrator can choose to assign the administrator role to the members of the organization.

    The administrators will have permission to create accounts, manage the security policies, monitor audit logs, etc. The users will not have permission to access the Admin Console and cannot view or access the administrator's functions. Refer here for more details on the roles and privileges.

  • Security controls

    Zoho Mail provides the administrators with a stronghold over the security policies of the organization. The administrator can enforce and customize the following policies to suit their organization's compliance requirements:

    1. TFA/MFA
    2. Password policy
    3. Access control
    4. IP based restrictions
    5. Email restrictions
  • Encryption

    Emails are stored on Zoho Mail servers in an encrypted format. Data is split into fragments and each fragment is then further encrypted before being stored on our disks. The keys that are used for encryption are managed with the utmost safety and reliability. The Data transmissions when using Zoho Mail via POP/ IMAP/ SMTP are encrypted using Transport Layer Security (TLS) protocol. We also use the latest and secure ciphers like AES_CBC/AES_GCM 256 bit/128-bit keys for email encryption. All data transfers on the web happen in secure mode (HTTPS). These ensure that your Zoho Mail data is protected from unauthorized access, disclosure, or modification both within and outside your organization's domain.

    The service data stored in Zoho Mail is Encrypted At Rest(EAR). All the data are encrypted in transit also. The highly secure physical controls at data centers and transit level encryption ensure that your data stays well protected.

    Besides the default encryption, the administrator can opt for an additional layer of encryption via S/MIME support which uses SSL certificate-based encryption.

  • Email Deletion

    Zoho Mail provides appropriate features in the web interface to allow users to delete their data. The users can delete their email data using the Delete option. However, if the admin has enabled retention and eDiscovery for the users, a copy of the email will be available in the eDiscovery portal based on the retention period defined by the administrator.

    When the admins delete the user accounts from the control panel, the data associated with the user will be scheduled for deletion and will be deleted within 30 days of actual user deletion.

  • Audit trail

    Zoho Mail provides extensive audit logs to record the activities from the Admin Panel. The admin audit logs are available for a period of 1 year. The users email logs can also be checked from Zoho Mail adminpanel. The email logs are available for a period of 90 days.

    Apart from that the logs can also be exported on need basis from the control panel by the administrator.

  • Data retention

    The administrators can enable eDiscovery (available in premium plans) - which creates a complete back up of emails based on the conditions chosen by the administrator. This can be enabled by the organization, for legal and compliance purposes - based on their requirements.

    Using eDiscovery, the administrators can define a retention period for the data that is being retained based on the preset conditions set by the administrators.

    eDiscovery is available only in the premium plans of Zoho Mail. The generic backup and recovery options are available in all the plans of Zoho Mail. The administrators can take periodic backup of email data, based on their requirement and store in their local storage. In case if any critical email data is deleted, the administrator can restore the emails, within 30 days of deletion.

  • Modification of Terms of Use

    Zoho reserves the right to modify the Terms. Modifications to the Terms are effective upon your use of Zoho Mail subsequent to publication of such modification.

  • Disclaimer: The content presented here is not to be construed as legal advice. This is a guideline on how Zoho Mail provides control to the organizations to be HIPAA compliant. Please contact your legal advisor to know how HIPAA is applicable and how it impacts your organization and the processes involved to be HIPAA compliant.