Secure transactional email with HIPAA compliance

  • The Health Insurance Portability and Accountability Act, HIPAA (including the Privacy Rule, Security Rule, Breach Notification Rule, and Health Information Technology for Economic and Clinical Health Act), requires Covered Entities and Business Associates to take certain measures to protect health information that can identify an individual. It also provides certain rights to individuals. Zoho does not collect, use, store or maintain health information protected by HIPAA for its own purposes. However, ZeptoMail provides features to help the administrators to configure and use email within the premises of HIPAA compliance.

    HIPAA requires Covered Entities to sign a Business Associate Agreement (BAA) with their Business Associates. You can request our BAA template by sending an email to

  • ZeptoMail features to protect ePHI

    We identify the following items as ePHI:

    1. Email content
    2. Recipient email address
    3. Recipient name
    4. Attachments

    ZeptoMail provides the following features and controls that allow administrators to implement a HIPAA-compliant email service for their organization.

  • User roles and permissions

    ZeptoMail provides role-based access to all accounts. Postmaster, Engineer and Viewer roles can be assigned to users to manage their create, view, edit and delete permission on entities like domains, Mail Agents, reports etc.

    Users can also be provided access to specific Mail Agents (Email groups) that they'll need access to instead of giving everyone access to all the emails.

  • Encryption

    Emails are stored on ZeptoMail servers in an encrypted format. Data is split into fragments and each fragment is then further encrypted before being stored on our disks. The keys that are used for encryption are managed with the utmost safety and reliability. The Data transmissions when using ZeptoMail via SMTP are encrypted using Transport Layer Security (TLS) protocol. We also use the latest and secure ciphers like AES_CBC/AES_GCM 256 bit/128-bit keys for email encryption. All data transfers on the web happen in secure mode (HTTPS). These ensure that your ZeptoMail data is protected from unauthorized access, disclosure, or modification both within and outside your organization's domain.

    The service data stored in ZeptoMail is Encrypted At Rest(EAR). All the data are encrypted in transit also. The highly secure physical controls at data centers and transit level encryption ensure that your data stays well protected. You can find more information on our Security page.

  • IP Restrictions

    ZeptoMail gives users the option to restrict the IPs from which emails are sent. They can add IP addresses/ranges that are authorized for email sending. While users can access the account from any IP, email sending will only be allowed from the provided IPs.

  • Spam rate monitoring

    ZeptoMail verifies each new account to ensure that our user's usage is compatible with our platform. Even after account creation, accounts are closely monitored for spam rates and usage to ensure there is no misuse of our service.

  • Two Factor Authentication

    Secure your account from unauthorized access with two-factor authentication. You can use Zoho OneAuth application, Touch ID, or even send codes to yourself as an extra layer of defense during login.

  • Activity Logs

    Every account has an Activity Logs sections that allows users to track all actions performed by every user added to their account. Action can be newly created entity, modification or deletion of an entity.

    The Activity Logs mention the details of the user, action performed by the user, date and time of the action and the entity the action was performed on. The Activity Logs will be stored for a period of 1 year from the date of the action. The logs can be exported on request by the user. They can write to to have the logs exported.

  • Email Authentication Protocols

    Transactional emails carry crucial information that is specific to your users. In order to ensure the protection of these emails, we have iron-clad verification and monitoring procedures in place. Every domain added in ZeptoMail for email sending has to be verified. Domains are verified in ZeptoMail using SPF ( Sender Policy Framework), DKIM ( DomainKeys Identified Mail) and DMARC ( Domain-based Message Authentication Reporting and Conformance).

  • Modification of Terms of Use

    Zoho reserves the right to modify the Terms. Modifications to the Terms are effective upon your use of ZeptoMail subsequent to publication of such modification.

  • Disclaimer: The content presented here is not to be construed as legal advice. This is a guideline on how ZeptoMail provides control to the organizations to be HIPAA compliant. Please contact your legal advisor to know how HIPAA is applicable and how it impacts your organization and the processes involved to be HIPAA compliant.