Is Zapier HIPAA Compliant?

by James Keogh

Zapier is not HIPAA compliant and cannot be used to connect apps that create, receive, store, or transmit Protected Health Information (PHI). Zapier will not sign a Business Associate Agreement, in part because many of the apps available on the platform do not themselves support HIPAA compliance, and removing those apps would limit Zapier’s automation capabilities and the benefit of automation to healthcare organizations.

Zapier is a cloud-based task automation platform, and as with other such platforms the question arises of whether Zapier is HIPAA compliant. Zapier connects other apps together to automate repetitive tasks, enabling efficient workflows and easing administrative burdens. This is particularly attractive in busy healthcare settings, but every organization subject to HIPAA must ensure that any software with access to PHI supports HIPAA compliance, which in practice means the vendor implements the required safeguards and will sign a Business Associate Agreement.

There are a few considerations for software to be deemed HIPAA compliant. The software must ensure that any PHI uploaded to the platform (whether only temporarily in transit or for storage) is handled in accordance with the HIPAA Security Rule, which stipulates the minimum administrative, physical, and technical safeguards needed to maintain the confidentiality, integrity, and availability of electronic PHI. Zapier meets many of these safeguards and has a SOC 2 Type II attestation report. Note, however, that SOC 2 is an independent auditor’s attestation against the AICPA Trust Services Criteria, not a HIPAA certification; there is no official HIPAA certification, and a SOC 2 report on its own does not make a platform suitable for PHI.

Why Isn’t Zapier HIPAA Compliant?

Although Zapier has excellent privacy, security, and compliance tools, the platform does not support HIPAA compliance because many of the apps used in automation chains (or “zaps”) do not themselves support HIPAA compliance. These include, but are not limited to, ChatGPT, Calendly, PayPal, and HoneyBook. In addition, Zapier uses a number of sub-processors in the automation process, and some of these also do not support HIPAA compliance. Because the data in a zap passes through Zapier’s own systems and those sub-processors on its way between apps, Zapier itself would be handling PHI, not just the connected apps.

Consequently, Zapier will not enter into a Business Associate Agreement with HIPAA covered entities or their business associates, and states in its guide to Data Privacy: “The use of regulated healthcare and medical data like HIPAA is not supported on Zapier. Zapier also can’t sign business associate agreements (BAAs) or equivalent agreements for handling protected health information (PHI) or other similar information.” As Zapier will not enter into a Business Associate Agreement, HIPAA covered entities and business associates cannot use the platform to create, receive, store, or transmit PHI. In practice this means a HIPAA-regulated organization should treat Zapier like any other unapproved data processor: do not authorize it to connect to systems that hold PHI (EHR, practice management, email, or cloud storage accounts), periodically review the third-party OAuth grants and API keys on those systems for Zapier connections created by workforce members, and choose an automation vendor that will sign a BAA if such workflows are needed.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]