Zoom and HIPAA: Can You Use Zoom for Compliant Telehealth?
By Fernanda Ramirez, HIPAA Blog, Resources

As telehealth becomes mainstream, many clinics and providers turn to Zoom for video visits. Its ease of use and familiar interface make it a popular choice. But when PHI is on the line, you must ask: is Zoom HIPAA compliant?

HIPAA requires covered entities and their business associates to safeguard Protected Health Information (PHI) with specific administrative, technical, and physical controls. This guide explains Zoom’s HIPAA eligibility, critical security settings, and how to configure Zoom for truly compliant telehealth sessions.


Is Zoom HIPAA compliant?

Zoom offers a HIPAA-compliant plan for healthcare customers who sign a Business Associate Agreement (BAA). Under this agreement, Zoom commits to meeting HIPAA’s technical safeguards for ePHI, including encryption and access controls. However, simply choosing the plan is not enough—proper configuration and organizational policies are equally crucial.


Zoom’s BAA and Platform Eligibility

Zoom’s standard free and Pro accounts do not qualify for HIPAA compliance. To use Zoom for PHI, you must purchase a Zoom for Healthcare license and execute Zoom’s BAA. This BAA covers core services—Meetings, Video Webinars, Zoom Phone, Zoom Rooms, and the Zoom client—ensuring Zoom is contractually obligated to handle ePHI securely. Without the BAA, any use of Zoom to transmit PHI would violate HIPAA’s Privacy and Security Rules.

Source: Zoom Support, “HIPAA Compliance” (https://support.zoom.us/hc/en-us/articles/360034919511-HIPAA-compliance)


Key Technical Safeguards in Zoom for HIPAA

Zoom encrypts meeting data in transit using AES 256-bit GCM encryption with TLS 1.2 for signaling. This protects audio, video, and chat content as it moves between endpoints. At rest, recordings and chat files can be encrypted if you enable that option.

Waiting rooms and passcodes prevent unauthorized participants from entering a session. Hosts can lock the meeting once all participants have joined, further restricting access. Role-based access controls ensure only licensed hosts on your account can start or record meetings.

By default, Zoom stores recorded sessions in its cloud. You should enable Zoom’s “Require encryption for third-party endpoints” and “Store encryption key in a secure vault” options to protect recordings and ensure only authorized users can play or download them.


Administrative Requirements: Policies & Training

HIPAA compliance extends beyond technology. Your organization must implement clear policies for telehealth sessions, including guidelines on when and where PHI can be discussed. Staff should receive annual HIPAA training that covers using Zoom securely—such as verifying patient identity, using private rooms, and avoiding PHI in chat messages.

Document an incident response plan that outlines steps for reporting, investigating, and remediating any unauthorized disclosures. Regularly review your Zoom logs for unusual activity, such as repeated failed logins or recording downloads by unrecognized accounts.

Source: HHS Telehealth Guidance (https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html)
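The two log-review patterns named above (repeated failed sign-ins, recording downloads by unrecognized accounts) as a small detection script. This is an added example, not code from Zoom or from HIPAA Vault; the log line format, the account names and the thresholds are constructed for illustration, so adapt parse_line() and AUTHORIZED to your own export.

```python
# Added example: flag repeated failed sign-ins and recording downloads by
# accounts outside the authorized host list in an exported activity log.
# Log format "timestamp,event,account,detail" is constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

AUTHORIZED = {"dr.lee@clinic.example", "admin@clinic.example"}  # assumed host list
FAIL_THRESHOLD = 3              # failed sign-ins by one account ...
WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert

# Constructed sample log, assumed to be in chronological order.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z,signin_failed,dr.lee@clinic.example,ip=203.0.113.7
2024-05-01T09:00:40Z,signin_failed,dr.lee@clinic.example,ip=203.0.113.7
2024-05-01T09:01:05Z,signin_failed,dr.lee@clinic.example,ip=203.0.113.7
2024-05-01T09:15:00Z,signin_ok,dr.lee@clinic.example,ip=198.51.100.4
2024-05-01T10:02:33Z,recording_download,admin@clinic.example,rec=4471
2024-05-01T11:47:10Z,recording_download,contractor@mail.example,rec=4471
"""

def parse_line(line):
    """Split one log line into (timestamp, event, account, detail)."""
    ts, event, account, detail = line.split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, account, detail

def review(log_text):
    """Return alert strings for failed-login bursts and unauthorized downloads."""
    alerts = []
    failures = defaultdict(list)  # account -> recent failed sign-in timestamps
    for line in log_text.splitlines():
        ts, event, account, detail = parse_line(line)
        if event == "signin_failed":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[account] if ts - t <= WINDOW] + [ts]
            failures[account] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(f"{account}: {FAIL_THRESHOLD} failed sign-ins "
                              f"within {WINDOW} ({detail})")
        elif event == "recording_download" and account not in AUTHORIZED:
            alerts.append(f"{account}: recording download by unrecognized "
                          f"account ({detail})")
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print("ALERT", alert)
```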


Configuring Zoom for HIPAA Compliance

Start by enabling your Zoom for Healthcare license and signing the BAA. In your account settings, turn on the HIPAA-specific profile. Require meeting passcodes and enable the waiting room by default. Disable “Join before host” to prevent unattended sessions.

For recordings, choose local or cloud recordings only with end-to-end encryption enabled. Restrict recording downloads to hosts or specified user groups. Disable annotations and private chat for participants to limit PHI exposure in chat logs.
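The settings baseline from the two paragraphs above, turned into an audit script that reports every setting that is missing or set the wrong way. This is an added example, not Zoom's or HIPAA Vault's code; the dotted field names are an assumption modelled on Zoom's REST API user-settings response and may differ from your account export, so adjust BASELINE accordingly.

```python
# Added example: audit an exported Zoom settings document against the
# HIPAA baseline described in the text. Field names are assumed, not verified.
import json

# Each rule: (dotted path into the settings document, required value, reason)
BASELINE = [
    ("schedule_meeting.require_password_for_scheduling_new_meetings", True,
     "meeting passcodes must be required"),
    ("schedule_meeting.join_before_host", False,
     "'Join before host' allows unattended sessions"),
    ("in_meeting.waiting_room", True,
     "waiting room must be on so the host admits each patient"),
    ("in_meeting.annotation", False,
     "participant annotation can expose PHI on shared screens"),
    ("in_meeting.private_chat", False,
     "private chat leaves PHI in chat logs"),
]

def lookup(doc, dotted):
    """Walk a dotted path; return None if any segment is missing."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def audit(settings):
    """Return (path, found_value, reason) for every rule that fails.
    A missing setting is reported as a failure: unknown is not compliant."""
    findings = []
    for path, required, reason in BASELINE:
        found = lookup(settings, path)
        if found != required:
            findings.append((path, found, reason))
    return findings

# Constructed sample export: passcodes and waiting room are on, but
# join-before-host and private chat are enabled and annotation is absent.
SAMPLE = json.loads("""{
  "schedule_meeting": {"require_password_for_scheduling_new_meetings": true,
                       "join_before_host": true},
  "in_meeting": {"waiting_room": true, "private_chat": true}
}""")

if __name__ == "__main__":
    for path, found, reason in audit(SAMPLE):
        print(f"FAIL {path} = {found!r}: {reason}")
```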

Integrate Zoom with your electronic health record (EHR) system using Zoom’s secure API. This ensures sessions and metadata are logged in your patient records without manual entry, reducing transcription errors and audit gaps.


Common Pitfalls & How to Avoid Them

Using a free Zoom account to host patient calls instantly breaks HIPAA compliance. Public links shared via email or social media can lead to unintended access. Allowing participants to annotate or screen-share without supervision risks exposing PHI inadvertently.

Another common mistake is storing recordings in shared cloud drives without encryption. Always verify that recordings are encrypted at rest and accessible only to authorized personnel. Finally, neglecting to train staff on these settings can result in misconfigurations—regular audits help catch errors before they lead to a breach.


How HIPAA Vault Complements Zoom

While Zoom secures the video layer, your backend infrastructure also needs protection. HIPAA Vault provides compliant hosting, encrypted email, and SFTP services that integrate seamlessly with Zoom. Our environments include automated patching, intrusion detection, and full audit logging. We offer BAAs for all our services and expert support to ensure your entire telehealth workflow remains compliant—from video calls to patient data storage.


Conclusion & Next Steps

Zoom can be HIPAA compliant when used under the proper plan, with a signed BAA and stringent configurations. But compliance requires more than technology. You need well‑defined policies, ongoing staff training, and a secure infrastructure.

Ensure your telehealth practice covers every angle. Partner with HIPAA Vault for comprehensive, HIPAA‑ready hosting and support. Secure your telehealth workflow today.