The short answer: Zoom Healthcare, Microsoft Teams (Business/Enterprise), Cisco Webex (paid plans), Google Meet through Google Workspace (paid), and Slack (Business+ and Enterprise Grid) can all be made HIPAA compliant — but only with a signed Business Associate Agreement (BAA). FaceTime, WhatsApp, Signal, Skype (consumer), and all free versions of every major platform are not HIPAA compliant and cannot be made so regardless of encryption settings or configuration. Using a non-compliant platform to discuss patient information is a direct HIPAA violation under 45 CFR Part 164, with penalties ranging from $100 to $50,000 per violation.


Already on a HIPAA-compliant video platform but not sure if your hosting environment is covered? HIPAA Vault provides managed HIPAA-compliant hosting for healthcare organizations — with a signed BAA, U.S.-based private servers, and 24/7 security monitoring.

See hosting plans →


Full Platform Comparison

🔄 Rotate your phone for a better view of the comparison table.
Platform HIPAA Compliant? BAA Available? Which Plan? Verdict
Zoom Yes Zoom Healthcare or Business/Enterprise Use paid plan + BAA
Microsoft Teams Yes Microsoft 365 Business/Enterprise Use paid plan + BAA
Google Meet Yes Google Workspace Business Plus+ Use paid plan + BAA
Cisco Webex Yes Webex Business/Enterprise Use paid plan + BAA
Slack Yes Business+ or Enterprise Grid Use qualifying plan + BAA
Zoom (free) No N/A Do not use for PHI
FaceTime No No plan available Do not use for PHI
WhatsApp No No plan available Do not use for PHI
Signal No No plan available Do not use for PHI
Skype (consumer) No No plan available Do not use for PHI
Facebook Messenger No No plan available Do not use for PHI

Don’t Trust Patient Data to Standard Web Hosting

Protect your practice from breaches and fines. Our hosting includes intrusion detection, firewalls, and audit logs.

Learn More

Why Video Conferencing Platforms Need HIPAA Compliance

Any time a healthcare provider discusses patient information — symptoms, diagnoses, treatment plans, test results — over a video call, that conversation involves protected health information (PHI). Under HIPAA, any technology platform that transmits, processes, or stores PHI must sign a Business Associate Agreement with the covered entity.

Without a BAA, using a video conferencing tool for patient consultations, care team discussions, or telehealth appointments is a direct HIPAA violation — even if the call itself is encrypted and seems secure.

The BAA requirement applies regardless of:

  • Whether you’re recording the call or not
  • Whether a patient is on the call or not
  • How brief the clinical discussion is

If PHI is mentioned, the platform must be covered by a signed BAA. The HHS Office for Civil Rights (OCR) has enforced this standard across a wide range of communication tools and has issued penalties exceeding $1 million for violations involving unsecured transmission of PHI.

As Gil Vidals, CTO and co-founder of HIPAA Vault, explains — the technology itself is only part of the equation:

“No matter how robust the technology is, you spend a lot of money on technology, and a lot of times there are breaches and other unauthorized access that happens because of the employee’s lack of training or malicious intent.”


Don't wait until it's too late. Download our free HIPAA Compliance Checklist and make sure your organization is protected.

Is Zoom HIPAA Compliant?

Zoom can be HIPAA compliant, but not on all plans. Zoom offers a Zoom Healthcare plan specifically designed for healthcare providers, as well as Business and Enterprise plans where a BAA can be executed. Zoom’s own documentation confirms that HIPAA compliance is only available on paid plans.

Zoom’s free plan is NOT HIPAA compliant. Zoom explicitly states that the free tier does not include a BAA and should not be used to transmit PHI.

What Zoom Requires for HIPAA Compliance

  1. Upgrade to Zoom Healthcare, Business, or Enterprise — the BAA is only available on paid plans
  2. Sign a BAA with Zoom — this is a separate step from upgrading your plan
  3. Disable cloud recordings unless using a HIPAA-compliant cloud storage solution
  4. Configure meeting settings — disable automatic AI summaries and third-party integrations that haven’t signed BAAs
  5. Use waiting rooms to verify participants before admitting them
  6. Train staff on proper use — not sharing screens containing PHI unnecessarily

Zoom Healthcare vs Business Plan

Zoom Healthcare adds features like virtual backgrounds branded for clinical settings and integration with EHR platforms, and is explicitly marketed for HIPAA-covered entities. For most clinical practices, Zoom Healthcare is the recommended path. The standard Business plan can also be made HIPAA compliant with a BAA, but requires more manual configuration.


Is Microsoft Teams HIPAA Compliant?

Yes — Microsoft Teams can be HIPAA compliant on Microsoft 365 Business Basic, Standard, Premium, and Enterprise plans. Microsoft signs a BAA as part of its Microsoft Online Services Terms, covering Teams alongside other Microsoft 365 services.

Microsoft Teams on personal Microsoft accounts is NOT HIPAA compliant. Only organizational (work/school) accounts on qualifying plans are covered.

What Teams Requires for HIPAA Compliance

  1. Use a qualifying Microsoft 365 plan — not a personal account
  2. Confirm your BAA with Microsoft — included in Online Services Terms for eligible plans
  3. Configure compliance settings — turn on audit logging, configure retention policies for messages and recordings
  4. Restrict external sharing — limit who can join meetings and what they can share
  5. Enable sensitivity labels — classify and protect content shared in Teams
  6. Train staff on proper use of Teams channels and chat for clinical communications

Microsoft Teams as Part of Microsoft 365

A key advantage of Teams is that it’s part of the broader Microsoft 365 ecosystem. If your practice already uses Outlook for HIPAA-compliant email, the same Microsoft 365 subscription often covers Teams — making it a cost-effective addition with a single BAA covering multiple services.


Is Google Meet HIPAA Compliant?

Google Meet can be HIPAA compliant when used through a paid Google Workspace plan where a BAA has been executed with Google. Google signs a BAA as part of Google Workspace Business and Enterprise plans, and Google Meet is explicitly listed among Google’s HIPAA-eligible services.

Google Meet through personal Gmail accounts is NOT HIPAA compliant. The free consumer version of Google Meet does not carry a BAA and should not be used for telehealth or clinical discussions.

What Google Meet Requires for HIPAA Compliance

  1. Use Google Workspace Business Plus or higher — not a personal Gmail/Meet account
  2. Execute a BAA with Google — available through the Google Workspace Admin console
  3. Verify Google Meet is on Google’s list of HIPAA-eligible services — Google publishes this list and Meet qualifies for paid Workspace plans
  4. Configure recording and storage settings — recordings stored in Google Drive must be in a HIPAA-configured Workspace environment
  5. Disable consumer-facing features — some Workspace settings need to be locked down for clinical use

Cisco Webex: HIPAA Compliance Explained

Is Cisco Webex HIPAA Compliant?

Yes — Cisco Webex offers HIPAA-compliant video conferencing on its Webex Business and Enterprise plans, where a BAA can be executed with Cisco. Cisco’s compliance documentation confirms BAA availability for qualifying plans.

The free Webex plan is NOT HIPAA compliant and does not include a BAA.

What Webex Requires for HIPAA Compliance

  1. Upgrade to a paid Webex Business or Enterprise plan
  2. Sign a BAA with Cisco Webex — reach out to Cisco’s sales team to execute
  3. Configure encryption settings — Webex supports end-to-end encryption; ensure it is enabled
  4. Review data retention settings — configure meeting recording retention per your organization’s policies
  5. Restrict participant access — use host controls to manage who can join and share

Cisco Webex has a strong presence in enterprise healthcare environments, particularly in hospital systems and large health networks. It integrates well with enterprise identity management systems like Active Directory and SSO.


Is Slack HIPAA Compliant?

Slack can be HIPAA compliant on its Business+ and Enterprise Grid plans, where a BAA can be executed. Slack’s compliance documentation confirms BAA availability on qualifying plans.

Slack’s Free and Pro plans are NOT HIPAA compliant. Only Business+ and Enterprise Grid include BAA coverage.

What Slack Requires for HIPAA Compliance

  1. Upgrade to Slack Business+ or Enterprise Grid
  2. Sign a BAA with Slack — available upon request for qualifying plans
  3. Configure message retention policies — set retention periods appropriate to your compliance requirements
  4. Restrict app integrations — only connect apps that have their own BAA coverage
  5. Enable audit logging — required for HIPAA compliance monitoring
  6. Train staff — Slack is primarily a messaging platform; ensure staff understand what can and cannot be shared in channels

Slack’s Role in Healthcare Communications

Slack is particularly useful for internal care team communications — coordinating schedules, sharing non-PHI updates, and managing workflows. When properly configured with a BAA, it can also support PHI-containing communications, but this requires careful channel management and integration vetting.


Platforms That Are Never HIPAA Compliant

Is FaceTime HIPAA Compliant?

No. FaceTime is not HIPAA compliant and cannot be made HIPAA compliant — under any plan or circumstance.

Apple does not offer a Business Associate Agreement for FaceTime. Even though FaceTime uses end-to-end encryption, encryption alone does not satisfy HIPAA requirements — the BAA is a legal requirement, not a technical one.

OCR exercised enforcement discretion for patient-initiated FaceTime calls during the COVID-19 public health emergency, but that discretion ended when the emergency declaration expired in May 2023. Providers must now use a HIPAA-compliant platform for all telehealth appointments.

The only lower-risk exception: If a patient initiates a FaceTime call for a non-clinical purpose and no PHI is discussed. However, best practice is always to redirect to a compliant platform.


Is WhatsApp HIPAA Compliant?

No. WhatsApp is not HIPAA compliant and cannot be made HIPAA compliant.

Meta does not offer a Business Associate Agreement for WhatsApp on any plan — personal or business. End-to-end encryption does not make it HIPAA compliant. HIPAA requires a BAA, proper audit logging, access controls, and data retention policies that WhatsApp does not support.

Do not use WhatsApp to:

  • Conduct telehealth video calls
  • Send photos of prescriptions or medical records
  • Discuss diagnoses, treatment plans, or test results
  • Share appointment details that could be linked to a health condition

Is Signal HIPAA Compliant?

No. Signal is not HIPAA compliant.

Signal is one of the most secure messaging apps available — it uses end-to-end encryption and does not store message metadata. However, Signal does not offer a Business Associate Agreement, does not support enterprise audit logging, and is not designed for healthcare compliance use cases.

Encryption is a necessary component of HIPAA compliance, but it is not sufficient on its own. The BAA is required regardless of how secure the underlying technology is.


Is Skype HIPAA Compliant?

Consumer Skype is not HIPAA compliant. Microsoft does not offer a BAA for the consumer version of Skype. If your organization needs a Microsoft video calling solution, Microsoft Teams on a qualifying Microsoft 365 business plan is the HIPAA-compliant alternative.


Is Facebook Messenger HIPAA Compliant?

No. Facebook Messenger is not HIPAA compliant and cannot be made so.

Meta does not offer BAAs for Messenger. Do not use Messenger for any clinical discussions or patient communications involving PHI.


What No HIPAA Compliant Video Platform Can Protect You From

Choosing the right platform is essential — but it is not the entire picture. The platform signs a BAA covering the infrastructure. What happens on the call is still your organization’s responsibility.

As Gil Vidals, CTO and co-founder of HIPAA Vault, explains:

“No matter how robust the technology is, you spend a lot of money on technology, and a lot of times there are breaches and other unauthorized access that happens because of the employee’s lack of training or malicious intent.”

Beyond choosing the right platform, healthcare organizations need:

  • Staff training on what can and cannot be discussed over video — and when to use secure messaging instead
  • Screen sharing policies — never share screens containing PHI unless the session is fully secured
  • Recording policies — know where recordings are stored and who can access them
  • Verification protocols — confirm patient identity before beginning a telehealth session

There is also an emerging threat specific to video calls: deepfake attacks. In 2024, a finance employee was tricked into transferring $25 million during a video call where every other participant was an AI deepfake simulation of real colleagues. The same technique could be used to impersonate physicians or administrators in a healthcare setting. The defense is practiced verification: if someone makes an unusual request over video, end the call and call them back on a verified number.

Gil Vidals on the broader threat landscape:

“The bad actors are getting more sophisticated every year. The tools that used to require nation-state resources — now somebody with a laptop and a subscription can run those attacks. Healthcare is the number one target because the data is worth so much.”


Is your video conferencing covered — but your hosting environment isn’t? A BAA with Zoom or Teams only covers those platforms. Your website, patient portal, may still be out of compliance.

Talk to a HIPAA Vault specialist →


Free Video Conferencing and HIPAA: The Definitive List

No free video conferencing plan from any major vendor is HIPAA compliant. This includes:

  • ❌ Free Zoom
  • ❌ Free Google Meet (personal Gmail)
  • ❌ Microsoft Teams (personal accounts)
  • ❌ Free Webex
  • ❌ Free Slack (Free and Pro plans)
  • ❌ FaceTime (any version)
  • ❌ WhatsApp (any version)
  • ❌ Signal
  • ❌ Skype (consumer)
  • ❌ Facebook Messenger

If a patient initiates a call using one of these platforms, the provider has not automatically violated HIPAA by answering — OCR has historically exercised some discretion for patient-initiated communications. However, providers should not initiate patient calls using non-compliant platforms, should avoid discussing PHI on them, and should document that the patient was offered a secure alternative.


Which Platform Should You Choose?

The best choice depends on your existing technology stack:

If you already use…Consider…
Microsoft 365 for email and productivityMicrosoft Teams — BAA likely already in place
Google Workspace for emailGoogle Meet — easy to add to existing BAA
A mix of vendors or no existing suiteZoom Healthcare — purpose-built for clinical use
Large enterprise with Cisco infrastructureCisco Webex — strong enterprise controls
Internal team messagingSlack Business+ or Enterprise Grid

All five platforms are capable of meeting HIPAA requirements. The decision often comes down to what your practice already uses, total cost, and workflow fit.


What About Your Hosting Environment?

A signed BAA with your video conferencing platform only covers that platform. If your organization also runs a healthcare website, patient portal, or WordPress site that handles PHI, those environments need their own HIPAA-compliant infrastructure and BAA.

HIPAA Vault provides fully managed HIPAA-compliant hosting for healthcare organizations — running on U.S.-based private servers with AES-256 encryption, Web Application Firewall, daily backups, 24/7 malware monitoring, and a signed BAA included on every plan.

View hosting plans →  |  Talk to a specialist →


Frequently Asked Questions


This article is based on publicly available information about each platform’s HIPAA compliance posture as of 2026. Platform policies, pricing, and BAA availability may change — always verify current BAA terms directly with each vendor before implementation. This content is educational and does not constitute legal advice.