Is Zoom HIPAA-Compliant?
By Stephen Trout, HIPAA Blog, HIPAA Hosting, Resources, Security

We’ve all heard the painful cries: “Ugh! I thought I was on mute!”; “Oh my, was that on video?”; “Did she really just post that chat?”   

The Zoom horror stories are now being told – and just in time for Halloween. Classrooms, businesses – even network news contributors – have all had their share of mortifying (and even career-altering) moments while adjusting to a new way of relating.

To be sure, pandemic quarantining and safety concerns propelled video conferencing apps (colloquially lumped together as “Zoom”) to new heights. Yet despite the actual Zoom’s widespread popularity – it is now in use by more than 750,000 businesses – it was a lack of inherent security that brought Zoom down to earth with a horror story of its own.

Protected Healthcare at Risk

For healthcare, HIPAA’s privacy requirements for protected health information (PHI) were at issue.

Although numerous healthcare organizations around the globe have used Zoom for years – for patient consults especially – HIPAA regulations must govern usage in the United States.  

Zoom – a low-cost, cloud-based provider of video and web conferencing – had touted the use of “end-to-end encryption” to protect sensitive data. This proved not to be adequate, however, as the encryption between the Zoom server and client was deemed insufficient. 

The result? ‘Zoom bombings’ – in which hackers stole patient IDs and other sensitive data from recordings – led some companies to ban the use of the technology altogether.

In March 2020, a lawsuit citing the above security risks was filed. The suit also claimed that Zoom allowed personal data to be shared with Facebook, Google, and LinkedIn. Eventually, the company settled for $86 million, promising to fix the privacy and security issues.

Is Zoom HIPAA Compliant?

Hands down, Zoom is the most popular, global video call platform. Some 80 countries currently use Zoom as their primary video-calling app. Google Meet – which also offers a free plan – is in second place with 28 countries naming it as their top tool, followed by Microsoft Teams with 7 countries. 

Zoom’s popularity, in part, owes to its provision of a free version that permits up to 100 participants to meet for up to 40 minutes. Many cash-strapped schools have made welcome use of this technology. Yet how does this apply to healthcare?

All software solutions that handle protected health information (PHI) are subject to HIPAA regulations. They must apply a range of safeguards – including technical, physical, and administrative – to maintain the privacy, integrity, and confidentiality of sensitive data. 

Zoom released a scalable, cloud-based telehealth service in 2017, specifically designed for compliant communications between providers and their patients. 

The usual HIPAA safeguards were employed: access/authentication controls, end-to-end AES-256-bit encryption for all communications, and integration with the Epic electronic health record system.

Still, the question of whether Zoom “out-of-the-box” is HIPAA-compliant needs examination.

So is Zoom HIPAA compliant? Should the platform be used by healthcare providers, plans, and clearinghouses (aka, “HIPAA-covered entities”)? 

If so, Zoom is considered a business associate, and must agree to sign a business associate agreement (BAA) with any HIPAA-covered entity – committing to protect that entity’s data and maintain privacy – before offering its services.

To its credit, Zoom acted quickly to keep its promise to improve security, announcing the release of 100 new safety features in July 2020. These included:

  • end-to-end encryption for all users
  • meeting passwords by default
  • user choice of the data centers through which calls are routed
  • consultations with security experts
  • the formation of a CISO council
  • an improved bug bounty program
  • third-party testing of security features

As it stands now, Zoom is prepared to sign a business associate agreement, and states that all security controls required for a HIPAA-compliant platform have been implemented.

So the answer – for Zoom’s part – is yes: Zoom is HIPAA-compliant for use in healthcare, with a BAA in place. As we often point out, however, all users (patients included) are responsible for using the tool in a HIPAA-compliant manner.

Zoom’s HIPAA Compliant Features 

As summarized by Compliancy Group, with a BAA in place, Zoom meets HIPAA Security Rule requirements, since:

1. “…Zoom contains authentication measures. Authentication consists of implementing procedures to verify that a person or entity seeking access to electronically protected health information is the person he or she claims to be. Zoom, on its website, indicates that it provides two common types of authentication:

  • OAuth 2.0, for authenticating a user context; and
  • JSON Web Tokens (JWT), for authenticating server-to-server apps.

Zoom states on its website that JWT authentication is best used for transmitting data to and from Zoom between trusted services or servers.

2. Zoom contains access control measures. The Security Rule requires access controls. Access controls regulate who or what can view or use resources in a computing environment. Access controls are necessary so that only those with a legitimate need to access ePHI are given access to that ePHI.

3. Zoom uses end-to-end encryption to secure all communications. End-to-end encryption is necessary to ensure only the sender and recipient of an electronic message can read the content of that message. The setting “Require Encryption for 3rd Party Endpoints (H323/SIP)” is enabled for all members of an account, upon sign-in.

Upon signing a BAA with Zoom, the following security measures are enacted on a Zoom account:

  • Cloud Recording will be disabled.
  • Encrypted chat will be enabled.
  • The setting “Require Encryption for 3rd Party Endpoints (H323/SIP)” will be enabled for all members of an account.
  • Text messages will be encrypted.
  • Offline messages will only be available after all parties initiate a cryptographic key exchange.”

The Video-Conference Boon

Globally, the video conferencing market is primed for growth, expected to reach $19.73 billion by 2030. No doubt healthcare will play a large role, as video conferencing benefits hard-to-reach populations, facilitates streamlining of appointments, and continues to help prevent the spread of infections.  

The pandemic has no doubt changed us all; yet even as in-person classes for students and most social gatherings have largely resumed, video conferencing – now an accepted tool for remote work as well as healthcare delivery – appears here to stay.

HIPAA Vault is a leading provider of HIPAA-compliant solutions, including secure Linux hosting and HIPAA WordPress, and is a Certified Google Technology Partner. We enable healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. For more information, please visit our website at www.hipaavault.com.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.