    Is Zoom HIPAA Compliant?

    Ensuring HIPAA Compliance with Zoom: Key Considerations for Healthcare Organizations

    by Emily Schwenke

    Key Points

    • This blog was originally posted on the Aware website, but with the acquisition of Aware by Mimecast, we are ensuring it is also available to visitors to the Mimecast website.
    • Zoom for Healthcare, paired with a signed Business Associate Agreement (BAA), includes critical features like end-to-end encryption and secure messaging to support HIPAA compliance.
    • Additional measures, such as using meeting passcodes, enabling waiting rooms, and implementing strong access controls, enhance Zoom’s suitability for handling PHI securely.

    Zoom is a cloud-based video conferencing platform and instant messaging software used by businesses of all sizes in all industries to bring teams together and collaborate faster and more effectively in the workplace. However, Zoom users in highly regulated industries like healthcare must abide by government legislation such as HIPAA. Healthcare providers must take additional steps when using Zoom to ensure they are doing so in a HIPAA-compliant way. 

    What is Zoom? 

    A popular video conferencing tool, Zoom allows users (with or without a Zoom account) to conduct virtual meetings with participants from all over the world. Zoom is a popular platform for business use and became hugely popular when employees were forced to work remotely during the pandemic. Zoom provides real-time video and chat and includes features such as screen sharing, webinar hosting, automatic transcriptions and more. Zoom is available for almost all devices and operating systems. 

    What is Zoom Team Chat? 

    Zoom Team Chat is a messaging feature in the Zoom video conferencing platform that allows users to send text-based messages during a Zoom meeting or outside of a meeting. This enables real-time communication between team members, whether they're in the same physical location or remote. With Zoom Team Chat, users can share ideas, files, and links, and collaborate on projects in a streamlined way across private and group messages and public channels organized by topic. 

    What is HIPAA? 

    Under American law, sensitive information about your health and medical treatment is protected by the Health Insurance Portability and Accountability Act (HIPAA). This Act creates national standards for controlling protected health information (PHI) and electronic PHI (ePHI). HIPAA-covered entities, such as healthcare providers, must follow a strict set of standards to ensure that the PHI they handle is not unlawfully accessed or exfiltrated.  

    Is Zoom HIPAA compliant in 2023? 

    Zoom's standard service does not meet the requirements of HIPAA, so healthcare organizations should use the dedicated Zoom for Healthcare service, especially when providing telehealth services. Zoom for Healthcare is purpose-built to meet the security and privacy standards required by HIPAA by safeguarding the protected health information (PHI) shared within Zoom meetings. However, because Zoom technology is not certifiable by either the Office of the National Coordinator for Health Information Technology or the National Institute of Standards and Technology, Zoom is not officially HIPAA certified. 

    What is Zoom for Healthcare? 

    Zoom has a specific service, called Zoom for Healthcare, which is designed to meet the requirements of HIPAA. This service includes features such as end-to-end encryption, access controls, and secure messaging, which can help to protect the confidentiality, integrity, and availability of patient information. 

    Why is Zoom not HIPAA compliant in all cases? 

    HIPAA is a series of data protection standards that apply to protected health information (PHI). Because this data is confidential, it requires more secure and considered treatment than other, less sensitive types of data. 

    Zoom was designed to make communication and information sharing faster and easier. Adhering to strict data security regulations in all instances would make Zoom harder to use, ultimately defeating its primary purpose in the marketplace. Therefore, tools like Zoom are not HIPAA compliant as standard, but have the capability to be used in a HIPAA-compliant way. 

    Is Zoom HIPAA compliant with a BAA? 

    When doing business, organizations covered under the HIPAA Privacy Rule, such as healthcare providers, must ensure their partners, associates, and contractors also safeguard any PHI data they handle. A HIPAA Business Associate Agreement (BAA) is a legal agreement that outlines the precautions each party will take to protect PHI and keep that information secure. Zoom will enter into BAAs with Zoom for Healthcare users or those on Zoom paid plans. This is an important step for any covered entity to comply with HIPAA while using Zoom. 

    What Zoom plan is HIPAA compliant? 

    To protect PHI, healthcare providers should use the Zoom for Healthcare plan for telehealth, patient consultations, and other web conferencing needs where PHI could be shared. Other versions of Zoom, such as Zoom Pro, and bundles like Zoom One, can be used in ways that comply with HIPAA regulations but may not contain all the necessary features to ensure data privacy. Zoom Basic, the free Zoom plan, is not HIPAA compliant because it does not allow users to enter into a BAA with Zoom. 

    How to make Zoom calls and meetings HIPAA compliant 

    HIPAA compliance involves securing PHI data. Therefore, following general data security best practices can help a company use Zoom in a way that complies with HIPAA regulations. Some examples of how to protect PHI and sensitive data in Zoom meetings include: 

    • Always use a meeting passcode, even when using your Personal Meeting ID 
    • Approve and admit participants individually using the Waiting Room feature 
    • Restrict meeting participants to signed-in accounts or users from specific domains 
    • Lock meetings to prevent users from joining after the start time 
    • Disable screen sharing and recording features for meeting participants 

    In many instances, account owners can enable these settings for all users by default, so you can ensure employees always follow information security best practices while using Zoom. 

    What other steps are required to make Zoom HIPAA compliant? 

    Zoom can be HIPAA compliant for telemedicine if certain security and privacy measures are implemented. Some of the security features included in Zoom for Healthcare that make it HIPAA compliant include: 

    1. End-to-end encryption: Zoom for Healthcare provides end-to-end encryption for all video calls, audio, and chat content to protect the confidentiality of patient information.
    2. Access controls: Zoom for Healthcare allows users to restrict access to meetings and control who can join, share content, and participate in the meeting.
    3. Secure messaging: Zoom for Healthcare provides secure messaging to allow healthcare providers to communicate with patients and other healthcare professionals while protecting the privacy of patient information.
    4. Signed Business Associate Agreement (BAA): Zoom for Healthcare provides a signed Business Associate Agreement (BAA) that outlines the responsibilities and obligations of Zoom as a HIPAA business associate. 

    To ensure that Zoom is fully HIPAA compliant, organizations should also implement additional security measures, such as setting up strong passwords, configuring two-factor authentication, and training employees on HIPAA compliance. 

    Are Zoom transcriptions HIPAA compliant? 

    Zoom offers Business, Education, and Enterprise license customers the ability to generate live audio transcriptions of meetings. These are machine-generated transcriptions using speech-to-text software and have varying degrees of accuracy depending on audio quality, speaker accents, background noise, and complexity of language used. For Zoom for Healthcare users, live transcriptions can be helpful when speaking with patients who are deaf or hard of hearing. Zoom for Healthcare users also have the ability to download an audio transcript and save it to their patient’s electronic health records. 

    Any user within the Zoom call can save the written transcription unless this feature is disabled by the meeting host. This can compromise PHI data if the file is not saved in a secure repository and should be considered before users generate a transcription using Zoom. 

    How does Mimecast support HIPAA compliance in Zoom Team Chat? 

    The Aware collaboration intelligence platform connects with Zoom Team Chat to automatically flag data security risks in real time. 

    • Comprehensive privacy and compliance features  
    • Strict role-based access controls (RBAC) 
    • Granular retention policies for data regulation 
    • Real-time compliance adherence and risk detection 

    Using Aware, healthcare organizations can safeguard PHI through robust compliance adherence workflows backed by industry-leading natural language processing (NLP). Administrators can customize permissions for their organization to target restricted information for more accurate results and fewer false positives, making HIPAA compliance faster and easier to implement and maintain in Zoom Team Chat.  

    Aware also supports advanced federated search capabilities to identify sensitive information within Zoom Team Chat by a wide range of parameters, including regular expression (regex), keyword, custodian, date/time, sentiment and more. This supports faster, more efficient internal investigations, security incident responses, and freedom of information inquiries. 
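    As an added illustration of the search parameters listed above (regex, keyword, custodian, date/time) and of real-time PHI flagging in chat, the following Python is example code written for this article, not Aware's or Mimecast's implementation. The message records and the PHI indicator patterns are constructed for the example, and the message fields (sender, channel, ts, text) are assumed rather than Zoom's export format.

```python
import re
from datetime import datetime

# Constructed sample of Zoom Team Chat messages (not real data, not Zoom's export format).
MESSAGES = [
    {"sender": "dr.lee", "channel": "#oncology", "ts": "2023-03-01T09:15:00",
     "text": "Patient MRN 4471902 needs a follow-up scan next week."},
    {"sender": "nurse.kim", "channel": "#oncology", "ts": "2023-03-01T09:20:00",
     "text": "Noted. Lab results for DOB 04/12/1968 are back."},
    {"sender": "it.help", "channel": "#general", "ts": "2023-03-02T14:05:00",
     "text": "Reminder: enable the Waiting Room on all meetings."},
    {"sender": "dr.lee", "channel": "#general", "ts": "2023-03-03T08:00:00",
     "text": "Lunch at noon?"},
]

# Assumed PHI indicator patterns (illustrative; a real deployment would tune these).
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{6,10}\b", re.I),
    "dob": re.compile(r"\bDOB[\s:]*\d{2}/\d{2}/\d{4}\b", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def flag_phi(messages):
    """Return (message index, pattern name) for every message that matches a PHI indicator."""
    hits = []
    for i, m in enumerate(messages):
        for name, pat in PHI_PATTERNS.items():
            if pat.search(m["text"]):
                hits.append((i, name))
    return hits

def search(messages, regex=None, keywords=(), custodian=None, start=None, end=None):
    """Filter messages by regex, keyword list, custodian (sender) and an ISO date/time window.
    Every criterion that is given must match; criteria left as None/empty are ignored."""
    rx = re.compile(regex, re.I) if regex else None
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    out = []
    for m in messages:
        ts = datetime.fromisoformat(m["ts"])
        if rx and not rx.search(m["text"]):
            continue
        if keywords and not any(k.lower() in m["text"].lower() for k in keywords):
            continue
        if custodian and m["sender"] != custodian:
            continue
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        out.append(m)
    return out
```

    Flagged messages are the ones that should be routed to a reviewer or retention workflow; the search function is the kind of scoped query an internal investigation would run over the same records.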

    With Aware, healthcare organizations can support HIPAA-compliant data management policies in Zoom Team Chat in conjunction with native Zoom HIPAA capabilities and internal policies and procedures. 
