Zoom is a popular video and web conferencing platform that has been adopted by more than 750,000 businesses, but is the service suitable for use by healthcare organizations for sharing PHI? Is Zoom HIPAA compliant?
What is Zoom?
Zoom is a cloud-based video and web conferencing platform that allows workers across multiple locations to take part in meetings, share files, and collaborate. The platform supports webinars and includes a business IM service.
Zoom has already been adopted by many healthcare organizations around the globe who use the platform to consult with other providers and communicate with patients. However, in the United States, healthcare providers, health plans, and healthcare clearinghouses (collectively “HIPAA covered entities”) using the platform must comply with HIPAA Rules.
Any software solution used to share patient information must incorporate a host of security protections to ensure protected health information (PHI) is safeguarded. Further, cloud-based platform providers (in this case Zoom) are classed as business associates and are also required to comply with HIPAA Rules if their platforms are to be used to share PHI.
Zoom and HIPAA Compliance
As a business associate, Zoom is required to enter into a contract with a HIPAA covered entity before its service can be used to share PHI. That contract, a Business Associate Agreement, serves as confirmation that Zoom is aware of its responsibilities with regard to the privacy and security of PHI.
Zoom is prepared to sign a business associate agreement with healthcare organizations and has ensured that its platform incorporates all of the necessary security controls to meet the strict requirements of HIPAA.
In April 2017 Zoom announced that it had launched the first scalable cloud-based telehealth service for the healthcare industry. Zoom for Telehealth allows enterprises and providers to communicate easily with other organizations, care teams, and patients in a HIPAA-compliant manner.
The service incorporates access and authentication controls, all communications are secured with end-to-end AES-256 bit encryption, and the platform integrates with the Epic electronic health record system to support healthcare workflows.
This year Zoom announced that it has partnered with a global telehealth integrator and that its platform has been further enhanced to support full enterprise healthcare workflows.
Is Zoom HIPAA Compliant?
Zoom is a HIPAA compliant web and video conferencing platform that is suitable for use in healthcare, provided a HIPAA covered entity enters into a business associate agreement with Zoom prior to using the platform and uses the platform compliantly (i.e., adhering to the HIPAA Minimum Necessary Standard).
It is still possible for HIPAA Rules to be violated using the platform, so users must be aware of their responsibilities with respect to patient privacy, and only share or communicate PHI with individuals authorized to receive the information. It is the responsibility of the covered entity to ensure Zoom is used correctly and HIPAA Rules are always followed.
Update March 2020: There are now serious concerns about the security of Zoom. This creates doubts about using Zoom for communicating medical information, which needs to be protected under HIPAA.