
Is Zoom HIPAA Compliant?

Zoom is a popular video and web conferencing platform that has been adopted by more than 750,000 businesses, but is the service suitable for use by healthcare organizations for sharing PHI? Is Zoom HIPAA compliant?

What is Zoom?

Zoom is a cloud-based video and web conferencing platform that allows workers across multiple locations to take part in meetings, share files, and collaborate. The platform supports webinars and includes a business IM service.

Zoom has already been adopted by many healthcare organizations around the globe who use the platform to consult with other providers and communicate with patients. However, in the United States, healthcare providers, health plans, and healthcare clearinghouses (collectively “HIPAA covered entities”) using the platform must comply with HIPAA Rules.

Any software solution used to share patient information must incorporate a host of security protections to ensure protected health information (PHI) is safeguarded. Further, cloud-based platform providers (in this case Zoom) are classed as business associates and are also required to comply with HIPAA Rules if their platforms are to be used to share PHI.


Zoom and HIPAA Compliance

As a business associate, Zoom would be required to enter into a contract with a HIPAA covered entity before its service can be used to share PHI. That contract – a Business Associate Agreement – serves as a confirmation that Zoom is aware of its responsibilities with regards to the privacy and security of PHI.

Zoom is prepared to sign a business associate agreement with healthcare organizations and has ensured that its platform incorporates all of the necessary security controls to meet the strict requirements of HIPAA.

In April 2017 Zoom announced that it had launched the first scalable cloud-based telehealth service for the healthcare industry. Zoom for Telehealth allows enterprises and providers to communicate easily with other organizations, care teams, and patients in a HIPAA-compliant manner.

The service incorporates access and authentication controls, all communications are secured with end-to-end 256-bit AES encryption, and the platform integrates with the Epic electronic health record system to support healthcare workflows.

This year Zoom announced that it has partnered with a global telehealth integrator and that its platform has been further enhanced to support full enterprise healthcare workflows.

Is Zoom HIPAA Compliant?

Zoom is a HIPAA compliant web and video conferencing platform that is suitable for use in healthcare, provided a HIPAA covered entity enters into a business associate agreement with Zoom prior to using the platform and uses the platform compliantly (i.e. adhering to the HIPAA Minimum Necessary Standard).

It is still possible for HIPAA Rules to be violated using the platform, so users must be aware of their responsibilities with respect to patient privacy, and only share or communicate PHI with individuals authorized to receive the information. It is the responsibility of the covered entity to ensure Zoom is used correctly and HIPAA Rules are always followed.

Update March 2020: There were serious concerns about the security of Zoom. This creates doubts about using Zoom for communicating medical information, which needs to be fully protected under HIPAA. Zoom has publicly committed to upgrading its security and fixing all security problems.

Update for February 2022: These technical issues have now largely been resolved, and as of February 2022 Zoom offers a business associate agreement to organizations in the healthcare industry.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.