Is Zoom HIPAA Compliant?

Zoom can be HIPAA compliant for HIPAA Covered Entities and Business Associates, but only when the organization uses a Zoom business account that supports a Business Associate Agreement with Zoom Video Communications Inc., enables and applies the available security controls, configures the service to meet HIPAA Security Rule requirements, and limits uses and disclosures of protected health information under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule.

Zoom is a cloud-based video and web conferencing platform that supports meetings, file sharing, collaboration, webinars, and a business instant messaging service. When the platform is used to create, receive, maintain, or transmit protected health information, the platform provider is treated as a business associate, and the covered entity remains accountable for compliant use of the platform by its workforce.

A Business Associate Agreement is the gating requirement for HIPAA compliant use of Zoom with protected health information. Zoom offers a standard Business Associate Agreement for covered entities on selected plans, and the covered entity cannot substitute its own agreement. The agreement functions as a written contract that confirms Zoom’s responsibilities for the privacy and security of protected health information and supports the covered entity’s vendor management documentation for a platform that will handle protected health information.

Configuration and operational controls determine whether a covered entity’s use of Zoom meets HIPAA requirements in practice. Covered entities using Zoom for protected health information are responsible for configuring the platform in compliance with the HIPAA Security Rule, training workforce members on compliant use, and applying role-based rules for when and how protected health information is shared. Zoom’s controls do not prevent all HIPAA violations: a user can still disclose protected health information beyond the minimum necessary or disclose it to an unauthorized person. Workforce workflows should therefore include identity verification steps before protected health information is disclosed during a session in which the other party’s identity is not otherwise established.

Zoom has offered a healthcare-focused service since April 2017, when it announced a scalable cloud-based telehealth service for the healthcare industry, now named Zoom Workplace for Healthcare. The healthcare offering includes access and authentication controls, event logs, and end-to-end AES 256-bit encryption for communications, and it integrates with the Epic electronic health record system to support healthcare workflows. The platform also supports custom integrations that can automate clinical and administrative workflows. In 2022, Zoom announced a partnership with a global telehealth integrator and stated that the platform had been enhanced to support full enterprise healthcare workflows.

Zoom’s contractual and technical commitments should be matched to the covered entity’s governance model. Zoom’s Business Associate Agreement includes statements about reasonable and appropriate safeguards to prevent inappropriate uses and disclosures of protected health information, and it references compliance obligations aligned with the HIPAA Security Rule at 45 CFR Part 164 Subpart C. In 2023, Zoom added an AI Companion to subscription tiers; some AI features are automatically disabled when a covered entity signs a Business Associate Agreement. The Security Officer and Privacy Officer roles are responsible for ensuring that the platform configuration and workforce use align with HIPAA requirements.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]