Are Zoom Video Meetings HIPAA Compliant?

Prior to the coronavirus outbreak, most experts assumed that Zoom, a video conferencing service widely used for telehealth, offered HIPAA-compliant video meetings. Since the outbreak, an admission by Zoom that end-to-end encryption does not extend to Zoom video meetings has cast that assumption into doubt.

What Problems Have Been Discovered with Zoom Video Meetings?

Zoom provides remote video and web conferencing services for businesses and individuals. Since the COVID-19 outbreak, use of Zoom video meetings has become particularly popular with telehealth providers. The use of telehealth has increased dramatically since the outbreak began. In recognition of this reality, the Department of Health and Human Services (HHS) announced it would apply enforcement discretion with respect to communications made during provision of telehealth services. Specifically, HHS announced that telehealth providers will not be subject to certain HIPAA fines in providing remote telehealth communications.


Under its notice of enforcement discretion, HHS stated that health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that the Office for Civil Rights might impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Notably, HHS stated that OCR would not impose penalties against covered health care providers for the lack of a business associate agreement with a video communication vendor.

At the time of the announcement, Zoom did not appear to present a compliance issue in the first place. Zoom had for several years publicly represented that it would sign a business associate agreement with healthcare organizations. Zoom also had represented that it had taken steps to ensure its platform incorporated all of the necessary security controls to satisfy the HIPAA Security Rule.

Zoom had stated that its application contained the following security features (among others):

  • Authentication measures: OAuth 2.0 for authenticating a user context, and JSON Web Tokens (JWT) for authenticating server-to-server apps.
  • Access control measures: These measures regulate who or what can view or use resources during a Zoom meeting.
  • End-to-End Encryption: End-to-end encryption is necessary to ensure only the sender and recipient of an electronic message can read the content of that message. Specifically, Zoom had represented that “As long as you make sure everyone in a Zoom meeting connects using ‘computer audio’ instead of calling in on a phone, the meeting is secured with end-to-end encryption.”

That representation about end-to-end encryption turned out to be not entirely accurate. For a video meeting to have genuine end-to-end encryption, as that term is understood by cybersecurity professionals, the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it. In other words, the platform (Zoom) must not be able to decrypt it. While the platform might handle the encrypted meeting content as it relays it, the platform would not hold the encryption keys needed to decrypt that content. Without the keys, Zoom cannot listen in on a private meeting.

Instead, what Zoom offers, it turns out, is called transport encryption: something that looks like end-to-end encryption and smells like end-to-end encryption, but is not.

With transport encryption, the content is protected only on its way between each participant and the platform; the platform or service itself is able to access the unencrypted video and audio content of a telehealth meeting. While the meeting takes place, an outside party intercepting the traffic cannot spy on the meeting, but Zoom can, since it has access to the content. Having access to content allows Zoom to mine or sell user data.

According to an investigative report by theintercept.com, the only feature of Zoom that does appear to be end-to-end encrypted is in-meeting text chat. “Zoom E2E chat encryption allows for a secured communication where only the intended recipient can read the secured message,” a Zoom whitepaper states. “Zoom uses public and private keys to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices.” A Zoom spokesperson wrote, “When end-to-end encryption for chat is enabled, the keys are stored on the local devices and Zoom does not have access to the keys to decrypt the data.”
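The difference between transport encryption and end-to-end encryption described above, and the chat design quoted from the whitepaper (keys held only on the participants' devices), come down to one question: does the relay ever hold a key that opens the content? The following Go program is an added illustration written for this article, not Zoom's code or a description of Zoom's actual protocol. It models three constructed parties (Alice, Bob, and a relay) and uses X25519 key agreement with AES-256-GCM as stand-in primitives; Zoom's real key management is not specified on this page. In the transport model the relay holds a separate session key with each client, decrypts the message on the way in and re-encrypts it on the way out, so the plaintext exists on the relay. In the end-to-end model the relay forwards only public keys and ciphertext, and its attempt to decrypt fails the authentication check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must unwraps a (value, error) pair, panicking on error. This is a demo of
// a key-handling model, so a failed primitive has no sensible recovery.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey generates one party's X25519 key pair (constructed for this example).
func newKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// sessionKey derives a 256-bit AES key from the X25519 shared secret between
// me and peer. Both holders of the two private keys compute the same key;
// anyone holding neither cannot. SHA-256 stands in for a real KDF.
func sessionKey(me *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	k := sha256.Sum256(must(me.ECDH(peer)))
	return k[:]
}

// seal encrypts with AES-256-GCM and prefixes the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal. Under any wrong key the GCM tag check fails, so a party
// without the right key gets an error rather than garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// transportMode models hop-by-hop protection: each client shares a key with
// the relay only, so the relay must decrypt Alice's message to re-encrypt it
// for Bob. Returns what Bob received and what the relay was able to read.
func transportMode(msg string) (bobGot, relaySaw string) {
	alice, bob, relay := newKey(), newKey(), newKey()
	hop1 := seal(sessionKey(alice, relay.PublicKey()), []byte(msg)) // Alice -> relay
	plain := must(open(sessionKey(relay, alice.PublicKey()), hop1)) // relay decrypts
	relaySaw = string(plain)                                        // plaintext on the relay
	hop2 := seal(sessionKey(relay, bob.PublicKey()), plain)         // relay -> Bob
	bobGot = string(must(open(sessionKey(bob, relay.PublicKey()), hop2)))
	return bobGot, relaySaw
}

// e2eMode models end-to-end protection: Alice and Bob derive their key from
// each other's public keys, and the relay only forwards bytes. Returns what
// Bob received and whether the relay managed to decrypt the message.
func e2eMode(msg string) (bobGot string, relayCanRead bool) {
	alice, bob, relay := newKey(), newKey(), newKey()
	ct := seal(sessionKey(alice, bob.PublicKey()), []byte(msg))
	// The relay's best effort is a key from its own private key and Alice's
	// public key. That is not the Alice/Bob key, so the GCM tag check fails.
	if _, err := open(sessionKey(relay, alice.PublicKey()), ct); err == nil {
		relayCanRead = true
	}
	bobGot = string(must(open(sessionKey(bob, alice.PublicKey()), ct)))
	return bobGot, relayCanRead
}

func main() {
	msg := "constructed sample: visit notes for a telehealth session"
	got, saw := transportMode(msg)
	fmt.Printf("transport: bob=%q relay read=%q\n", got, saw)
	got, canRead := e2eMode(msg)
	fmt.Printf("e2e:       bob=%q relay could decrypt=%v\n", got, canRead)
}
```

The point for a compliance reviewer is the second model's remaining weak spot: the relay forwards the public keys, so unless participants can verify each other's keys out of band (fingerprints, a trusted directory, or a device-bound key as the whitepaper describes), a relay could substitute its own keys and the "end-to-end" label would be hollow. That is why claims of end-to-end encryption should be checked for how keys are generated, where they are stored, and how participants verify them, not just for whether the word appears in a whitepaper.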

Can I Still Use Zoom for Video Meetings?

In the Notice of Enforcement Discretion, HHS drew a line between non-public-facing platforms and public-facing platforms, noting that penalties would not be imposed for good-faith use of non-public-facing applications. HHS specifically listed Zoom as an example of a non-public-facing application. The Notice stated that the enforcement discretion would not apply to use of public-facing platforms, however: “Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.”

Since HHS has stated that reliance on the Notice of Enforcement Discretion constitutes “acting in good faith,” and since the Notice has not been updated to reflect the recent developments about Zoom, use of Zoom video meetings remains permitted, for now, under the Notice. However, healthcare providers should exercise caution when using Zoom for video meetings.