Zoom Healthcare is a leading provider of remote video and web conferencing services, catering to both businesses and individuals. With Zoom’s innovative platform, companies can seamlessly connect their employees across different locations for online meetings, facilitating effective communication and information sharing. Notably, many healthcare providers have embraced the convenience of Zoom’s services. These providers utilize Zoom for telehealth purposes, enabling them to communicate with fellow providers as well as patients. However, it is essential for healthcare providers utilizing Zoom to ensure its compliance with HIPAA regulations. To meet these requirements, providers must implement a series of measures that align with the HIPAA rules. In this article, we delve into the topic of “Is Zoom HIPAA compliant?” and explore the latest updates regarding HIPAA regulations in 2020. Stay informed by reading further.
*Update: there has recently been considerable debate about the security of using Zoom. For more information on which aspects of Zoom are secure, see our related article on Zoom security.*
Is Zoom HIPAA Compliant? The HIPAA Privacy Rule
Zoom provides remote conferencing services that combine video conferencing, online meetings, chat, and mobile collaboration. When healthcare providers use Zoom, they share protected health information (PHI) through it. Because Zoom performs functions that involve the use or disclosure of a covered entity's PHI, it is regarded as a business associate of that covered entity.
Under the Privacy Rule, a covered entity may disclose PHI to a business associate only after obtaining satisfactory assurances that the business associate will appropriately safeguard that information. These assurances are set forth in a business associate agreement (BAA), which is a contract between the provider and the business associate, in this case Zoom. The contract must describe the permitted and required uses of PHI by the business associate; provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent any use or disclosure of PHI other than as provided for by the contract.
To meet the requirements of the Security Rule, a video conferencing application such as Zoom must offer certain administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
The answer to the question of “Is Zoom HIPAA compliant” is “yes,” because Zoom meets the following required Security Rule measures:
Zoom provides authentication measures. Authentication means implementing procedures to verify that a person or entity seeking access to ePHI is who they claim to be. On its website, Zoom indicates that it supports two common types of authentication:
OAuth 2.0, for authenticating a user context; and
JSON Web Tokens (JWT) for authenticating server-to-server apps. Zoom states on its website that JWT authentication is best used for transmitting data to and from Zoom between trusted services or servers.
Zoom provides access control measures, which the Security Rule requires. Access controls regulate who or what can view or use resources in a computing environment, so that only those with a legitimate need to access ePHI are granted access to it.
Zoom uses end-to-end encryption to secure all communications. End-to-end encryption is necessary to ensure that only the sender and recipient of an electronic message can read its content. The setting "Require Encryption for 3rd Party Endpoints (H323/SIP)" is enabled for all members of an account upon sign-in.
Is Zoom HIPAA Compliant? Other Security Features
Upon signing a BAA with Zoom, the following security measures are applied to the Zoom account:
Cloud Recording will be disabled.
Encrypted chat will be enabled.
The setting “Require Encryption for 3rd Party Endpoints (H323/SIP)” will be enabled for all members of an account.
Text messages will be encrypted.
Offline messages will only be available after all parties initiate a cryptographic key exchange.
For more information on HIPAA compliant teleconferencing tools, see our related article on that topic.