Zoom provides remote video and web conferencing services for businesses and individuals. It allows employees in different locations to participate in online meetings in which they can communicate and share information. Many healthcare providers use Zoom to deliver telehealth services, including communicating with other providers and with patients. Providers using Zoom for healthcare must make their use of Zoom HIPAA compliant: they must take a series of measures that allow the use of Zoom to comply with the HIPAA rules. The question “Is Zoom HIPAA compliant?” is discussed below.
*Update: there has recently been a great deal of debate about the security of using Zoom. For more information on which aspects of Zoom are secure, see the separate article on Zoom security.*
Is Zoom HIPAA Compliant? The HIPAA Privacy Rule
Zoom provides remote conferencing services that combine video conferencing, online meetings, chat, and mobile collaboration. When using Zoom, healthcare providers share protected health information (PHI). Zoom, since it performs functions that involve the use or disclosure of a covered entity’s protected health information (PHI), is regarded as a business associate of that covered entity.
Under the HIPAA Privacy Rule, a healthcare provider must obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. This applies to Zoom because protected health information includes electronic protected health information (ePHI): any PHI that is created, stored, transmitted, or received in any electronic format or medium, such as phone calls.
The satisfactory assurances that must be obtained are set forth in a business associate agreement, which is a contract between a provider and a business associate – in this case, Zoom. The contract must describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent any use or disclosure of the protected health information other than as provided for by the contract.
Zoom has stated that it is prepared to sign a business associate agreement with healthcare organizations. Zoom also has taken steps to ensure its platform incorporates all of the necessary security controls to satisfy the HIPAA Security Rule.
Is Zoom HIPAA Compliant? The HIPAA Security Rule
To meet the requirements of the Security Rule, a video conferencing application such as Zoom must offer certain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
The answer to “Is Zoom HIPAA compliant?” is “yes,” because Zoom meets the following required Security Rule measures:
- Zoom contains authentication measures. Authentication consists of implementing procedures to verify that a person or entity seeking access to electronic protected health information is who he or she claims to be. Zoom, on its website, indicates that it provides two common types of authentication:
  - OAuth 2.0, for authenticating a user context; and
  - JSON Web Tokens (JWT), for authenticating server-to-server apps. Zoom states on its website that JWT authentication is best used for transmitting data to and from Zoom between trusted services or servers.
- Zoom contains access control measures, which the Security Rule requires. Access controls regulate who or what can view or use resources in a computing environment, so that only those with a legitimate need to access ePHI are given access to that ePHI.
- Zoom uses end-to-end encryption to secure all communications. End-to-end encryption is necessary to ensure that only the sender and recipient of an electronic message can read the content of that message. The setting “Require Encryption for 3rd Party Endpoints (H323/SIP)” is enabled for all members of an account upon sign in.
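The server-to-server JWT item above is where a trusted service proves its identity to an API. The following example, added here and not code from Zoom or from the original article, shows what an HS256 JWT of that shape looks like and, more importantly, how the receiving side should verify it: pinning the algorithm, comparing the signature in constant time, and rejecting expired tokens. It uses only the Python standard library so it runs offline; the `iss` (issuer) and `exp` (expiry) claims follow the layout Zoom documented for its JWT apps, but the API key and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder credentials. A real JWT app would have its own
# API key and secret; these values are made up for this example.
API_KEY = "EXAMPLE_API_KEY"
API_SECRET = b"EXAMPLE_API_SECRET_replace_me"


def _b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(api_key: str, secret: bytes, now: int, ttl_seconds: int = 60) -> str:
    """Build an HS256 JWT carrying an iss (issuer) and exp (expiry) claim.

    The short default TTL is deliberate: a token that leaks from a log or a
    proxy is only useful until it expires.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": api_key, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Verify an HS256 JWT the way a relying server should.

    Returns the payload on success, or None when the token is malformed,
    names an unexpected algorithm, carries a bad signature, or has expired.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm on the verifier side. Selecting the check from the
    # token's own "alg" field is what lets "alg": "none" tokens skip the
    # signature entirely.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, signature):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


if __name__ == "__main__":
    t0 = int(time.time())
    token = mint_jwt(API_KEY, API_SECRET, t0)
    print(verify_jwt(token, API_SECRET, t0))        # payload dict: valid
    print(verify_jwt(token, API_SECRET, t0 + 120))  # None: expired
    print(verify_jwt(token, b"wrong-secret", t0))   # None: bad signature
```

The verifier never reads the algorithm from the token to decide how to check it, and it treats a missing or non-integer `exp` as a failure rather than as "never expires"; both are the checks a server-to-server integration most often gets wrong.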
Is Zoom HIPAA Compliant? Other Security Features
Upon signing a BAA with Zoom, the following security measures are enacted on a Zoom account:
- Cloud Recording will be disabled.
- Encrypted chat will be enabled.
- The setting “Require Encryption for 3rd Party Endpoints (H323/SIP)” will be enabled for all members of an account.
- Text messages will be encrypted.
- Offline messages will only be available after all parties initiate a cryptographic key exchange.