Zoom provides remote video and web conferencing services for businesses and individuals. Zoom allows employees in different locations to participate in online meetings, in which they can communicate and share information. Many healthcare providers use Zoom to deliver telehealth services, including communicating with other providers and with patients. Providers that use Zoom for healthcare must use it in a way that satisfies the HIPAA rules. This means that providers must take a series of measures, both contractual and technical, that allow their use of Zoom to comply with those rules. The question "Is Zoom HIPAA compliant?" is discussed below.
*Update: recently there has been considerable debate about the security of using Zoom, and the encryption claims discussed below should be read in that light.*
Is Zoom HIPAA Compliant? The HIPAA Privacy Rule
Zoom provides remote conferencing services that combine video conferencing, online meetings, chat, and mobile collaboration. When healthcare providers use Zoom, they share protected health information (PHI) through it. Because Zoom performs functions that involve the use or disclosure of a covered entity's PHI on that entity's behalf, Zoom is a business associate of the covered entity.
Under the Privacy Rule, a covered entity may disclose PHI to a business associate only after obtaining satisfactory assurances that the business associate will appropriately safeguard the information. Those assurances are set forth in a business associate agreement (BAA), which is a contract between the provider and the business associate, in this case Zoom. The contract must describe the permitted and required uses of PHI by the business associate; provide that the business associate will not use or further disclose the PHI other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent any use or disclosure of the PHI other than as provided for by the contract.
To meet the requirements of the Security Rule, a video conferencing application such as Zoom must offer certain administrative, technical, and physical safeguards, to ensure the confidentiality, integrity, and availability of ePHI.
The answer to the question "Is Zoom HIPAA compliant?" is a qualified "yes": no application is HIPAA compliant on its own, but Zoom can be used in a HIPAA-compliant manner when a BAA is in place and the account is configured accordingly, because Zoom offers the following Security Rule measures:
Zoom contains authentication measures. Under the Security Rule, person or entity authentication means implementing procedures to verify that a person or entity seeking access to electronic protected health information is the one he, she or it claims to be. For meeting participants and account users this is handled by Zoom's account login controls, including single sign-on (SAML) and two-factor authentication. For software that integrates with Zoom, Zoom's website describes two authentication methods for its API:
OAuth 2.0, for acting in the context of an authenticated user; and
JSON Web Tokens (JWT) for authenticating server-to-server apps. Zoom states on its website that JWT authentication is best used for transmitting data to and from Zoom between trusted services or servers. (Zoom has since deprecated JWT apps in favor of Server-to-Server OAuth, so an integration built on JWT should be migrated.) Note that these API mechanisms authenticate an integration holding a credential, not a clinician joining a meeting; a provider's authentication controls for staff are the login settings above.
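To make concrete what "JWT authentication for server-to-server apps" means, here is an added example (not Zoom's code) of the general mechanism: a server signs a small set of claims with a shared secret using HMAC-SHA256 and the receiving side recomputes the signature and checks the expiry. The claim names (`iss`, `iat`, `exp`), the key and secret values, and the 60-second lifetime are illustrative assumptions; the security point is that whoever holds the secret can mint valid tokens, so the secret must be protected as carefully as a password and tokens should expire quickly.

```python
"""Minimal HS256 JSON Web Token signing and verification (RFC 7519 / RFC 7515).

Added example, not Zoom's own code. Claim names and the key/secret values are
illustrative assumptions; no third-party library is needed.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWTs use unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(api_key: str, api_secret: str, ttl_seconds: int = 60, now=None) -> str:
    """Issue a token proving possession of api_secret, valid for ttl_seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Assumed claim set: issuer is the API key, plus issued-at and expiry.
    payload = {"iss": api_key, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(api_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, api_secret: str, now=None) -> dict:
    """Return the payload if the token is authentic and unexpired, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Only accept the algorithm we issue with; never let the token choose
    # (this is what defeats the classic alg=none / algorithm-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(api_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking leaks no timing information.
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("expired")
    return payload


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    token = make_jwt("EXAMPLE_API_KEY", "example-secret")
    print(token)
    print(verify_jwt(token, "example-secret"))
```

The verifier pins the algorithm, compares signatures in constant time and rejects tokens without an expiry; a real integration would also bind the token to the intended audience and rotate the secret on any suspicion of exposure.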
Zoom contains access control measures. The Security Rule requires access controls, which regulate who or what can view or use resources in a computing environment, so that only those with a legitimate need to access ePHI are given access to it. In Zoom these include account roles and permissions for administrators and users, and meeting-level controls such as passcodes, waiting rooms and host-only screen sharing.
Zoom encrypts communications in transit. End-to-end encryption, properly speaking, means that only the sender and recipient of a message can read its content and the service operator cannot. Zoom's marketing has described its meeting encryption as "end-to-end", but at the time of writing meeting audio and video are encrypted between each client and Zoom's servers, which hold the keys; Zoom has acknowledged this, and a true end-to-end encryption mode for meetings was only added later as an optional setting that disables some features. The setting "Require Encryption for 3rd Party Endpoints (H323/SIP)", which is enabled for all members of an account once a BAA is signed, forces encryption for third-party room systems joining over SIP or H.323; it does not by itself make a meeting end-to-end encrypted. A provider relying on encryption to protect ePHI should therefore verify which mode its account actually uses.
Is Zoom HIPAA Compliant? Other Security Features
Upon signing a BAA with Zoom, the following security settings are applied to the Zoom account:
Cloud Recording will be disabled.
Encrypted chat will be enabled.
The setting “Require Encryption for 3rd Party Endpoints (H323/SIP)” will be enabled for all members of an account.
Text messages will be encrypted.
Offline messages will only be available after all parties initiate a cryptographic key exchange.