Is Zoom HIPAA-Compliant?

March 30th, 2020

Zoom is an extremely popular video-conferencing platform. Many healthcare organizations may be wondering: Is Zoom HIPAA-compliant?

While it is true that HIPAA compliance requirements around telehealth (which includes video teleconferencing) were relaxed for the duration of the Covid-19 pandemic, the pandemic will eventually end. Companies that have invested time and money in accelerating their telehealth infrastructure would prefer not to have to change everything because they chose a non-compliant solution. Now compliance is “back on the table.”

If your healthcare organization processes ePHI and uses video-conferencing and calls to enable people to work from home, it must know whether Zoom is HIPAA-compliant.

What Is Zoom Video Communications?

Zoom Video Communications is a company that offers a range of different services, mainly associated with video calls, video-conferencing, and other types of online collaboration. It has become quite popular over the past few years, particularly for business use, so it may be appealing for healthcare organizations to adopt.

Do Video Call Solutions Like Zoom Need to Be HIPAA-Compliant?

Any covered entity that processes electronic protected health information (ePHI) on behalf of others needs to be aware of the HIPAA regulations and deal with the data appropriately.

HIPAA regulations apply when data is collected, stored, and transmitted by email or other technologies. This includes video calls and conferences. Perhaps this is easy to overlook because many organizations don’t store the video data from calls – but that doesn’t mean the information can’t be intercepted by attackers or accidentally leaked, both of which can have significant repercussions for victims.

If a video calling platform is not HIPAA-compliant and is poorly secured, attackers can insert themselves and either access or record calls. Cybercriminals can then use this information in various crimes, ranging from extortion to identity theft.

Organizations that violate HIPAA can meet severe penalties, including up to $50,000 for each civil violation or up to $250,000 and 10 years imprisonment for each criminal violation.

Is Zoom HIPAA-Compliant for Video Calls & Teleconferences?

The short answer is not necessarily, but Zoom HIPAA compliance is possible. The first thing that you need to know is that the standard offerings of Zoom are not HIPAA-compliant.

Why aren’t these standard Zoom offerings HIPAA-compliant? The simple answer is that they were designed for other purposes, which means that healthcare organizations should never use them for any calls that could involve ePHI.

If organizations are set on using Zoom, there is a HIPAA-compliant option – Zoom for Healthcare. However, there are strings attached. Users need to pay for licenses instead of using the free version of Zoom. In addition, organizations must sign a business associate agreement (BAA) with Zoom. This is a contract that stipulates the conditions of use and where responsibility lies.

If your organization does choose Zoom, it needs to make sure that it only uses the service within the confines of the BAA.

What Else Should I Know?

Choosing Zoom for Healthcare is a perfectly acceptable option for HIPAA compliance. However, one item that is often overlooked is email notifications. How are patients receiving links to video conferences? HIPAA compliance is needed for appointment reminders, and telehealth appointment notifications are no exception. LuxSci’s Secure High Volume Email is an excellent option for sending HIPAA-compliant emails via SMTP or API. Contact us to learn more.