In the midst of the coronavirus crisis and with many working from home, many businesses may be wondering: Is Zoom HIPAA-compliant?
While it is true that President Trump has relaxed HIPAA-compliance requirements around telehealth (which includes video teleconferencing) for the duration of the Covid-19 pandemic, the pandemic will eventually end and companies who have invested time and money accelerating their telehealth infrastructure would prefer to not have to change everything because they chose a non-compliant solution and now compliance is “back on the table.” We’re all slightly on edge and out of rhythm at the moment, but HIPAA regulations and the immense costs of data breaches for telehealth will be back.
The situation is serious, and we need to act quickly to put ourselves in the best position to ride this out. But we also need to be careful with our decision-making and ensure that these changes don’t have any disastrous effects.
If your company is involved in processing ePHI and intends to use video-conferencing and calls to allow people to work from home, it needs to know whether Zoom is HIPAA-compliant.
What Is Zoom Video Communications?
Zoom Video Communications is a company behind a range of different services, mainly associated with video calls, video-conferencing and other types of online collaboration. It has become quite popular over the past few years, particularly for business use, so it may be the first platform organizations turn to now that many employees are working from home.
Do Video Call Solutions Like Zoom Need to Be HIPAA-Compliant?
If your organization is involved in healthcare or it processes electronic protected health information (ePHI) on behalf of others, then it needs to be cognizant of the HIPAA regulations and always deal with the data appropriately.
This applies when data is collected, stored, and transmitted, whether by email or any other type of technology. This includes video calls and conferences. Perhaps this is easy to overlook, because many of us don’t personally store the video data from our calls – but that doesn’t mean the information can’t be intercepted by attackers or accidentally leaked, both of which can have significant repercussions for victims.
If a video calling platform is not HIPAA-compliant and is poorly secured, it’s possible for attackers to insert themselves and either access or record calls. This information can then be used in a range of crimes, ranging from extortion to identity theft.
Organizations that are found to violate HIPAA can be met with severe penalties, including up to $50,000 for each civil violation, or up to $250,000 and 10 years imprisonment for each criminal violation.
Is Zoom HIPAA-Compliant for Video Calls & Teleconferences?
The short answer is not necessarily, but Zoom HIPAA compliance is possible. The first thing that you need to know is that the standard offerings of Zoom are not HIPAA-compliant.
Why aren’t these types of Zoom HIPAA-compliant? The simple answer is that they were designed for other purposes, which means that they should never be used for any calls that could involve ePHI.
If you’re a diehard Zoom fan, then you’re not completely out of luck, because one of its offerings – Zoom for Healthcare – is HIPAA-compliant. However, there are strings attached. As with any service that your organization shares its ePHI with, a business associates agreement (BAA) needs to be signed with the company. This is a contract that stipulates the conditions and where responsibility lies.
If your organization does choose Zoom, it needs to make sure that it only uses its service within the confines of the BAA.
Are There Other Platforms Apart from Zoom for HIPAA-Compliant Video Calls?
Zoom for Healthcare may not fit every organization’s work flows and HIPAA compliance needs, but thankfully there are alternatives.
LuxSci Secure Video is one option. Secure Video is built on top of Zoom for Healthcare (so it uses all the same applications and distributed infrastructure that everyone is used to) and has scheduling, work flows, payment processing, and other features that make it especially useful for sessions with patents and for group meetings where sensitive information will be discussed.