Let Us Guide You Through Your InfoSec & Compliance Journey.
Learn how to use the Compyl Platform.
Watch all Security Session Episodes
Real-world stories on how we help our customers.
Patients and physicians have started to notice the benefits of telehealth: comfort, time savings, and improved follow-up care. Telemedicine is growing by over 10% annually, on track to nearly double from $94 billion in 2024 to $180 billion in 2030. Video conferencing platforms like Zoom and Google Meet can be an excellent investment for hospitals and HMOs, but HIPAA requirements apply. This guide explains what features your organization needs to use for Zoom to be HIPAA compliant.
Zoom can be HIPAA compliant, but your organization must choose the right enterprise plan, configure Zoom for HIPAA, and follow privacy and cybersecurity best practices for telehealth. When configured correctly, Zoom enables healthcare organizations to follow the HIPAA Security Rule, Privacy Rule, and other requirements, keeping Protected Health Information safe and secure.
However, achieving HIPAA compliance isn’t just about platform cybersecurity. To meet HIPAA privacy and security regulations, your employees have to take precautions to avoid accidental or unauthorized disclosures of PHI. In other words, HIPAA compliance for Zoom is 50% technology and 50% how you use it.
With the rise of ransomware attacks, data breaches, and other cyber threats to the healthcare industry, it’s understandable to want to dig deeper into Zoom’s reputation for data security. Zoom has excellent credentials on this front:
Robust cybersecurity is a key part of HIPAA compliance. These certifications show that the design and features of Zoom’s platform meet the highest cybersecurity standards possible.
Zoom launched in 2011, gradually increasing its features and services. During the COVID-19 pandemic, the platform’s users and quarterly revenues surged by over 550%, from just $30 million in 2017 to more than $165 million in 2019. By July of 2021, Zoom had crossed the $1 billion threshold.
HIPAA regulations have been around for more than two decades. In 2017, Zoom launched a version of its product designed with HIPAA compliance in mind. The platform’s current iterations are called Zoom Workplace for Healthcare and Zoom Workplace for Clinicians.
As of 2024, more than 190,000 enterprise businesses were Zoom clients. According to the platform’s statistics, more than 75% of major U.S. health systems and hospitals use Zoom.
The HIPAA Security Rule requires healthcare organizations to protect the integrity of PHI, keep it secure, and prevent unauthorized access. This requirement also applies to telehealth platforms like Zoom and Microsoft Teams.
The HIPAA Privacy Rule stipulates that medical providers have to limit the disclosure of patient data to the minimum necessary for treatment and patient services. You also have to make medical records available to patients.
Zoom’s healthcare-focused platform complies with HIPAA security requirements for administrative, technical, and physical safeguards:
Not all of these controls are available with the free version of Zoom. This means even smaller clinics need at least a Pro subscription (per user) for Zoom to be HIPAA compliant.
Zoom has extensive access control features at the administrative, platform, and clinician levels. You can create IDs and passwords for individual doctors to access Zoom Meetings, Zoom Phone, Zoom Scheduler, Mail, and other services. Physicians can lock meetings once the patient has connected, preventing outside parties from joining.
Zoom’s E2E encryption uses AES-256-bit encryption to safeguard video, audio, files, and other data shared over the platform. This is the same level of encryption the U.S. government uses for sensitive data.
All HIPAA covered entities must have a Business Associate Agreement with third-party providers (e.g., Zoom, Microsoft, Epic) that process PHI. Zoom has a standard BAA that it provides to healthcare companies, but it doesn’t accept custom BAAs.
To maintain HIPAA compliance, many healthcare organizations use an EHR platform to organize and store patient records, such as Epic, Phreesia, NextPatient, and Nimbo. Zoom can integrate with these platforms to store copies of telehealth sessions or share test results securely during a telehealth visit. These features are necessary to comply with HIPAA requirements for making records available to patients.
Many doctors and specialists use Zoom for telemedicine, including patient visits and consultations with colleagues. That said, to avoid HIPAA violations, health professionals and healthcare organizations must be careful how they configure Zoom for HIPAA telehealth guidelines:
One common HIPAA violation for telehealth is when patients share or record video of the session. Make sure screen sharing is disabled on Zoom (except for the doctor/session administrator), and place a secure copy of the appointment in the patient’s records instead.
Even though Zoom has cutting-edge tools for cybersecurity and telemedicine, it’s not HIPAA-compliant out of the box. Your organization must have the proper policies in place, understand how to configure Zoom controls, and train staff in proper telehealth practices. That’s where a comprehensive compliance platform like Compyl comes in. See why healthcare organizations around the world use Compyl for HIPAA compliance every day.
