Is Zoom HIPAA Compliant?

May 09, 2025

Patients and physicians have started to notice the benefits of telehealth: comfort, time savings, and improved follow-up care. Telemedicine is growing by over 10% annually, on track to nearly double from $94 billion in 2024 to $180 billion in 2030. Video conferencing platforms like Zoom and Google Meet can be an excellent investment for hospitals and HMOs, but HIPAA requirements apply. This guide explains what features your organization needs to use for Zoom to be HIPAA compliant.

Is Zoom a HIPAA-Compliant Platform?


Zoom can be HIPAA compliant, but your organization must choose the right enterprise plan, configure Zoom for HIPAA, and follow privacy and cybersecurity best practices for telehealth. When configured correctly, Zoom enables healthcare organizations to follow the HIPAA Security Rule, Privacy Rule, and other requirements, keeping Protected Health Information safe and secure.

However, achieving HIPAA compliance isn’t just about platform cybersecurity. To meet HIPAA privacy and security regulations, your employees have to take precautions to avoid accidental or unauthorized disclosures of PHI. In other words, HIPAA compliance for Zoom is 50% technology and 50% how you use it.

Cybersecurity Compliance

With the rise of ransomware attacks, data breaches, and other cyber threats to the healthcare industry, it’s understandable to want to dig deeper into Zoom’s reputation for data security. Zoom has excellent credentials on this front:

  • HITRUST certification: A leading cybersecurity framework for healthcare and HIPAA compliance in the United States
  • ISO 27001 and ISO 27018: Globally recognized and exceptionally strict standards for data security
  • SOC 2 Type 2 attestation: Annual assessments to show ongoing IT and data security compliance
  • PCI DSS compliance: Security standards for the payment card industry

Robust cybersecurity is a key part of HIPAA compliance. These certifications and attestations show that the design and features of Zoom’s platform have been independently assessed against widely recognized cybersecurity standards.

The History of Zoom and Telemedicine

Zoom launched in 2011, gradually increasing its features and services. During the COVID-19 pandemic, the platform’s users and quarterly revenues surged by over 550%, from just $30 million in 2017 to more than $165 million in 2019. By July of 2021, Zoom had crossed the $1 billion threshold.

HIPAA regulations have been around for more than two decades. In 2017, Zoom launched a version of its product designed with HIPAA compliance in mind. The platform’s current iterations are called Zoom Workplace for Healthcare and Zoom Workplace for Clinicians.

As of 2024, more than 190,000 enterprise businesses were Zoom clients. According to the platform’s statistics, more than 75% of major U.S. health systems and hospitals use Zoom.

What Are HIPAA Requirements for Zoom?


The HIPAA Security Rule requires healthcare organizations to protect the integrity of PHI, keep it secure, and prevent unauthorized access. This requirement also applies to telehealth platforms like Zoom and Microsoft Teams.

The HIPAA Privacy Rule stipulates that medical providers have to limit the disclosure of patient data to the minimum necessary for treatment and patient services. You also have to make medical records available to patients.

Administrative, Technical, and Physical Safeguards

Zoom’s healthcare-focused platform complies with HIPAA security requirements for administrative, technical, and physical safeguards:

  • Administrative safeguards: Configuration tools, admin settings, and logs
  • Technical safeguards: End-to-end encryption, Transport Layer Security (TLS) for data in transit, Zoom Phone text messaging systems, and integrations with electronic health record systems
  • Physical safeguards: User passwords, password-protected video chat sessions, multifactor authentication, and other platform controls

Not all of these controls are available with the free version of Zoom. This means even smaller clinics need at least a Pro subscription (per user) for Zoom to be HIPAA compliant.

Access Control for HIPAA Compliance

Zoom has extensive access control features at the administrative, platform, and clinician levels. You can create IDs and passwords for individual doctors to access Zoom Meetings, Zoom Phone, Zoom Scheduler, Mail, and other services. Physicians can lock meetings once the patient has connected, preventing outside parties from joining.

Encryption

Zoom’s end-to-end (E2E) encryption uses AES-256 to safeguard video, audio, files, and other data shared over the platform. This is the same level of encryption the U.S. government uses for sensitive data.

Business Associate Agreement

All HIPAA covered entities must have a Business Associate Agreement (BAA) with third-party providers (e.g., Zoom, Microsoft, Epic) that process PHI. Zoom has a standard BAA that it provides to healthcare companies, but it doesn’t accept custom BAAs.

Tools for Patient Privacy and Access to Records

To maintain HIPAA compliance, many healthcare organizations use an EHR platform to organize and store patient records, such as Epic, Phreesia, NextPatient, and Nimbo. Zoom can integrate with these platforms to store copies of telehealth sessions or share test results securely during a telehealth visit. These features are necessary to comply with HIPAA requirements for making records available to patients.

Is Zoom Appropriate for Telehealth?


Many doctors and specialists use Zoom for telemedicine, including patient visits and consultations with colleagues. That said, to avoid HIPAA violations, health professionals and healthcare organizations must be careful how they configure Zoom for HIPAA telehealth guidelines:

  • Secure configuration: Platform settings must prevent outside users from joining. Each physician should have a unique user account and password.
  • Private sessions: Telehealth appointments must be locked to everyone except the doctor and the patient.
  • Waiting room: Zoom’s waiting room feature allows doctors to confirm the patient’s identity and ensure the person is alone (or obtain consent) before starting the appointment.
  • HIPAA-compliant links: Patients don’t need to install Zoom on their devices. By opening Zoom from a HIPAA-compliant link sent by the doctor, participants access a secure environment.

One common HIPAA violation in telehealth occurs when session video is shared or recorded by participants. Make sure screen sharing on Zoom is restricted to the doctor/session administrator, disable participant recording, and place a secure copy of the appointment in the patient’s records instead.
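The configuration guidance above (waiting room, locked sessions, passcodes, host-only screen sharing, no participant recording) is easiest to keep in place if it is checked automatically rather than by hand. The following Python script is an added example, not code from this article or from Zoom: it audits a user's settings document against a telehealth baseline and reports every deviation or missing setting. The key names are an assumption modeled on the general shape of Zoom's user-settings API, and the settings document is a constructed sample; verify the key names against your own tenant's API output before relying on this.

```python
"""Audit a Zoom user's meeting settings against a telehealth baseline.

Added example, not code from the article or from Zoom. The key names are
ASSUMED to mirror the shape of Zoom's user-settings API (schedule_meeting,
in_meeting, recording); confirm them against your tenant before use.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    path: str         # dotted path into the settings document
    expected: object  # value the telehealth baseline requires
    rationale: str    # which configuration guideline the control enforces


# Baseline derived from the guidance above: waiting room on, no join-before-host,
# passcodes required, sharing restricted to the host, participant recording off.
BASELINE = (
    Control("in_meeting.waiting_room", True,
            "confirm identity before the session starts"),
    Control("schedule_meeting.join_before_host", False,
            "no unattended patients in the meeting"),
    Control("schedule_meeting.require_password_for_scheduling_new_meetings", True,
            "passcode-protected sessions"),
    Control("in_meeting.who_can_share_screen", "host",
            "screen sharing limited to the clinician"),
    Control("recording.local_recording", False,
            "participants cannot record locally"),
)


def lookup(doc, path):
    """Return (found, value) for a dotted path; a missing key is a finding, not a crash."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def audit(settings, baseline=BASELINE):
    """Return a list of findings; an empty list means the settings match the baseline."""
    findings = []
    for c in baseline:
        found, value = lookup(settings, c.path)
        if not found:
            findings.append(f"{c.path}: not present in settings ({c.rationale})")
        elif value != c.expected:
            findings.append(
                f"{c.path}: is {value!r}, expected {c.expected!r} ({c.rationale})")
    return findings


# Constructed sample: a clinician account with two deviations from the baseline
# (join-before-host enabled and screen sharing open to all participants).
SAMPLE_SETTINGS = {
    "schedule_meeting": {
        "join_before_host": True,
        "require_password_for_scheduling_new_meetings": True,
    },
    "in_meeting": {
        "waiting_room": True,
        "who_can_share_screen": "all",
        "screen_sharing": True,
    },
    "recording": {"local_recording": False, "cloud_recording": True},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_SETTINGS):
        print("FINDING:", line)
```

Run it against the JSON returned for each clinician account on a schedule and treat any non-empty result as a ticket for the Zoom administrator; reporting absent keys as findings matters because a plan or API change that drops a setting should never silently pass as compliant.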

Is Zoom HIPAA-Compliant in Your Organization?

Even though Zoom has cutting-edge tools for cybersecurity and telemedicine, it’s not HIPAA-compliant out of the box. Your organization must have the proper policies in place, understand how to configure Zoom controls, and train staff in proper telehealth practices. That’s where a comprehensive compliance platform like Compyl comes in. See why healthcare organizations around the world use Compyl for HIPAA compliance every day.
