Is Zoom HIPAA Compliant? Here’s Everything You Need To Know

In 2020, Zoom exploded in popularity so much that its brand became the standard phrase for video conferencing. “Let's have a Zoom session,” has become as common as, "Just Google it." 

For this reason, many healthcare providers now use Zoom to get in touch with their clients and patients. But is Zoom HIPAA compliant? 

To answer this question: yes, the web conferencing platform complies with HIPAA rules and regulations. This blog post will look at how Zoom remains compliant with the HIPAA Privacy Rule, and the measures it has taken to ensure private health information is secure.

Note: If you want to make sure you are compliant with all of the rules, check out EasyLlama's training for HIPAA compliance. Our bite-sized videos will make sure your workplace is protected from violations and costly fines. Get in touch with us today for a free trial.

HIPAA Compliance Explained

HIPAA stands for the Health Insurance Portability and Accountability Act; it helps provide data privacy and security provisions for safeguarding medical information. Its rules apply to health plans, health care clearinghouses, and those health care providers that conduct certain financial and administrative transactions electronically.

HIPAA Privacy Rule requires doctors, hospitals, and other health care providers to tell patients how they use and disclose their health information, gives patients the right to examine and obtain a copy of their health records, and sets limits on who can access patient information.

The goal of HIPAA is to protect patients' medical records and other identifiable health information, even if it is held by a private company, such as an electronic health records provider.

That said, to fully understand how Zoom is HIPAA compliant, you’ll need to get acquainted with these terms: 

  • PHI and ePHI
  • Business associate 
  • Business associate agreement 

PHI and ePHI

HIPAA Rules protect patient privacy by prohibiting the unauthorized sharing of Protected Health Information (PHI). Under HIPAA, any identifiable health information that is used, kept, stored, or transmitted is referred to as "PHI."

This includes date of birth, payment information, social security number, spoken information, electronic records, and physical documents. Essentially, any information that can be used to identify who a patient is falls under PHI.

On the other hand, ePHI stands for Electronic Protected Health Information. Any data that is electronic in nature and that:

  • identifies an individual; or
  • has been created, modified, maintained, or transmitted by using electronic media

is considered ePHI under HIPAA.

The use of computer technology means that PHI is now shared and accessible electronically, instead of on paper. This electronic nature is what constitutes ePHI under HIPAA rules and regulations.

Business Associate

Under HIPAA, a business associate is any person or entity that provides services to a covered entity that involve the use or disclosure of PHI.

If you work for a healthcare provider, then you would be considered a business associate under HIPAA. Any third-party contractor who handles PHI for this type of business would also be considered a HIPAA business associate.

This is why Zoom falls under the ‘business associate’ category, as medical professionals are likely sharing PHI through the platform. Zoom is, therefore, the partner of a covered entity in such situations. Covered entities include healthcare providers, payers, clearinghouses, and their business associates. 

Business Associate Agreement 

A business associate agreement is a contract that HIPAA covered entities must have with their business associates. This contract spells out the activities that the business associate will be undertaking, how it will protect patient privacy, and what security measures it will take.

To subscribe to Zoom for Healthcare -- which we’ll talk about below -- you’ll have to sign a business associate agreement, which means that Zoom complies with HIPAA regulations. 

Now that you understand the HIPAA terms that you’ll likely come across, here are the HIPAA regulations for video:

  • Confidentiality, integrity, and availability must all be maintained for electronic PHI generated, received, or transmitted by a covered entity
  • Any reasonably anticipated risks or hazards to information security or integrity must be avoided
  • Any uses or disclosures of such information that are not permitted under the privacy regulations must be prevented

So, does Zoom comply with these HIPAA rules and regulations for video?

How Is Zoom HIPAA Compliant? Breaking Down the Requirements

The following are measures Zoom has taken to avoid HIPAA violations and remain compliant with the rules: 

  • Zoom uses authentication procedures to guarantee that each user on the platform is who they claim to be, ensuring that ePHI is secure.
  • Zoom employs two kinds of authentication: OAuth 2.0 and JSON Web Tokens. User content is handled using OAuth, while server-to-server communication is handled by web tokens.
  • To guarantee that no one intercepts the data shared when health professionals are on a video call, Zoom uses end-to-end encryption.
  • Access control measures, which are a requirement under the HIPAA Security Rule, are used by Zoom to limit who can access data that has been shared. This is significant because only authorized people who need to see the information may view it.

Zoom for Healthcare

Zoom for Healthcare is a web-based virtual care video conferencing solution that allows patients to connect with their healthcare provider, via their mobile device, tablet, or personal computer, at home, or wherever they choose.

Zoom for Healthcare is the only HIPAA-compliant conference call solution on the market that allows many participants in a HIPAA-compliant environment, making it an appealing choice for organizations that have collaborative processes, require regular training of their employees, or need to communicate with patients' family members.

Zoom for Healthcare meets all of HIPAA's general security requirements. To top it off, the security behind the HIPAA-compliant Zoom for Healthcare was designed with PHI in mind, ensuring that even though Zoom transmits PHI, it does not have access to it.