Can I Use Zoom for HIPAA? Plans, BAA, and Secure Setup Explained


Kevin Henry

HIPAA

September 01, 2025

7 minutes read

Yes—if you choose the right plan, sign a Business Associate Agreement, and configure security correctly, you can use Zoom with Protected Health Information. This guide explains which plans qualify, how the BAA works, what features are in scope, and the security settings and training you need to stay compliant.

Zoom Plans Supporting HIPAA Compliance

Zoom can support HIPAA compliance when you use a plan designed for healthcare or an eligible enterprise offering that includes a Business Associate Agreement. Basic (free) and most individual Pro accounts generally are not eligible for a BAA and should not be used with PHI.

Plans typically used for HIPAA

  • Zoom for Healthcare: Built for telehealth workflows and BAA eligibility.
  • Eligible Enterprise plans: Available to larger organizations that can execute a BAA and apply Role-Based Access Controls across users.

What to verify before purchase

  • Written confirmation that your specific plan and account are eligible for a Business Associate Agreement.
  • Whether needed features (for example, Secure Messaging via Zoom Team Chat or HIPAA-Compliant Cloud Storage for recordings) are covered under your BAA.
  • Administrative controls for encryption, data retention, and audit logging at the account level.

Business Associate Agreement Requirements

A Business Associate Agreement is mandatory whenever Zoom, as a business associate, creates, receives, maintains, or transmits Protected Health Information on your behalf. Without a signed BAA, you must not share PHI over Zoom.

Key elements your BAA should address

  • Scope: The exact Zoom services and features that are in scope. Only listed services are covered.
  • Safeguards: Administrative, physical, and technical measures including encryption, access controls, and breach notification obligations.
  • Use and disclosure: Limitations on how Zoom may process PHI and requirements for subcontractors.
  • Retention and return: How PHI is retained, returned, or destroyed at contract end.

Your responsibilities remain

The BAA does not replace your internal compliance program. You still must configure settings correctly, restrict workforce access, train users, monitor activity, and maintain policies for acceptable use, incident response, and patient rights.

Eligible Zoom Features Under BAA

Your BAA defines what is covered. Generally, core collaboration features are eligible when explicitly included; features not listed are out of scope. Treat anything uncertain as non-compliant until confirmed in writing.

Features commonly in scope (confirm in your BAA)

  • Zoom Meetings (video, audio, screensharing, in-meeting chat) with AES-256 GCM Encryption enforced.
  • Secure Messaging via Zoom Team Chat with retention controls and export/audit as needed.
  • Cloud services that are expressly included, such as HIPAA-Compliant Cloud Storage for recordings when enabled and protected.
  • Admin and security capabilities (RBAC, 2FA/SSO, audit logs, policy enforcement).

Features often out of scope or restricted

  • PSTN telephony (dial-in/out), SMS, or fax features unless explicitly included.
  • Live streaming to third-party platforms and social media.
  • Third-party Marketplace apps that are not covered by your BAA or a separate agreement.
  • Certain AI features (for example, autogenerated summaries or transcription) if not covered by your BAA and data-processing terms.

When a feature is out of scope, do not use it with PHI. Disable it at the account level to prevent accidental exposure.

Encryption and Security Standards

Zoom protects media streams with AES-256 GCM Encryption and secures signaling with modern TLS. Data at rest is encrypted, and administrators can limit access to PHI using Role-Based Access Controls and strong authentication.

End-To-End Encryption (E2EE)

E2EE adds an extra layer by generating and holding the meeting's encryption keys only on participants' devices, so Zoom's servers relay media they cannot decrypt. It increases privacy but disables or limits certain features (such as cloud recording and PSTN dial-in) that depend on the server being able to access the media. Use E2EE for sessions that include highly sensitive PHI when those workflow impacts are acceptable.

Access and accountability

  • Require SSO or 2FA for all workforce accounts.
  • Limit hosting and recording privileges to trained users with job-related need.
  • Enable logging and periodic audits of meeting, chat, and admin actions.

Plan Requirements for BAA

To obtain a BAA, you generally need an eligible paid plan, an account owner with authority to sign, and agreement on the covered services. Minimum seat counts or specific SKUs may apply depending on your contract.

Storage, retention, and HIPAA-Compliant Cloud Storage

  • Define retention schedules for recordings and chats; purge automatically when no longer needed.
  • Restrict who can create, view, download, or share recordings that contain PHI.
  • If you enable cloud recording, ensure it is stored only in HIPAA-Compliant Cloud Storage with encryption and access controls enforced.

Contracting steps

  • Confirm plan eligibility and the exact features you need covered.
  • Execute the BAA and attach it to your master service agreement or order form.
  • Validate settings against the BAA before onboarding clinicians or patients.

Configuration and Staff Training Responsibilities

HIPAA compliance depends on configuration discipline and workforce readiness. Lock down risky features and teach staff how to handle PHI safely.

Account-level secure defaults

  • Require passcodes and Waiting Room; disable Join Before Host.
  • Enforce AES-256 GCM Encryption; enable E2EE for high-risk use cases.
  • Disable features out of scope (cloud recording, streaming, file transfer, or whiteboards) unless covered and controlled.
  • Turn on RBAC, SSO/2FA, and audit logging; restrict app installs to approved tools.
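One way to turn the checklist above into a repeatable check is to audit an exported account-settings document against it. The script below is an added example, not Zoom's or this article's code; the nested key names are assumed placeholders modelled on the checklist, not Zoom's documented API fields, so map them to your own export before use.

```python
"""Audit an exported Zoom account-settings document against the HIPAA
secure defaults listed above. Key paths are assumed placeholders (not
Zoom's real API field names); the sample export is constructed."""
from typing import Any

# (dotted path into the settings document, required value, why it matters)
HIPAA_BASELINE = [
    ("schedule_meeting.require_passcode", True, "passcodes on every meeting"),
    ("in_meeting.waiting_room", True, "Waiting Room screens participants"),
    ("schedule_meeting.join_before_host", False, "no session without a host present"),
    ("in_meeting.aes_256_gcm", True, "AES-256 GCM enforced for media"),
    ("in_meeting.end_to_end_encryption", True, "E2EE available for high-risk sessions"),
    ("recording.cloud_recording", False, "off unless covered by the BAA"),
    ("in_meeting.live_streaming", False, "streaming is out of scope for PHI"),
    ("in_meeting.file_transfer", False, "off unless covered and controlled"),
    ("security.sign_in_with_two_factor_auth", True, "2FA/SSO for workforce accounts"),
    ("audit.admin_activity_logs", True, "audit logging of admin actions"),
]

def lookup(doc: dict, path: str) -> Any:
    """Walk a dotted path; return None when any segment is missing."""
    node: Any = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit_settings(doc: dict) -> list[dict]:
    """Return one finding per baseline rule that is unmet or absent.
    An unset value is a finding too: treat anything unconfirmed as
    non-compliant, as the article advises."""
    findings = []
    for path, required, reason in HIPAA_BASELINE:
        actual = lookup(doc, path)
        if actual != required:
            findings.append({"setting": path, "expected": required,
                             "actual": actual, "reason": reason})
    return findings

# Constructed sample export: a default account that has not been locked down.
SAMPLE_EXPORT = {
    "schedule_meeting": {"require_passcode": True, "join_before_host": True},
    "in_meeting": {"waiting_room": False, "aes_256_gcm": True,
                   "live_streaming": True, "file_transfer": True},
    "recording": {"cloud_recording": True},
    "security": {"sign_in_with_two_factor_auth": False},
}

if __name__ == "__main__":
    for f in audit_settings(SAMPLE_EXPORT):
        print(f"FAIL {f['setting']}: expected {f['expected']}, "
              f"got {f['actual']} ({f['reason']})")
```

Run it against each account export before onboarding clinicians; an empty findings list is the goal, and any rule that is reported as absent means the setting still needs to be confirmed.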

Meeting-level practices

  • Use unique meeting IDs; avoid personal meeting IDs for patient sessions.
  • Limit screensharing to the host; avoid displaying unrelated PHI.
  • Do not place PHI in meeting titles, invitations, or waiting room messages.

Device and environment hygiene

  • Use managed devices with disk encryption and automatic updates.
  • Require headsets or private spaces to prevent eavesdropping.
  • Log out of shared workstations and clear local caches after sessions.

Training essentials

  • Teach staff what counts as Protected Health Information and where PHI is allowed.
  • Provide quick-reference guides for recording, chat, and file-sharing rules.
  • Run drills for misdirected invites, meeting bombers, and disclosure response.

Third-Party Integrations and Compliance Risks

Integrations can streamline telehealth but also expand your risk surface. Treat every app, bot, and connector as a potential PHI processor that must be vetted and governed.

Marketplace apps and EHR connectors

  • Allow only approved apps; require security reviews and, where applicable, a BAA with the vendor.
  • Prefer EHR-native workflows that keep PHI within your EHR and only expose minimum necessary data to Zoom.

AI features and data sharing

  • Disable AI features unless they are expressly covered by contract and needed for care delivery.
  • Document what data is processed, where it is stored, and how it is deleted.

Monitoring and incident response

  • Enable alerts for unusual access or mass downloads of recordings.
  • Keep runbooks for containment, patient notification, and reporting obligations.
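The "mass downloads of recordings" alert above can be expressed as a sliding-window rule over the audit log. This is an added example, not Zoom's or the article's code; the log line format (timestamp, user, action, object) and the event names are assumptions, and the log lines are constructed.

```python
"""Flag users who download an unusual number of recordings within a short
window. Log format and action names are assumed; sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real Zoom output); one event per line.
SAMPLE_LOG = """\
2025-09-01T09:00:05Z alice@clinic.example recording.download rec-101
2025-09-01T09:00:40Z alice@clinic.example recording.download rec-102
2025-09-01T09:01:10Z bob@clinic.example recording.view rec-101
2025-09-01T09:01:15Z alice@clinic.example recording.download rec-103
2025-09-01T09:01:50Z alice@clinic.example recording.download rec-104
2025-09-01T09:02:30Z alice@clinic.example recording.download rec-105
2025-09-01T09:02:55Z alice@clinic.example recording.download rec-106
2025-09-01T10:30:00Z bob@clinic.example recording.download rec-107
2025-09-01T11:45:00Z bob@clinic.example recording.download rec-108
"""

def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one audit line into (timestamp, user, action, object)."""
    ts, user, action, obj = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, obj

def detect_mass_downloads(log: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Keep a per-user deque of recent download timestamps and raise one alert
    the first time a user's count inside `window` reaches `threshold`, so the
    responder is paged once per burst rather than on every extra download."""
    recent: dict[str, deque] = defaultdict(deque)
    alerted: set[str] = set()
    alerts: list[dict] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj = parse_line(line)
        if action != "recording.download":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:      # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "count": len(q), "first": q[0],
                           "last": ts, "object": obj})
    return alerts

if __name__ == "__main__":
    for a in detect_mass_downloads(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['count']} downloads between {a['first']} and {a['last']}")
```

Tune `threshold` and `window` to your own baseline of legitimate clinician activity, and feed the alert into the containment runbook rather than treating it as proof of misuse on its own.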

Conclusion

You can use Zoom for HIPAA when you pair an eligible plan with a signed BAA, enforce AES-256 GCM Encryption, and lock down features via Role-Based Access Controls. Combine secure configuration with clear policies, HIPAA-Compliant Cloud Storage where required, and steady training so every session protects patient privacy.

FAQs

What Zoom plans support HIPAA compliance?

Zoom for Healthcare and certain enterprise offerings can support HIPAA when paired with a signed BAA and proper configuration. Basic and most individual Pro plans typically are not eligible and should not be used with PHI.

Is a Business Associate Agreement required for HIPAA use?

Yes. If Zoom will create, receive, maintain, or transmit Protected Health Information on your behalf, a Business Associate Agreement is required. Without a BAA, do not use Zoom to handle PHI.

Which Zoom features are covered under the BAA?

Coverage is limited to the services explicitly listed in your BAA. Core features like Zoom Meetings and Secure Messaging (Zoom Team Chat) may be included, along with administrative tools and, if specified, HIPAA-Compliant Cloud Storage for recordings. Features not listed—such as certain AI tools, PSTN telephony, or third-party apps—are out of scope.

How should organizations configure Zoom for HIPAA compliance?

Start with an eligible plan and executed BAA, then enforce strong defaults: require passcodes and Waiting Room, enable AES-256 GCM Encryption and consider End-To-End Encryption for sensitive sessions, apply Role-Based Access Controls, restrict or disable non-covered features, manage retention for recordings and chats, and train staff on PHI handling and incident response.
