HIPAA Compliance for Zoom and Video Calls: BAA, Required Settings, and Best Practices
Establish a Business Associate Agreement
Why a BAA matters
A Business Associate Agreement (BAA) is the foundation for using Zoom to handle Protected Health Information (PHI). It contractually binds your organization and the vendor to safeguard PHI, defines permitted uses and disclosures, and allocates responsibilities such as breach notification and subcontractor oversight.
How to execute and scope your BAA
- Obtain a signed BAA from Zoom before enabling any feature that may touch PHI (recording, chat, whiteboard, transcripts).
- Verify the BAA’s scope: covered services, data handling locations, encryption standards, access controls, subcontractors, and breach reporting timelines.
- Document the BAA, version, and effective dates; store with your HIPAA documentation for at least six years.
Operational controls to pair with your BAA
- Limit PHI use to the “minimum necessary.”
- Assign least‑privilege roles to hosts, co-hosts, and administrators.
- Require acknowledgments that all meeting owners follow approved HIPAA configurations.
Configure End-to-End Encryption
Enable and enforce E2EE
- In your Zoom admin settings, enable End-to-End Encryption (E2EE) and set it as the default for all new meetings that may involve PHI.
- Require all participants to join from supported Zoom clients; disable telephone dial-in and SIP/H.323 connectors for E2EE meetings.
- Have participants verify the meeting’s security code verbally to detect man‑in‑the‑middle risks.
Understand E2EE trade-offs
- E2EE typically disables or limits features such as cloud recording, live streaming, live transcription, breakout rooms, and compatibility with legacy connectors (telephone dial-in, SIP/H.323).
- If a session cannot run with E2EE, apply compensating controls (e.g., local recording encryption, tighter access controls, and enhanced auditing).
Enforce Multi-Factor Authentication
MFA and identity best practices
- Mandate Multi-Factor Authentication (MFA) for all users—prefer phishing‑resistant methods (FIDO2 keys) or app‑based authenticators over SMS.
- Integrate Single Sign‑On (SSO) with your identity provider to centralize lifecycle management and enforce strong password and session policies.
- Block legacy authentication, set device trust requirements, and implement conditional access for high‑risk contexts (new country, unmanaged device).
Session hygiene
- Set short token lifetimes and idle timeouts for admin consoles.
- Require re‑authentication for sensitive actions like recording access or account ownership changes.
Limit Cloud Recording
Default stance and exceptions
- Disable cloud recording by default for meetings that may include PHI.
- Allow exceptions only when your BAA explicitly covers recordings and your storage, encryption, and access controls meet HIPAA standards.
Safe recording workflows
- Prefer local recording to an encrypted, enterprise‑managed drive with role‑based access and centralized Access Logs.
- If cloud recording is permitted, restrict who can record, require meeting‑start consent prompts, and watermark shared content.
- Disable auto‑transcription and smart summaries unless explicitly approved and covered by the BAA; these can capture PHI.
- Apply retention and auto‑deletion policies immediately; tag recordings containing PHI for stricter handling.
Restrict Screen Sharing and Chat
Minimize exposure paths
- Set screen sharing to “Host only” by default; grant temporary share rights when needed.
- Disable annotation, remote control, whiteboard for external attendees, and file transfer in chat unless business‑critical and approved.
- Encourage “share a window” or “share a portion of screen” to avoid accidental PHI disclosure from other applications.
- Configure chat to “Host and panelists only” during patient encounters, and post a reminder not to place PHI in chat.
Activate Waiting Rooms and Lock Meetings
Strong admission controls
- Require unique meeting IDs and passcodes; avoid Personal Meeting IDs for external sessions.
- Enable Waiting Rooms, disable “Join before host,” and restrict entry to “authenticated users only” when feasible.
- Use the participant list to positively identify attendees; remove unknown or mislabeled users immediately.
- Lock the meeting once required participants have joined.
Set Retention Policies
Retention aligned to minimum necessary
- Define distinct retention for recordings, transcripts, whiteboards, and chat. Shorten retention for PHI; auto‑delete by default.
- Apply legal hold workflows for investigations or litigation without suspending global deletion policies unnecessarily.
- Retain HIPAA documentation (e.g., BAAs, policies, training, risk analyses) for at least six years.
Audit and Document
Build a defensible audit trail
- Enable and centralize Access Logs for logins, meeting creation, participant joins/leaves, recording access, administrator actions, and configuration changes.
- Correlate Zoom logs with endpoint, identity, and network telemetry to reconstruct events quickly.
- Document approved configurations, exceptions, and periodic reviews; record risk analyses and mitigation decisions.
Train Staff
Role‑based, scenario‑driven training
- Teach staff how to verify attendees, use Waiting Rooms, lock meetings, and avoid sharing PHI on screen or in chat.
- Reinforce privacy etiquette: conduct calls in private spaces, use headsets, and prevent shoulder‑surfing.
- Provide quick‑reference guides for hosts and schedulers; run drills on handling unknown joiners or misdirected invites.
- Test comprehension with short assessments and refresh training annually or after major changes.
Patch Software Promptly
Close vulnerabilities fast
- Enable automatic updates for Zoom desktop and mobile apps; block versions below your approved minimum.
- Manage clients via MDM/endpoint tools; remove unused plugins, virtual backgrounds that require external fetches, and deprecated add‑ons.
- Patch operating systems, browsers, and drivers on the same cadence; video security depends on the whole stack.
Monitor for Security Anomalies
Continuous detection using SIEM
- Stream Zoom administrative and activity logs into your Security Information and Event Management (SIEM) platform.
- Create alerts for logins from unusual locations, brute‑force attempts, mass meeting creations, sudden spikes in recording downloads, and policy changes.
- Use UEBA or risk scoring to prioritize investigations; tune rules to reduce false positives.
- Review privileged admin activity daily; require change tickets for configuration updates.
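The alert classes listed above, run over a handful of audit events, as an added example that is not part of the original article or any Zoom-provided tooling. The event schema (`ts`, `user`, `action`, `country`, `ok`), the per-user country baseline, and every threshold are assumptions to be adapted to your own SIEM's normalized fields; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, user, action, country="US", ok=True):
    """Build one constructed audit event (simplified schema, not Zoom's real log format)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "country": country, "ok": ok}

# Constructed sample events for illustration only.
SAMPLE_EVENTS = (
    [ev(f"2024-05-01T09:00:{i:02d}", "alice", "login", ok=False) for i in range(6)]  # 6 failures in 6 s
    + [ev("2024-05-01T09:05:00", "bob", "login", country="RO")]                      # outside baseline
    + [ev(f"2024-05-01T10:{i:02d}:00", "dave", "meeting_create") for i in range(12)]  # 12 in 11 min
    + [ev("2024-05-01T11:00:00", "carol", "settings_change")]                        # config change
    + [ev("2024-05-01T12:00:00", "alice", "login"),
       ev("2024-05-01T12:01:00", "alice", "recording_download")]                     # benign activity
)

# Assumed per-user "usual" countries; users missing here alert on any successful login.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}}

# (action, ok flag to match, max events per window, alert name); thresholds are assumptions.
RATE_RULES = [("login", False, 5, "brute_force"),
              ("meeting_create", True, 10, "mass_meeting_create"),
              ("recording_download", True, 20, "recording_download_spike")]

def exceeds_rate(times, window, limit):
    """True if more than `limit` timestamps fall inside any sliding window of `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window start forward
            start += 1
        if end - start + 1 > limit:
            return True
    return False

def detect(events, window=timedelta(minutes=10)):
    """Return sorted (rule, user) alerts for the anomaly classes the section lists."""
    alerts, by_user = set(), defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for e in evs:
            if e["action"] == "login" and e["ok"] and \
               e["country"] not in BASELINE_COUNTRIES.get(user, set()):
                alerts.add(("unusual_location", user))
            if e["action"] == "settings_change":   # every policy/config change is reviewed
                alerts.add(("policy_change", user))
        for action, ok, limit, name in RATE_RULES:
            times = [e["ts"] for e in evs if e["action"] == action and e["ok"] == ok]
            if exceeds_rate(times, window, limit):
                alerts.add((name, user))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, user in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {user}")
```

Alice's single recording download stays below the spike threshold, so the run produces exactly four alerts; the rate rules are the place to tune false positives as the section recommends.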
Maintain an Incident Response Plan
Prepare, practice, and act
- Publish a clear Incident Response Plan with contacts, decision trees, and playbooks for common scenarios (unauthorized attendee, leaked link, lost device, misdirected recording).
- Define containment steps: remove participants, lock meeting, revoke links, rotate passcodes, and suspend recording access.
- Preserve evidence: export relevant Access Logs, collect host system details, and snapshot configurations.
- Coordinate notifications and root‑cause analysis; document lessons learned and update controls and training.
Conclusion
HIPAA compliance for Zoom hinges on a signed BAA, strict security settings (E2EE, MFA, Waiting Rooms), disciplined data handling (limited recording, clear retention), and continuous oversight (auditing, SIEM monitoring, and a tested Incident Response Plan). With these controls, you can minimize risk while delivering reliable, patient‑centered video care.
FAQs
What is a Business Associate Agreement in HIPAA?
A Business Associate Agreement (BAA) is a required contract between a covered entity and a vendor that handles PHI on its behalf. It defines allowed uses and disclosures of PHI, mandates safeguards, outlines breach notification duties, and extends these obligations to subcontractors. You should not use a vendor for PHI until a BAA is fully executed.
How do I enable end-to-end encryption in Zoom?
In the Zoom admin portal, enable End-to-End Encryption (E2EE) and set it as the default for meetings that may include PHI. Instruct users to join from supported Zoom clients, disable phone dial‑in for those meetings, and have participants verify the in‑meeting security code verbally. Be aware E2EE limits features like cloud recording and live transcription.
Can Zoom recordings be HIPAA compliant?
Yes—if your BAA covers recordings and you implement strict controls: restrict who can record, require consent prompts, encrypt storage, limit access by role, maintain Access Logs, and enforce short retention with automatic deletion. If any requirement cannot be met, disable recording for PHI sessions.
What steps ensure HIPAA compliance for video calls?
Secure the vendor with a BAA, enable E2EE, require MFA and SSO, use Waiting Rooms and passcodes, lock meetings, limit or disable cloud recording, restrict screen sharing and chat, apply retention policies, centralize Access Logs, train staff, patch clients promptly, monitor via a SIEM, and maintain a tested Incident Response Plan.