Is GoToMeeting HIPAA Compliant? BAA, Security Features, and Setup Guide



Kevin Henry

HIPAA

February 14, 2026

7-minute read

Overview of HIPAA Compliance

GoToMeeting can support HIPAA compliance when you implement the right safeguards and have a signed Business Associate Agreement (BAA). There is no HIPAA "certification" for a product: the Security Rule requires administrative, physical, and technical safeguards for Protected Health Information (PHI), and it is how you implement those safeguards around the tool, not a vendor claim, that determines whether you are compliant.

Compliance is a shared responsibility. You must combine vendor capabilities with your policies, Access Controls, and user training. This guide explains the BAA, core security features, and a practical Secure Meeting Configuration you can apply today.

This article is informational and does not constitute legal advice. Always confirm requirements with your compliance team and counsel.

Understanding Business Associate Agreement (BAA)

A Business Associate Agreement (BAA) is the contract that permits a service provider to handle PHI and defines required safeguards, breach notification duties, and permitted uses. You should not create, transmit, or store PHI with GoToMeeting until a BAA is executed.

  • Verify your plan supports a BAA and confirm the specific services and features covered.
  • Execute the BAA with GoTo and retain a signed copy with your compliance documentation.
  • Review scope carefully (live meetings, recordings, transcripts, storage, support access) and disable any non‑covered features.
  • Map BAA obligations to internal policies: minimum necessary PHI, retention, user provisioning, and incident response.
  • Designate contacts for security events and ensure breach reporting timelines are understood.

Encryption and Data Protection

Protecting PHI hinges on strong encryption and disciplined data handling. GoToMeeting protects signaling and web traffic in transit with TLS, and media streams are secured with protocols that apply AES with 128-bit or longer keys. Two caveats matter in practice: encryption in transit defends against network interception only, not against an authorized participant recording or photographing the screen; and in a hosted service the provider, not you, holds the media and storage keys. Confirm with GoTo which features (for example cloud recording or transcription) require media to be decrypted on its servers, because that vendor access is governed by the BAA, not by the cipher.

  • In transit: Signaling and media are encrypted to mitigate interception risks. Screensharing, audio, and video traverse encrypted channels.
  • At rest: If you enable cloud recordings or store artifacts (chat, transcripts), ensure they remain encrypted at rest and access is tightly restricted.
  • Key management: In a hosted service the vendor manages encryption keys; what you control is administrative access to the account and to any downloaded artifacts. Keep that access to least privilege and confirm in the BAA how the vendor restricts and logs its own key and data access.
  • Data minimization: Avoid storing recordings or transcripts that contain PHI unless policy requires it; set short retention periods and automate deletion.

User Access Controls and Authentication

Strong identity and role design keep PHI away from unauthorized users. Align your account with enterprise identity, enforce multi‑factor authentication, and apply granular Access Controls at both admin and meeting levels.


  • Single Sign‑On (SSO): Integrate with your IdP (SAML/OIDC) and require MFA for all organizers and admins.
  • Risk-Based Authentication: Use your IdP’s risk signals (device posture, IP, geolocation, behavior) to step up challenges when risk is elevated.
  • Roles and least privilege: Restrict admin rights, limit who can schedule or record meetings, and grant co‑organizer privileges only when needed.
  • Participant authentication: Require authenticated users to join; disable anonymous joining for PHI‑related sessions.
  • Provisioning: Automate via SCIM (if available) so departures immediately lose access; audit group memberships regularly.
  • IP and device hygiene: If your environment supports it, allowlist corporate networks and block unmanaged devices from organizing meetings with PHI.

Audit Controls and Reporting

The Security Rule's audit controls standard (45 CFR 164.312(b)) requires mechanisms that record and examine activity in systems that contain or use electronic PHI. Use Audit Logs and meeting reports to trace who accessed PHI and what actions they took, then retain those records per policy.

  • Meeting activity: Organizer, attendees, join/leave times, and host actions (lock, mute, remove) for accountability.
  • Administrative changes: Creation of users, role updates, SSO/MFA policy changes, and security setting edits.
  • Recording access: Who created, viewed, downloaded, or shared recordings and transcripts.
  • Export and integration: Regularly export logs to your SIEM; set alerts for anomalies (off‑hours access, repeated failures, unusual sharing).
  • Retention: Define retention for logs and reports that balances compliance needs with data minimization.
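The alerting rules listed above (off-hours access, repeated failures, unusual sharing) are easier to reason about as code. The following is an added example, not code from the article or from GoTo: it runs those three detections over a constructed set of audit events. The event field names (`ts`, `user`, `action`, `target`, `result`, `src`) and the action names are assumptions; map your real export schema into this shape. Timestamps are treated as UTC; a production version converts them to your organization's local time before applying the business-hours window.

```python
"""Detection pass over constructed GoToMeeting-style audit events.

Added example, not the article's or GoTo's code. Field and action names are
assumptions; adapt them to the schema of your actual log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real logs). Timestamps are ISO-8601 UTC.
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T09:12:00Z", "user": "rn.adams@clinic.example", "action": "meeting.join",       "target": "mtg-1001", "result": "success", "src": "10.20.0.14"},
    {"ts": "2026-02-10T02:40:00Z", "user": "contractor@ext.example",  "action": "recording.download", "target": "rec-77",   "result": "success", "src": "203.0.113.9"},
    {"ts": "2026-02-10T09:13:00Z", "user": "dr.lee@clinic.example",   "action": "login",              "target": "-",        "result": "failure", "src": "198.51.100.7"},
    {"ts": "2026-02-10T09:14:00Z", "user": "dr.lee@clinic.example",   "action": "login",              "target": "-",        "result": "failure", "src": "198.51.100.7"},
    {"ts": "2026-02-10T09:15:00Z", "user": "dr.lee@clinic.example",   "action": "login",              "target": "-",        "result": "failure", "src": "198.51.100.7"},
    {"ts": "2026-02-10T09:16:00Z", "user": "dr.lee@clinic.example",   "action": "login",              "target": "-",        "result": "failure", "src": "198.51.100.7"},
    {"ts": "2026-02-10T09:17:00Z", "user": "dr.lee@clinic.example",   "action": "login",              "target": "-",        "result": "failure", "src": "198.51.100.7"},
    {"ts": "2026-02-10T11:00:00Z", "user": "dr.lee@clinic.example",   "action": "recording.share",    "target": "rec-77",   "result": "success", "src": "10.20.0.31"},
    {"ts": "2026-02-10T11:02:00Z", "user": "dr.lee@clinic.example",   "action": "recording.share",    "target": "rec-78",   "result": "success", "src": "10.20.0.31"},
    {"ts": "2026-02-10T11:03:00Z", "user": "dr.lee@clinic.example",   "action": "recording.share",    "target": "rec-79",   "result": "success", "src": "10.20.0.31"},
    {"ts": "2026-02-10T14:30:00Z", "user": "rn.adams@clinic.example", "action": "recording.share",    "target": "rec-80",   "result": "success", "src": "10.20.0.14"},
    {"ts": "2026-02-10T20:15:00Z", "user": "rn.adams@clinic.example", "action": "meeting.join",       "target": "mtg-1002", "result": "success", "src": "10.20.0.14"},
]

# Tunables (assumptions; set them from your own baseline).
BUSINESS_HOURS = (7, 19)      # [start, end) hour in the zone the timestamps use
SENSITIVE_ACTIONS = {"recording.download", "recording.share", "recording.view", "settings.change"}
FAILURE_THRESHOLD = 5         # failed logins per user inside FAILURE_WINDOW
FAILURE_WINDOW = timedelta(minutes=10)
SHARE_THRESHOLD = 3           # distinct recordings shared by one user in a day


def parse_ts(value):
    """Parse the export's 'YYYY-MM-DDTHH:MM:SSZ' timestamps as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def off_hours_access(events, hours=BUSINESS_HOURS):
    """Sensitive actions outside business hours. A meeting join at 20:15 is not
    flagged (joining is routine); pulling a recording at 02:40 is."""
    start, end = hours
    return [e for e in events
            if e["action"] in SENSITIVE_ACTIONS
            and not (start <= parse_ts(e["ts"]).hour < end)]


def repeated_failures(events, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Users with at least `threshold` failed logins inside any sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "failure":
            per_user[e["user"]].append(parse_ts(e["ts"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            # Slide the window start forward until times[j..i] all fit in `window`.
            while t - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                flagged[user] = i - j + 1
                break
    return flagged


def unusual_sharing(events, threshold=SHARE_THRESHOLD):
    """Users who shared at least `threshold` distinct recordings in one calendar day."""
    shares = defaultdict(set)
    for e in events:
        if e["action"] == "recording.share" and e["result"] == "success":
            day = parse_ts(e["ts"]).date().isoformat()
            shares[(e["user"], day)].add(e["target"])
    return {f"{user} on {day}": len(recs)
            for (user, day), recs in shares.items() if len(recs) >= threshold}


def detect(events):
    """Run all three detections and return their findings keyed by rule."""
    return {
        "off_hours": off_hours_access(events),
        "repeated_failures": repeated_failures(events),
        "unusual_sharing": unusual_sharing(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Against the constructed events this flags the 02:40 recording download by the contractor account, five failed logins for dr.lee inside ten minutes, and dr.lee sharing three distinct recordings in one day. The same rules translate directly into SIEM correlation searches once the export is shipped there; keeping the thresholds as named constants makes the tuning decisions auditable.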

Configuring Security Settings

Apply a Secure Meeting Configuration as your default policy and enforce it across all organizers. Test changes in a pilot group before global rollout.

  1. Confirm BAA execution and document covered features before handling PHI.
  2. Enforce SSO with MFA for all admins and organizers; disable password-only (non-SSO) sign-in wherever the platform allows it.
  3. Require meeting passwords for every session and include authentication gates for participants.
  4. Enable lobby/waiting room; disable “join before organizer.” Admit only recognized participants.
  5. Limit screen sharing to “Organizer only” by default; allow specific presenters as needed.
  6. Disable remote control for PHI‑related sessions unless policy explicitly permits and the action is logged.
  7. Lock the meeting after all expected participants join; enable notifications when new users request entry.
  8. Turn off cloud recording by default. If business needs require it, restrict access, use short retention, and avoid capturing PHI whenever possible.
  9. Control chat and file transfer. Disable or limit to host‑only; purge chat logs according to retention rules.
  10. Use one‑time meeting IDs for PHI discussions; avoid reusing personal meeting rooms.
  11. Set automatic update policies for desktop and mobile apps; block outdated clients from joining.
  12. Apply data retention and deletion schedules for recordings, transcripts, and Audit Logs to minimize exposure.
  13. Add clear calendar invite language reminding attendees not to share unnecessary PHI and to join from private spaces. Keep PHI out of the invite itself (subject, body, attachments); calendar invites travel over email and sit in mailboxes outside your control.
  14. Periodically review configuration drift and reconcile settings to your baseline policy.
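Step 14 is the one that keeps the other thirteen true over time. The following is an added example, not code from the article or from GoTo's admin tooling: a drift check that compares a per-organizer settings snapshot against a baseline built from the checklist above. The setting names, the snapshot shape, and the approved-exceptions list are assumptions; in practice you export settings from the admin console and map them into this structure. Rules are not just equality: retention must not exceed a maximum, the client version must be at least the baseline, and a setting missing from the export is reported as drift rather than assumed compliant.

```python
"""Configuration-drift check against a Secure Meeting Configuration baseline.

Added example, not the article's or GoTo's code. Setting names, rule kinds,
the snapshot format and the exception list are assumptions.
"""

# Baseline: setting -> (rule, expected). "eq" must match exactly, "max" must
# not exceed the value, "min_version" must be at least the dotted version.
BASELINE = {
    "require_meeting_password": ("eq", True),
    "lobby_enabled":            ("eq", True),
    "join_before_organizer":    ("eq", False),
    "screen_sharing":           ("eq", "organizer_only"),
    "remote_control":           ("eq", False),
    "cloud_recording_default":  ("eq", False),
    "file_transfer":            ("eq", False),
    "recording_retention_days": ("max", 30),
    "min_client_version":       ("min_version", "10.19.0"),
}

# Approved, documented exceptions (assumption): organizer -> settings allowed to deviate.
EXCEPTIONS = {"training.lead@clinic.example": {"screen_sharing"}}

# Constructed snapshot of current per-organizer settings (not a real export).
SNAPSHOT = {
    "dr.lee@clinic.example": {
        "require_meeting_password": True, "lobby_enabled": True,
        "join_before_organizer": False, "screen_sharing": "organizer_only",
        "remote_control": False, "cloud_recording_default": False,
        "file_transfer": False, "recording_retention_days": 14,
        "min_client_version": "10.19.0",
    },
    "rn.adams@clinic.example": {
        "require_meeting_password": True, "lobby_enabled": True,
        "join_before_organizer": True,               # drift
        "screen_sharing": "organizer_only", "remote_control": False,
        "cloud_recording_default": True,             # drift
        "file_transfer": False,
        "recording_retention_days": 90,              # drift: exceeds the 30-day maximum
        "min_client_version": "10.20.1",
    },
    "training.lead@clinic.example": {
        "require_meeting_password": True, "lobby_enabled": True,
        "join_before_organizer": False,
        "screen_sharing": "all_participants",        # approved exception, not reported
        "remote_control": False, "cloud_recording_default": False,
        # "file_transfer" is absent from the export: reported as drift, never assumed compliant
        "recording_retention_days": 30,
        "min_client_version": "10.18.2",             # drift: below the baseline version
    },
}


def version_tuple(version):
    """'10.19.0' -> (10, 19, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_setting(rule, expected, actual):
    """True when `actual` satisfies the baseline rule."""
    if rule == "eq":
        return actual == expected
    if rule == "max":
        return actual is not None and actual <= expected
    if rule == "min_version":
        return version_tuple(actual) >= version_tuple(expected)
    raise ValueError(f"unknown rule {rule!r}")


def find_drift(snapshot, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Return one finding per (organizer, setting) that deviates from the baseline."""
    findings = []
    for organizer, settings in sorted(snapshot.items()):
        allowed = exceptions.get(organizer, set())
        for key, (rule, expected) in baseline.items():
            if key in allowed:
                continue
            if key not in settings:
                findings.append({"organizer": organizer, "setting": key,
                                 "expected": expected, "actual": None, "reason": "missing"})
                continue
            if not check_setting(rule, expected, settings[key]):
                findings.append({"organizer": organizer, "setting": key,
                                 "expected": expected, "actual": settings[key], "reason": rule})
    return findings


if __name__ == "__main__":
    for f in find_drift(SNAPSHOT):
        print(f"{f['organizer']}: {f['setting']} expected {f['expected']!r}, "
              f"got {f['actual']!r} ({f['reason']})")
```

Run on a schedule, the output is the reconciliation list: each finding is either remediated or turned into a documented exception, and the exception list itself is something the compliance reviewer should sign off on. Checking for missing keys matters because a renamed or removed setting in a vendor export would otherwise silently pass.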

Staff Training and Best Practices

Technology controls succeed only when people use them correctly. Provide role‑specific training and reinforce behaviors that reduce PHI exposure in meetings.

  • Identify PHI and follow the minimum necessary PHI standard; avoid verbalizing or displaying full identifiers unless required.
  • Verify participant identity before sharing PHI; re‑verify if someone joins late or reconnects.
  • Host from private spaces with headsets; avoid public Wi‑Fi. Close EHR and messaging apps not needed for the call.
  • Share a single application window instead of your entire desktop; double‑check notifications and overlays are off.
  • Announce and document consent before recording; prefer not to record when PHI is discussed.
  • Do not paste PHI into chat; if necessary, use approved secure messaging channels after the meeting.
  • Review Access Controls and Audit Logs regularly; report and investigate anomalies promptly.

Conclusion

GoToMeeting can be used in a HIPAA‑aligned way when you pair a signed BAA with strong encryption practices, rigorous Access Controls, comprehensive Audit Logs, and disciplined user training. Standardize a Secure Meeting Configuration, monitor for drift, and keep policies and training current to consistently protect PHI.

FAQs

What is required to make GoToMeeting HIPAA compliant?

You need a signed Business Associate Agreement (BAA), a Secure Meeting Configuration that enforces passwords, lobbies, and least‑privilege sharing, strong identity controls (SSO + MFA), defined retention for recordings and logs, and ongoing staff training. Compliance results from this combined program, not from software alone.

How does GoToMeeting protect PHI during meetings?

PHI is protected primarily through encryption in transit (TLS for signaling, AES with 128-bit or longer keys for media streams), authenticated access, and organizer controls such as waiting rooms, meeting locks, and restricted screen sharing. Keeping recordings off by default and minimizing stored data further reduces exposure.

What security features does GoToMeeting provide for HIPAA users?

Key features include meeting passwords, lobbies, lock controls, organizer‑only sharing, participant authentication, role‑based Access Controls, Audit Logs and reports, and support for SSO with MFA. When paired with your IdP, you can also apply Risk-Based Authentication to step up verification on higher‑risk sign‑ins.

How do I configure GoToMeeting for HIPAA compliance?

Execute the BAA, enforce SSO + MFA, require passwords and authenticated participants, enable the lobby, limit screen sharing, disable remote control and cloud recording by default, set retention for any stored content, and routinely review Audit Logs. Apply these settings as a standardized Secure Meeting Configuration across all organizers.
