Is Loom HIPAA Compliant? BAA, PHI, and Security Explained


Kevin Henry

HIPAA

May 07, 2025

5 minutes read
Loom's HIPAA Compliance Status

At the time of writing, Loom is not HIPAA compliant and does not support customers’ HIPAA obligations. The official guidance is clear: Loom cannot sign a Business Associate Agreement (BAA), and you should not transmit or store Protected Health Information (PHI) in Loom. ([support.atlassian.com](https://support.atlassian.com/loom/docs/is-loom-hipaa-compliant/))

Loom’s integration into the Atlassian platform hasn’t changed this status. Atlassian’s Loom help page reiterates that Loom remains unable to sign BAAs and therefore should not be used for PHI. ([support.atlassian.com](https://support.atlassian.com/loom/docs/is-loom-hipaa-compliant/))

Business Associate Agreements (BAAs)

A Business Associate Agreement is the contract that permits a vendor to create, receive, maintain, or transmit PHI on your behalf and sets security, privacy, and breach-notification obligations. Loom does not offer a BAA, so it cannot act as your HIPAA business associate. ([support.atlassian.com](https://support.atlassian.com/loom/docs/is-loom-hipaa-compliant/))

By contrast, Atlassian can execute BAAs for certain Atlassian Cloud products on eligible plans, such as Jira, Jira Service Management, and Confluence, but this BAA coverage does not extend to Loom. If you need to handle Electronic Protected Health Information (ePHI) within the Atlassian ecosystem, you must use only the products and apps covered by Atlassian’s HIPAA program and your signed BAA, and confirm that scope in the BAA itself rather than assuming it. ([support.atlassian.com](https://support.atlassian.com/organization-administration/docs/understand-hipaa-compliance-for-atlassian-products/))

Handling Protected Health Information (PHI)

PHI is individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, in any form or medium; ePHI is the subset held or sent electronically. Because Loom does not provide a BAA, uploading, recording, sharing, or storing PHI in Loom is an impermissible disclosure under HIPAA. The vendor explicitly instructs users not to send personal health information to Loom. ([support.atlassian.com](https://support.atlassian.com/loom/docs/is-loom-hipaa-compliant/))

If your workflows involve clinical content, switch to a HIPAA-eligible platform with a signed BAA before you capture or share any PHI. Bear in mind that Loom is a screen and camera recorder: a walkthrough that incidentally shows an EHR screen, a patient email, or a scheduling view captures PHI just as surely as a recording made about a patient. Treating such content correctly is essential for alignment with the HIPAA Security Rule and to maintain defensible Compliance Risk Management.

Security Measures Implemented by Loom

Although Loom is not HIPAA compliant, it does offer enterprise security features that help protect general business content. Admins can configure Single Sign-On (SSO) and Directory Sync (SCIM) to centralize identity, provisioning, and deprovisioning. ([support.atlassian.com](https://support.atlassian.com/loom/docs/configure-sso-and-directory-sync-scim))

Loom also provides granular video privacy options, such as restricting access to workspace members instead of open link sharing, to strengthen Data Privacy Controls for non-PHI use cases. ([support.atlassian.com](https://support.atlassian.com/loom/docs/use-looms-privacy-settings/))

For assurance reporting, Atlassian publishes SOC 2 attestation materials, including reports specific to Loom, which organizations can review under NDA. This supports due diligence for general security reviews, even though it does not make Loom HIPAA compliant. ([atlassian.com](https://www.atlassian.com/trust/compliance/resources/soc2))

Recommendations for Healthcare Providers

If you handle PHI, do not use Loom. Choose a platform that will sign a Business Associate Agreement and provides HIPAA-eligible configurations. Validate that the vendor’s controls align with the HIPAA Security Rule and your Information Security Policy, and ensure all PHI flows are documented in your Compliance Risk Management program.

Strengthen governance by enforcing least-privilege access, disabling public link sharing, setting retention and eDiscovery policies, and training staff on PHI handling. Establish an incident response playbook for accidental PHI exposure and require BAAs from any integrated third parties that may process ePHI. When you do sign a BAA, check that it covers every feature you will actually use (recordings, transcripts, AI-generated summaries, integrations), because a BAA typically covers only the services it lists.

Risks of Using Non-HIPAA Compliant Tools

Using a tool that won’t sign a BAA introduces regulatory and contractual risk, including potential HIPAA violations and breach notification obligations. It also increases exposure to unauthorized disclosure (for example, “anyone with the link” sharing), weakens auditability, and complicates legal holds and record retention. In short, non-compliant tooling can undermine both patient trust and organizational risk posture.

Alternatives for HIPAA-Compliant Video Communication

  • Zoom for Healthcare: Offers a BAA and HIPAA-ready controls for meetings, chat, and, when enabled, additional products; verify configuration aligns with your policies. ([zoom.com](https://www.zoom.com/en/trust/legal-compliance/faq/))
  • Microsoft Teams (via Microsoft 365): Microsoft provides a HIPAA BAA through its Data Protection Addendum for in-scope cloud services, including Teams, when properly configured. ([learn.microsoft.com](https://learn.microsoft.com/en-us/compliance/regulatory/offering-hipaa-hitech))
  • Google Meet (via Google Workspace): Covered under Google’s HIPAA BAA for included functionality; ensure you’ve executed the BAA and configured Meet accordingly. ([workspace.google.com](https://workspace.google.com/terms/2015/1/hipaa_functionality/))
  • Doxy.me: Purpose-built telehealth platform that will sign a BAA (including options for clinics) and is designed for HIPAA-compliant virtual visits. ([help.doxy.me](https://help.doxy.me/en/articles/95854-is-doxy-me-hipaa-compliant))
  • VSee: Telemedicine suite that offers a BAA and security controls suited for clinical workflows. ([help.vsee.com](https://help.vsee.com/kb/articles/is-vsee-hipaa-compliant))

Conclusion

Loom is not HIPAA compliant and does not sign BAAs, so you should not use it for PHI. If your use case touches clinical content, move to a HIPAA-eligible platform with a signed BAA, implement robust Data Privacy Controls, and anchor your processes to a clear Information Security Policy and the HIPAA Security Rule. ([support.atlassian.com](https://support.atlassian.com/loom/docs/is-loom-hipaa-compliant/))

FAQs

Is Loom able to sign a Business Associate Agreement?

No. Loom explicitly states it cannot sign BAAs to support HIPAA compliance. ([support.atlassian.com](https://support.atlassian.com/loom/docs/is-loom-hipaa-compliant/))

Can Loom be used to share protected health information?

No. Because Loom does not offer a BAA, you should not upload, record, or share PHI or ePHI using Loom. ([support.atlassian.com](https://support.atlassian.com/loom/docs/is-loom-hipaa-compliant/))

What are the risks of using Loom for healthcare communication?

Without a BAA, any PHI handled in Loom may constitute a HIPAA violation, creating regulatory, legal, and reputational risk. Link-based sharing can also increase inadvertent exposure, and the absence of HIPAA-aligned safeguards complicates auditing and incident response.

What alternatives exist for HIPAA-compliant video messaging?

Consider Zoom for Healthcare, Microsoft Teams under the Microsoft 365 BAA, Google Meet under the Google Workspace BAA, Doxy.me, or VSee. Each can provide a BAA and offers HIPAA-eligible configurations when set up correctly. ([zoom.com](https://www.zoom.com/en/trust/legal-compliance/faq/))
