Is Zoom HIPAA Compliant? Plans, BAA, and How to Set It Up
Is Zoom HIPAA compliant? It can be—when you choose an eligible plan, execute a Business Associate Agreement (BAA), and configure the platform to protect Protected Health Information (PHI) in line with the HIPAA Security Rule. This guide walks you end-to-end through plan selection, contracting, security hardening, and operational safeguards.
Your goal is defensible compliance: the right subscription, documented agreements, risk analysis documentation, access control policies, and audit trails, reinforced by staff training. Follow each section in order to minimize gaps and make Zoom a dependable part of your clinical or administrative workflow.
Selecting Eligible Zoom Plans
Start by confirming that your subscription supports a BAA. Free and many entry-level tiers are not appropriate for PHI. Eligible options typically include healthcare-focused or business/enterprise plans that explicitly provide BAAs and advanced admin controls.
Plan selection checklist
- BAA availability: the plan must allow a signed Business Associate Agreement (BAA) with Zoom.
- Security capabilities: encryption in transit, recording controls, data retention settings, and admin policy enforcement.
- Identity and access: SSO/SAML support, SCIM provisioning, multi-factor authentication (MFA), and role-based administration.
- Monitoring: detailed logs for sign-ins, meetings, and recording access to build complete audit trails.
- Support and uptime: enterprise support and SLA appropriate for clinical operations.
Document why the plan is eligible, who approved it, and the date of purchase. Store this in your vendor inventory and risk register to anchor downstream compliance work.
Executing a Business Associate Agreement
The BAA defines how Zoom, as a business associate, safeguards PHI and supports breach notification and subcontractor obligations. Without an executed BAA, you should not create, receive, maintain, or transmit PHI through Zoom.
How to complete the BAA
- Designate your legal entity and authorized signer.
- Request the BAA through your Zoom admin portal or sales representative as required by your plan.
- Review permitted uses/disclosures, security responsibilities, breach timelines, and any feature-specific exclusions.
- Execute electronically and obtain a countersigned copy; record effective dates and covered services.
- Store the agreement centrally, link it to your vendor inventory, and capture it in your risk analysis documentation.
After signing, communicate any BAA-driven restrictions (for example, limitations on cloud recording or third-party apps) to your admins and users so your technical configuration and user behavior match contractual terms.
Configuring Security Settings
Configuration turns policy into protection. Align settings with your risk tolerance and the HIPAA Security Rule, and re-check them after platform updates, since new features often arrive enabled. End-to-End Encryption (E2EE) keeps the meeting keys on participants' devices so that Zoom itself cannot decrypt the session, but it disables features that depend on server-side access to the media, such as cloud recording and telephone dial-in; weigh that privacy gain against workflow needs before turning it on.
Account and authentication
- Require SSO/SAML for all users and enforce MFA at the identity provider; at minimum it must cover admins and clinical roles, and it should cover every account that can reach recordings or PHI.
- Enforce strong passwords, session timeouts, and automatic client updates.
- Use RBAC to restrict admin privileges; separate security, billing, and user-management roles.
Meeting and webinar safeguards
- Require meeting passcodes and enable Waiting Room by default; admit only intended participants.
- Limit screen sharing to the host; disable participant annotation and remote control unless needed.
- Restrict file transfer and chat to necessary use; avoid storing PHI in chat whenever possible.
- Enable “Only authenticated users can join” and consider domain restriction for workforce-only sessions; patients usually have no Zoom account, so for patient sessions rely on passcodes, the Waiting Room, and identity verification by the host instead.
- Disable personal meeting IDs for patient sessions; use unique, time-bound meeting IDs.
Recording and transcripts
- Disable cloud recording by default; if enabled, restrict who can view/download and require authentication.
- Apply retention limits, watermarking, and download controls; store recordings where enterprise access control policies apply.
- Treat transcripts and captions as PHI; manage them under the same safeguards as recordings.
Apps, integrations, and data routing
- Approve Marketplace apps centrally; block unvetted integrations that could exfiltrate PHI.
- Keep experimental and AI features (meeting summaries, automated transcription, smart recordings) disabled unless your BAA explicitly covers them, since they send meeting content to additional processing services outside your control.
- Where available, set data-routing preferences and disable unnecessary external connectivity.
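The account, meeting, and recording settings above only protect PHI while they stay set, so a practitioner checks them as code rather than by clicking through the admin portal. The script below is an added example, not Zoom's code and not part of the original page: it compares a settings export against the baseline described in this section and reports every deviation or missing key. The dictionary is a constructed sample whose shape is modelled on the JSON returned by Zoom's settings API (GET /users/{userId}/settings); the key names are assumptions to confirm against the current API reference, and fetching the JSON is left to the caller so the check runs offline.

```python
"""Settings-drift check for a Zoom account against a HIPAA hardening baseline.

Added example, not Zoom's own code. SAMPLE_SETTINGS is a constructed sample
whose shape is modelled on Zoom's settings API response; the key names are
assumptions and must be confirmed against the current API reference before
this is pointed at a live account.
"""
import json

# Baseline: (dotted path into the settings JSON, required value, why it matters).
BASELINE = [
    ("schedule_meeting.require_password_for_scheduling_new_meetings", True,
     "passcodes stop uninvited joins by meeting ID alone"),
    ("schedule_meeting.join_before_host", False,
     "participants must not meet unsupervised before the clinician arrives"),
    ("schedule_meeting.use_pmi_for_scheduled_meetings", False,
     "a reusable personal meeting ID lets past patients rejoin later sessions"),
    ("in_meeting.waiting_room", True, "host admits only the intended patient"),
    ("in_meeting.who_can_share_screen", "host",
     "participants cannot broadcast unrelated content"),
    ("in_meeting.annotation", False, "no drawing over shared PHI"),
    ("in_meeting.remote_control", False, "no remote control of clinical workstations"),
    ("in_meeting.file_transfer", False, "files with PHI stay in the record system"),
    ("recording.auto_recording", "none",
     "nothing is recorded unless a user deliberately starts it"),
    ("recording.recording_authentication", True,
     "recordings cannot be viewed without signing in"),
    ("recording.auto_delete_cmr", True,
     "cloud recordings expire under a retention limit"),
]

# Constructed sample: a partially hardened account (all values invented).
SAMPLE_SETTINGS = {
    "schedule_meeting": {
        "require_password_for_scheduling_new_meetings": True,
        "join_before_host": True,
        "use_pmi_for_scheduled_meetings": False,
    },
    "in_meeting": {
        "waiting_room": True,
        "who_can_share_screen": "all",
        "annotation": False,
        "remote_control": False,
        "file_transfer": True,
        "chat": True,
    },
    "recording": {
        "cloud_recording": True,
        "auto_recording": "cloud",
        "recording_authentication": True,
    },
}


def lookup(settings, dotted_path):
    """Walk a dotted path; return (found, value). A missing key is reported as
    a finding rather than a pass, so a renamed or absent setting cannot
    silently count as compliant."""
    node = settings
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node


def check_settings(settings, baseline=BASELINE):
    """Return one finding per baseline item with status ok/deviation/missing."""
    findings = []
    for path, required, rationale in baseline:
        found, actual = lookup(settings, path)
        if not found:
            status = "missing"
        elif actual == required:
            status = "ok"
        else:
            status = "deviation"
        findings.append({"setting": path, "status": status, "required": required,
                         "actual": actual, "rationale": rationale})
    return findings


def summarize(findings):
    """Counts per status; anything not 'ok' needs a ticket or a documented exception."""
    counts = {"ok": 0, "deviation": 0, "missing": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


if __name__ == "__main__":
    results = check_settings(SAMPLE_SETTINGS)
    for f in results:
        if f["status"] != "ok":
            print(f"{f['status'].upper():9} {f['setting']}: required={f['required']!r} "
                  f"actual={f['actual']!r} ({f['rationale']})")
    print(json.dumps(summarize(results)))
```

Run it on a nightly schedule against a fresh export and keep the output with your risk analysis evidence; a deviation after a platform update is exactly the drift the section warns about.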
Performing Risk Analysis
A risk analysis identifies threats to the confidentiality, integrity, and availability of PHI across your Zoom use cases. It produces actionable risk analysis documentation and a risk management plan—cornerstones of HIPAA compliance.
Method and artifacts
- Scope: inventory users, devices, meetings, recordings, transcripts, and connected systems.
- Data flow mapping: chart where PHI is created, transmitted, stored, and deleted.
- Threats and vulnerabilities: unauthorized access, misconfiguration, lost devices, phishing, and overbroad sharing.
- Risk evaluation: rate likelihood and impact; record existing controls and gaps.
- Treatment plan: assign owners, deadlines, and metrics; track residual risk and acceptance.
- Evidence: retain screenshots, policies, and change logs to prove controls are implemented and maintained.
Repeat the analysis periodically and whenever you change plans, enable new features, integrate third-party apps, or experience security incidents.
Implementing Access Controls
Strong access control policies ensure only the right people access ePHI. Start with least privilege and unique user IDs, then layer in identity automation and device safeguards.
- Provisioning: use SCIM to automate joiner/mover/leaver changes; promptly disable departed users.
- MFA: require for admins and any role with access to recordings or account settings.
- RBAC: separate hosts, schedulers, help desk, and security admins; audit roles quarterly.
- Session and device controls: enforce timeouts, restrict unmanaged devices, and require client updates.
- Sharing controls: prohibit public links to recordings; prefer authenticated, time-limited access.
If you use Zoom Phone or Chat with PHI, align retention and export rules with your records policy and ensure those features are covered by the BAA and your risk posture.
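The provisioning, RBAC, and session items above come down to one recurring question: does the set of active Zoom accounts and admins still match what HR and your change records say it should be? The following is an added example, not Zoom's code and not part of the original page. It reconciles a constructed user list (shaped like the users array from Zoom's user list API, GET /users) against a constructed HR roster and an approved-admin list, flags leavers still active, admins nobody approved, and dormant accounts, and builds the standard SCIM 2.0 PatchOp body that deactivates a user. The field names and the role_id convention (0 owner, 1 admin, 2 member) are assumptions to confirm against the current API reference.

```python
"""Joiner/mover/leaver reconciliation for a Zoom tenant, plus the SCIM
deprovisioning request a leaver produces.

Added example, not Zoom's code. ZOOM_USERS is a constructed sample shaped like
the `users` array from Zoom's user list API; HR_ROSTER and APPROVED_ADMINS are
constructed inputs standing in for an HR export and a change record. Field
names and the role_id convention are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 4, tzinfo=timezone.utc)  # fixed "today" so the run is repeatable
STALE_AFTER = timedelta(days=90)                  # dormant-account threshold from your policy
ADMIN_ROLE_IDS = {"0", "1"}                       # assumption: 0 = owner, 1 = admin

ZOOM_USERS = [  # constructed
    {"id": "u1", "email": "dr.lee@clinic.example", "status": "active",
     "role_id": "2", "last_login_time": "2024-03-01T09:12:00Z"},
    {"id": "u2", "email": "former.nurse@clinic.example", "status": "active",
     "role_id": "2", "last_login_time": "2024-02-20T16:40:00Z"},
    {"id": "u3", "email": "it.admin@clinic.example", "status": "active",
     "role_id": "1", "last_login_time": "2024-03-03T08:00:00Z"},
    {"id": "u4", "email": "billing@clinic.example", "status": "active",
     "role_id": "1", "last_login_time": "2024-03-02T11:30:00Z"},
    {"id": "u5", "email": "locum@clinic.example", "status": "active",
     "role_id": "2", "last_login_time": "2023-10-15T14:05:00Z"},
    {"id": "u6", "email": "intern@clinic.example", "status": "inactive",
     "role_id": "2", "last_login_time": "2024-01-10T10:00:00Z"},
]
HR_ROSTER = {  # constructed: email -> employment status from HR
    "dr.lee@clinic.example": "employed",
    "former.nurse@clinic.example": "terminated",
    "it.admin@clinic.example": "employed",
    "billing@clinic.example": "employed",
    "intern@clinic.example": "terminated",
    # locum@ is absent: an account created directly in Zoom, unknown to HR
}
APPROVED_ADMINS = {"it.admin@clinic.example"}  # constructed change record


def parse_ts(value):
    """Zoom timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_leavers(zoom_users, roster):
    """Active accounts whose owner is terminated in HR or unknown to HR."""
    return sorted(u["email"] for u in zoom_users
                  if u["status"] == "active" and roster.get(u["email"]) != "employed")


def find_unapproved_admins(zoom_users, approved):
    """Active owner/admin roles that no change record approved."""
    return sorted(u["email"] for u in zoom_users
                  if u["status"] == "active" and u["role_id"] in ADMIN_ROLE_IDS
                  and u["email"] not in approved)


def find_stale(zoom_users, now=NOW, max_age=STALE_AFTER):
    """Active accounts with no sign-in inside the dormancy window."""
    return sorted(u["email"] for u in zoom_users
                  if u["status"] == "active"
                  and now - parse_ts(u["last_login_time"]) > max_age)


def scim_deactivate_patch():
    """SCIM 2.0 PatchOp (RFC 7644) setting active=false. Send it with PATCH
    to the user's SCIM resource URL when the IdP has not already done so."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def review(zoom_users, roster, approved, now=NOW):
    """The quarterly access review in one call."""
    return {"leavers_still_active": find_leavers(zoom_users, roster),
            "unapproved_admins": find_unapproved_admins(zoom_users, approved),
            "stale_accounts": find_stale(zoom_users, now)}


if __name__ == "__main__":
    report = review(ZOOM_USERS, HR_ROSTER, APPROVED_ADMINS)
    for category, emails in report.items():
        print(f"{category}: {emails}")
    print("deactivation body:", scim_deactivate_patch())
```

An account that HR does not know about is treated the same as a terminated one: least privilege means an identity with no owner has no business holding a Zoom seat, let alone access to recordings.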
Enabling Audit Logging
Audit trails are essential for detecting misuse and supporting investigations. Configure logging broadly, retain logs long enough for your regulatory and operational needs, and review them routinely.
- Capture admin actions, role changes, SSO sign-ins, and security setting modifications.
- Log meeting creation, join/leave events, and Waiting Room admissions for sensitive sessions.
- Track recording creation, access, sharing, and downloads; alert on public exposure attempts.
- Export logs to a SIEM; build alerts for anomalous access, sign-ins from unexpected countries, recordings made public, and mass recording downloads.
Define ownership for daily alert triage and periodic trend reviews. Keep a documented escalation path and preserve chain-of-custody for any security incident evidence.
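The alerts listed above are simple enough to express as a few rules over the exported events. The script below is an added example, not Zoom's code and not part of the original page: it runs three detections over a constructed batch of JSON-lines events (a sign-in from outside the allowed countries, five or more recording downloads by one user within ten minutes, and a recording's sharing set to public). The event fields (type, user, country, recording_id, share_setting) are assumptions standing in for Zoom's sign-in, operation, and recording reports; map them to the real export columns before running this on live data.

```python
"""Detection rules over Zoom audit events exported to a SIEM.

Added example, not Zoom's code. SAMPLE_EVENTS is constructed; its field names
are assumptions standing in for the real sign-in, operation and recording
report fields.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}               # where the workforce is expected to sign in from
DOWNLOAD_THRESHOLD = 5                   # downloads per user that count as "mass"
DOWNLOAD_WINDOW = timedelta(minutes=10)  # sliding window for that count

SAMPLE_EVENTS = """\
{"ts":"2024-03-04T13:00:05Z","type":"signin","user":"dr.lee@clinic.example","country":"US"}
{"ts":"2024-03-04T13:02:41Z","type":"signin","user":"admin@clinic.example","country":"BR"}
{"ts":"2024-03-04T13:05:00Z","type":"recording_download","user":"dr.lee@clinic.example","recording_id":"rec-1001"}
{"ts":"2024-03-04T13:10:00Z","type":"recording_download","user":"helpdesk@clinic.example","recording_id":"rec-2001"}
{"ts":"2024-03-04T13:10:30Z","type":"recording_download","user":"helpdesk@clinic.example","recording_id":"rec-2002"}
{"ts":"2024-03-04T13:11:00Z","type":"recording_download","user":"helpdesk@clinic.example","recording_id":"rec-2003"}
{"ts":"2024-03-04T13:11:20Z","type":"recording_download","user":"helpdesk@clinic.example","recording_id":"rec-2004"}
{"ts":"2024-03-04T13:12:05Z","type":"recording_download","user":"helpdesk@clinic.example","recording_id":"rec-2005"}
{"ts":"2024-03-04T13:12:40Z","type":"recording_download","user":"helpdesk@clinic.example","recording_id":"rec-2006"}
{"ts":"2024-03-04T13:15:00Z","type":"recording_share_changed","user":"helpdesk@clinic.example","recording_id":"rec-2006","share_setting":"public"}
{"ts":"2024-03-04T15:40:00Z","type":"recording_download","user":"dr.lee@clinic.example","recording_id":"rec-1002"}
"""


def parse_events(text):
    """JSON lines -> list of dicts with a datetime 'ts', sorted by time so the
    sliding window below sees events in order even if the export was not."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Run the three rules over time-ordered events; return alert dicts."""
    alerts = []
    recent_downloads = defaultdict(deque)  # user -> download timestamps inside the window
    mass_alerted = set()                   # one mass-download alert per user per run
    for ev in events:
        kind = ev["type"]
        if kind == "signin" and ev.get("country") not in ALLOWED_COUNTRIES:
            alerts.append({"rule": "signin_outside_allowed_countries", "user": ev["user"],
                           "ts": ev["ts"].isoformat(), "detail": ev.get("country")})
        elif kind == "recording_download":
            window = recent_downloads[ev["user"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > DOWNLOAD_WINDOW:  # drop downloads that aged out
                window.popleft()
            if len(window) >= DOWNLOAD_THRESHOLD and ev["user"] not in mass_alerted:
                mass_alerted.add(ev["user"])
                alerts.append({"rule": "mass_recording_download", "user": ev["user"],
                               "ts": ev["ts"].isoformat(), "count": len(window)})
        elif kind == "recording_share_changed" and ev.get("share_setting") == "public":
            alerts.append({"rule": "recording_made_public", "user": ev["user"],
                           "ts": ev["ts"].isoformat(), "detail": ev.get("recording_id")})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

The public-share rule is the one to page on: the other two may have a benign explanation (travel, a bulk export for legal hold), but a recording that became reachable without authentication is a disclosure until proven otherwise and starts the breach-assessment clock.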
Training Staff on Compliance
Technology cannot compensate for uninformed behavior. Train your workforce so users know how to recognize PHI, configure meetings safely, and respond to issues quickly.
- PHI awareness: what counts as PHI, where it can appear (video, audio, chat, shared screens), and how to minimize exposure.
- Secure sessions: verifying participant identity, using Waiting Rooms, and locking meetings.
- Screen sharing hygiene: share specific windows, close unrelated apps, and clear on-screen notifications.
- Recording discipline: when recording is allowed, consent requirements, and secure storage practices.
- Account safety: SSO use, MFA prompts, phishing recognition, and reporting lost/stolen devices.
- Incident response: how to report misdirected invites, unauthorized attendees, or mistaken disclosures.
Conclusion
Zoom can support HIPAA obligations when you pair an eligible plan and BAA with rigorous configuration, documented risk analysis, disciplined access controls, continuous audit logging, and focused training. Treat these steps as an ongoing program, not a one-time setup, to keep PHI protected and operations reliable.
FAQs
What Zoom plans are HIPAA compliant?
Plans that support a Business Associate Agreement and enterprise controls can be configured for HIPAA use—commonly healthcare-focused or business/enterprise tiers. Free plans are not appropriate for PHI, and you must still configure security settings and operations to align with the HIPAA Security Rule.
How do I sign a BAA with Zoom?
Select an eligible plan, request the BAA through your admin portal or sales, confirm your covered entity details, and execute the agreement electronically. Store the countersigned copy and link it to your vendor inventory and risk analysis documentation before using Zoom with PHI.
What security settings are required for HIPAA compliance?
HIPAA is risk-based, not feature-prescriptive. A practical baseline includes SSO and MFA, meeting passcodes with Waiting Rooms, host-only screen sharing, restricted chat and file transfer, authenticated access only, tight recording/transcript controls, robust logging, and optional End-to-End Encryption where it fits your workflow.
How often should risk analysis be conducted?
Conduct risk analysis on a periodic basis—commonly annually—and whenever material changes occur, such as enabling new features, integrating apps, changing plans, or after a security incident. Update findings, treatment plans, and evidence to keep documentation current and defensible.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.