Is Zoom HIPAA Compliant? A Complete Guide for Healthcare Organizations For 2026
Many healthcare providers ask the same question: Is Zoom HIPAA compliant? The short answer is, yes, but only under specific conditions. You need a paid plan, a signed Business Associate Agreement (BAA), the right security settings, and a team that uses the platform correctly. If any one of those pieces is missing, sharing patient information over Zoom puts your organization at risk.
The U.S. Department of Health and Human Services states clearly that covered healthcare providers must use technology vendors that comply with HIPAA Rules and will enter into a BAA for their video communication products used in telehealth. That requirement applies to Zoom as well.
At ComplyAssistant, we have spent over 25 years helping healthcare organizations navigate exactly these challenges. This guide covers which Zoom plans qualify, how to sign a BAA, which settings must be locked, the violations we most often see, and what OCR expects to find during an investigation.
What Is HIPAA and Why Does It Apply to Video Conferencing?
Most healthcare providers are familiar with HIPAA. But when it comes to video conferencing tools like Zoom, there is often confusion about whether and how the rules apply. The short answer is: if patient information is involved, HIPAA applies, regardless of the tool you are using.
What Counts as Protected Health Information (PHI)?
PHI includes any information that identifies a person and relates to their health, treatment, or payment. This covers obvious items such as names, dates of service, diagnoses, and medical record numbers. It also covers less obvious items like voice recordings, video that includes a patient’s face, or a patient’s full birth date when tied to a medical issue. If you discuss a patient’s condition or treatment over a video call, that spoken information is PHI and must be protected just like a written record.
Who Must Comply with HIPAA?
HIPAA applies to two main groups. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates are vendors that create, receive, maintain, or transmit PHI on behalf of a covered entity. When used for clinical purposes, Zoom acts as a business associate because it processes PHI on behalf of providers. That makes the BAA and other compliance controls essential.
Why Telehealth Platforms Fall Under HIPAA Rules
As virtual care became routine, video platforms moved directly into clinical workflows. If a platform is used for patient consultations, care coordination, or sharing clinical screens, it now handles PHI. Under the Security Rule, any system that transmits or stores ePHI must implement administrative safeguards (policies, training), physical safeguards (device protections), and technical safeguards (encryption, access controls). Telehealth platforms are no exception.
What Is Zoom and How Is It Used in Healthcare?
Zoom is one of the most widely recognized video conferencing platforms in the world. For healthcare, it offers a version specifically designed to meet clinical needs, but not all versions of Zoom are the same.
What Is Zoom for Healthcare?
Zoom for Healthcare is the purpose-built, HIPAA-eligible version of the platform. It was originally launched in 2017 under the name Zoom for Telehealth and is now called Zoom Workplace for Healthcare. It includes features that go well beyond the standard version, such as EHR integration with Epic, telehealth workflow support, detailed access controls, and full audit logging.
The healthcare version is built with compliance in mind from the start. It supports the kind of documentation, access management, and security oversight that healthcare organizations need when PHI is involved in a session.
Standard Zoom vs. Zoom for Healthcare
Not all Zoom plans are created equal. Here is a clear comparison:
| Feature | Standard Zoom | Zoom for Healthcare |
| --- | --- | --- |
| BAA available | No | Yes |
| HIPAA eligible | No | Yes |
| Encryption level | Standard | AES-256 with healthcare-grade configuration |
| Waiting rooms | Optional | Default and locked |
| Audit logs | Basic | Full compliance logs |
| EHR integration | No | Yes (Epic and others) |
| AI features under BAA | Not applicable | Available with restrictions |
| Free plan available | Yes | No – paid plans only |
The differences are significant. Using the wrong plan is not just a minor oversight; it is a compliance failure from the very first patient call.
Who Uses Zoom in the Healthcare Industry?
Zoom for Healthcare is used across a wide range of clinical settings. Physicians use it for follow-up appointments and chronic disease management. Therapists and psychiatrists rely on it for ongoing mental health sessions. Care teams use it for coordination across departments or facilities. Health plans and clearinghouses use it for administrative communication involving member data.
The most common use cases include one-on-one patient consultations, provider-to-provider collaboration on complex cases, care coordination between specialists and primary care teams, and virtual events for health education or group programs.
Is Zoom HIPAA Compliant? The Direct Answer
The short answer is: it depends on how you use it.
Zoom is HIPAA compliant when:
- You are on a qualifying paid plan (Pro, Business, Business Plus, or Enterprise)
- You have signed a BAA with Zoom before using it for patient care
- You have configured the platform’s security settings correctly
- Your staff uses Zoom in line with HIPAA’s Privacy Rule requirements
Zoom is not HIPAA compliant when:
- You are using a free or Basic Zoom account; no BAA is available on these plans
- You are on a paid plan, but have not signed the BAA
- You have signed the BAA, but have not configured the required security settings
One more thing worth noting: Zoom is not officially “HIPAA certified.” No government body certifies video platforms as HIPAA compliant. Compliance is always a combination of what the vendor provides and how your organization uses it. Zoom gives you the tools, but you are responsible for using them correctly.
The Business Associate Agreement: The Legal Core of Zoom HIPAA Compliance
The BAA is not a formality. It is the legal foundation that makes HIPAA-compliant use of Zoom possible.
What is a BAA, and Why You Cannot Skip It
A BAA is a legally binding contract required by the HIPAA Privacy Rule before your organization can share any patient information with a vendor, including Zoom. A signed BAA must be in place. No exceptions.
Without it, any PHI transmitted through Zoom is a violation. It does not matter how strong the encryption is or how well your staff is trained. No BAA means you are out of compliance before the session even begins.
The BAA holds Zoom accountable. It requires Zoom to protect PHI with appropriate safeguards, report any breach involving your data, and ensure its subcontractors meet HIPAA standards, too.
It is worth knowing what the BAA covers: Zoom Meetings, Video Webinars, Zoom Phone, Zoom Rooms, Zoom Team Chat, and the Zoom client. Two limitations to keep in mind: Zoom offers a standard BAA only, meaning you cannot modify or replace it with your own version. Also, certain AI Companion features are restricted once a BAA is active, which we cover later in this guide.
Which Zoom Plans Qualify for a BAA?
The following plans are eligible for a BAA: Pro, Business, Business Plus, and Enterprise. Custom pre-paid packages in one-, two-, and three-year increments are also available through Zoom Sales for organizations that need longer-term arrangements.
Free and Basic Zoom accounts cannot enter into a BAA under any circumstances. If anyone in your organization is using a free Zoom account for patient calls, that is a violation – full stop.
How to Sign a BAA with Zoom
The sign-up process depends on your plan and account status. New customers on Business, Business Plus, or Enterprise plans should contact Zoom Sales directly. Customers on a Pro plan can typically complete the BAA through their billing portal online. Because Zoom updates this process periodically, always refer to Zoom’s current support documentation at support.zoom.com for the most accurate steps before proceeding.
Zoom’s Security Features That Support HIPAA Compliance
Zoom for Healthcare includes a strong set of technical safeguards. Understanding what each one does and why it matters for HIPAA helps you use them with purpose.
End-to-End AES-256 Encryption
All audio, video, chat, and screen sharing data is encrypted in transit using AES-256 GCM encryption, with TLS 1.2 used for signaling. This is among the strongest encryption available for commercial platforms. When the option is enabled, recordings and chat files can also be encrypted at rest.
This directly addresses HIPAA’s transmission security requirement under §164.312(e), which requires covered entities to protect ePHI whenever it is sent over an electronic network. AES-256 encryption meets and exceeds that standard.
Waiting Rooms, Passcodes, and Meeting Lock
Waiting rooms are one of the most important controls available in Zoom for Healthcare. They prevent any participant from entering a session until the host admits them individually. This means a patient cannot accidentally join the wrong call, and an uninvited person cannot slip into a clinical session unnoticed.
Passcodes add another layer of access control. Even if someone gets hold of a meeting link, they still need the passcode to enter. Meeting lock goes one step further. Once all expected participants have joined, the host can lock the meeting so no one else can enter at all.
These features directly support HIPAA’s access control requirements under §164.312(a), which require covered entities to allow access to ePHI only to authorized individuals.
Role-Based Access and User Authentication
Not everyone on your Zoom account should have the same permissions. Role-based controls in Zoom for Healthcare allow you to ensure that only licensed hosts can start or record meetings. All accounts require verified email addresses and passwords. Automatic meeting timeouts add one more layer of protection by ending idle sessions before they become a security risk.
Audit Logs and Activity Reporting
Zoom logs all connections, meeting activities, and user actions within your account. These logs give your Security Officer the visibility they need to review what happened in any given session: who joined, when, what was shared, and whether any recordings were made or downloaded.
This supports HIPAA’s audit control requirements under §164.312(b), which require organizations to implement hardware, software, and procedural mechanisms to record and examine activity in systems that contain ePHI.
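As an added illustration of what a Security Officer's periodic log review can look like, the following Python script runs two checks over a constructed activity log: recording downloads by anyone who is not a host (download permissions are supposed to be hosts only) and repeated failed logins within a short window. This is example code written for this guide, not Zoom's or ComplyAssistant's; the CSV layout, event names and sample entries are invented for the illustration and must be mapped to the columns of your own account's activity and operation reports.

```python
"""Anomaly review over a constructed Zoom-style activity log.

Added example for this guide. The log format, event names and users below are
constructed for illustration; they are not Zoom's report schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp,event,user,role,detail
SAMPLE_LOG = """\
2025-03-04T09:00:12Z,login_failed,dr.lee@example-clinic.test,host,bad_password
2025-03-04T09:00:40Z,login_failed,dr.lee@example-clinic.test,host,bad_password
2025-03-04T09:01:05Z,login_failed,dr.lee@example-clinic.test,host,bad_password
2025-03-04T09:01:30Z,login_failed,dr.lee@example-clinic.test,host,bad_password
2025-03-04T09:02:00Z,login_failed,dr.lee@example-clinic.test,host,bad_password
2025-03-04T09:15:00Z,meeting_start,dr.lee@example-clinic.test,host,meeting=ABC123
2025-03-04T09:16:10Z,participant_join,patient-guest,guest,meeting=ABC123
2025-03-04T09:40:00Z,recording_created,dr.lee@example-clinic.test,host,meeting=ABC123
2025-03-04T10:05:00Z,recording_downloaded,frontdesk@example-clinic.test,member,meeting=ABC123
2025-03-04T10:06:00Z,recording_downloaded,dr.lee@example-clinic.test,host,meeting=ABC123
2025-03-04T11:00:00Z,login_failed,nurse@example-clinic.test,member,bad_password
"""

# Review thresholds (assumptions chosen for this example; tune to your policy)
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the constructed CSV text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, role, detail = line.split(",", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "user": user,
            "role": role,
            "detail": detail,
        })
    return events


def find_unauthorized_downloads(events):
    """Recording downloads should only ever come from hosts."""
    return [e for e in events
            if e["event"] == "recording_downloaded" and e["role"] != "host"]


def find_repeated_failed_logins(events, threshold=FAILED_LOGIN_THRESHOLD,
                                window=FAILED_LOGIN_WINDOW):
    """Users with `threshold` or more failed logins inside any `window`.

    Uses a sliding window over each user's sorted failure timestamps.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login_failed":
            by_user[e["user"]].append(e["ts"])

    flagged = []
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged


def recording_activity(events):
    """Per meeting: how many recordings were created and downloaded.

    Gives the reviewer the "were any recordings made or downloaded" view.
    """
    summary = defaultdict(lambda: {"created": 0, "downloaded": 0})
    for e in events:
        if e["event"] == "recording_created":
            summary[e["detail"]]["created"] += 1
        elif e["event"] == "recording_downloaded":
            summary[e["detail"]]["downloaded"] += 1
    return dict(summary)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in find_unauthorized_downloads(evts):
        print(f"non-host download: {e['user']} ({e['role']}) {e['detail']} at {e['ts']}")
    for user in find_repeated_failed_logins(evts):
        print(f"repeated failed logins: {user}")
    print(recording_activity(evts))
```

The download check is deliberately strict: a single download by a non-host is a finding, because the guide's configuration limits download permission to hosts, so any such entry means either the setting drifted or a host account was misused. The failed-login check keys on a per-user sliding window rather than a daily total so that five failures spread across a month do not trigger it, while five in two minutes do.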
Recording Encryption and Storage Controls
Cloud recordings can be encrypted, and access can be restricted to specific user groups. Download permissions can be limited to hosts only, and recordings can be password-protected. Local recording options are also available, though these require careful management to ensure recordings end up in HIPAA-compliant storage locations.
The key principle: wherever a recording is stored, that location must be covered by a BAA and meet HIPAA’s security requirements. A recording saved to a personal laptop or a non-compliant cloud folder is a PHI exposure – even if the call itself was fully secured.
AI Features Under a BAA – What Is and Is Not Available
In 2023, Zoom introduced AI Companion features across all subscription tiers. These tools include meeting summaries, transcription assistance, and chat drafting support. When a BAA is active, certain AI Companion features are automatically restricted or turned off.
The important reassurance here is that Zoom does not use your organization’s audio, video, chat, screen sharing, or other session content to train its AI models. Account administrators can manage which AI features are active within their account settings. Before enabling any AI feature, check Zoom’s current BAA documentation to confirm whether it is permitted under your agreement.
How to Configure Zoom for HIPAA Compliance
Signing the BAA is the starting point – not the finish line. Your account must also be configured correctly. Here is what that looks like in practice.
Account-Level Security Settings to Lock
These settings should be enabled and locked at the account administrator level so that no individual user can change them:
- Waiting Room: Enabled and locked on for all meetings
- Passcode requirement: Required for all meetings and webinars
- Join before host: Disabled; patients should not be able to enter a session before the provider is present
- Guest participant identification: Enabled; hosts can see who is external to their account
- Sound notification: Enabled when participants join or leave, so hosts are always aware of who is in the session
Meeting-Level Controls That Protect PHI
These settings protect patient information during live sessions:
- Screen sharing: Set to Host Only; participants cannot share their screens
- Remote control: Disabled; no one can take control of another participant’s screen
- Remote support: Disabled
- Far-end camera control: Disabled
- File transfer via chat: Disabled; no documents or files should be shared through the meeting chat
- Participant annotations: Disabled
- Private chat between participants: Disabled
Recording and Storage Configuration
Under the BAA configuration, cloud recording must be disabled by default. If your organization determines that recordings are necessary for clinical documentation purposes, the following must be in place before any recording is made:
- End-to-end encryption is enabled for all recordings
- Download permissions are restricted to hosts only
- Access passwords set on all recorded sessions
- A defined, HIPAA-compliant storage location for all recordings
Local recordings must also be stored in encrypted, HIPAA-compliant locations. A recording saved to a personal desktop folder, an unencrypted USB drive, or a consumer cloud storage account is not compliant. Automatic transcripts and automatic recording upload features are unavailable under the HIPAA configuration.
Chat and Messaging Settings
Auto-saving chats must be disabled. When this feature is on, chat content can be automatically stored in locations that may not be HIPAA-compliant. Encrypted chat should be enabled for all messages sent within Zoom sessions.
One practical note for your team: when end-to-end encrypted chat is turned on, some features become unavailable, including GIPHY, the ability to edit sent messages, and chat history search. Make sure your staff know this before the setting is enabled so it does not cause confusion during clinical sessions.
Third-Party Endpoint Encryption
If your organization uses H.323 or SIP-based conference room systems, the setting “Require encryption for third-party endpoints” must be enabled. This ensures all data between the Zoom cloud and any connected endpoint is encrypted. Be aware that this setting may prevent some older SIP devices from connecting. Communicate this to your team and any partners who join sessions from room-based systems.
Disabling Live Streaming
All live streaming must be disabled. This includes Facebook Workplace and any custom streaming service integrations. When a session is streamed to an external platform, PHI leaves the BAA-covered environment and enters a service that almost certainly does not have a BAA with your organization. That is an immediate compliance exposure that must be closed.
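The account-level, meeting-level, recording, chat, endpoint and streaming settings listed above form one baseline, and the recurring failure mode the guide describes is a setting that is switched on correctly but not locked, so an individual user can undo it. The following Python script is an added example (not Zoom's or ComplyAssistant's code) that compares a settings export against that baseline and reports three kinds of drift: a missing control, a wrong value, and an unlocked control. The setting keys are descriptive names chosen for this example, not Zoom API field names; the sample export is constructed to show three typical slips.

```python
"""Baseline check for the Zoom settings this guide says to enable and lock.

Added example. Setting names are descriptive keys chosen for illustration and
must be mapped to whatever your administrator export actually calls them.
"""
from __future__ import annotations
from dataclasses import dataclass

# Expected value for each control and whether it must be locked at the
# account-administrator level so no individual user can change it.
BASELINE = {
    # Account-level settings
    "waiting_room":                     {"value": True,  "locked": True},
    "passcode_required":                {"value": True,  "locked": True},
    "join_before_host":                 {"value": False, "locked": True},
    "guest_participant_identification": {"value": True,  "locked": True},
    "join_leave_sound_notification":    {"value": True,  "locked": True},
    # Meeting-level controls
    "screen_sharing":                   {"value": "host_only", "locked": True},
    "remote_control":                   {"value": False, "locked": True},
    "remote_support":                   {"value": False, "locked": True},
    "far_end_camera_control":           {"value": False, "locked": True},
    "chat_file_transfer":               {"value": False, "locked": True},
    "participant_annotations":          {"value": False, "locked": True},
    "private_chat":                     {"value": False, "locked": True},
    # Recording, chat, endpoints and streaming
    "cloud_recording":                  {"value": False, "locked": True},
    "auto_save_chat":                   {"value": False, "locked": True},
    "encrypted_chat":                   {"value": True,  "locked": True},
    "require_encryption_third_party_endpoints": {"value": True, "locked": True},
    "live_streaming":                   {"value": False, "locked": True},
}


@dataclass(frozen=True)
class Finding:
    setting: str
    problem: str      # "missing", "wrong_value" or "not_locked"
    expected: object
    actual: object


def check_settings(export: dict) -> list[Finding]:
    """Compare a settings export against BASELINE.

    Each entry of `export` is {"value": ..., "locked": bool}. A control that
    has the right value but is not locked is still reported, because that is
    exactly the drift that happens at the individual-user level.
    """
    findings: list[Finding] = []
    for name, want in BASELINE.items():
        got = export.get(name)
        if got is None:
            findings.append(Finding(name, "missing", want["value"], None))
            continue
        if got.get("value") != want["value"]:
            findings.append(Finding(name, "wrong_value", want["value"], got.get("value")))
        if want["locked"] and not got.get("locked", False):
            findings.append(Finding(name, "not_locked", True, got.get("locked", False)))
    return findings


def is_compliant(export: dict) -> bool:
    """True only when every baseline control has the right value and is locked."""
    return not check_settings(export)


# Constructed sample export: starts from the baseline, then three common slips.
SAMPLE_EXPORT = {name: dict(spec) for name, spec in BASELINE.items()}
SAMPLE_EXPORT["waiting_room"] = {"value": True, "locked": False}    # on, but users can turn it off
SAMPLE_EXPORT["cloud_recording"] = {"value": True, "locked": True}  # recording enabled by default
SAMPLE_EXPORT["live_streaming"] = {"value": True, "locked": False}  # streaming left enabled


if __name__ == "__main__":
    for f in check_settings(SAMPLE_EXPORT):
        print(f"{f.setting}: {f.problem} (expected {f.expected!r}, found {f.actual!r})")
```

Run against an export that matches the baseline, `check_settings` returns an empty list; against the constructed sample it reports the unlocked waiting room, the enabled cloud recording, and live streaming both enabled and unlocked. Keeping the baseline as data rather than code makes it easy to record in the Security Officer's configuration documentation and to re-run after every Zoom client or admin-console update.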
Common Ways Organizations Violate HIPAA While Using Zoom
Most Zoom-related HIPAA violations are not the result of deliberate wrongdoing. They happen because of gaps in knowledge, inconsistent practices, or reasonable assumptions that turn out to be wrong. Here are the ones we see most often.
Using the Wrong Zoom Plan
Free and standard Zoom accounts do not support a BAA. That means any patient information shared on these plans, even a single call discussing someone’s diagnosis, is a HIPAA violation. This happens more than most compliance teams realize. In smaller practices, especially, a staff member might download Zoom on their own and use their personal account for patient calls, not realizing the difference between their personal account and the organization’s healthcare plan.
The fix: Make clear in policy that only the organization’s HIPAA-eligible Zoom account may be used for any patient communication. Verify that a BAA is executed before any clinical use begins.
Sharing PHI Before Confirming Patient Identity
Imagine a provider starts a Zoom session and immediately begins discussing a patient’s treatment plan before checking whether the right person is on the other end. If the patient gave the meeting link to a family member, or if there was a technical error and the wrong person joined, PHI has now been disclosed to an unauthorized individual.
This violates both the minimum necessary standard and the Privacy Rule’s requirements around authorized disclosures. It is an easy mistake to make when providers are busy and schedules are tight, but it is still a violation.
The fix: Create and document a simple identity verification step that every provider follows at the start of every session, before any clinical discussion begins. Ask the patient to confirm their name, date of birth, or another identifying detail.
Letting Staff Use Inconsistent Meeting Settings
Without organization-wide locked settings, individual users can make their own choices. A well-meaning provider might disable the waiting room because they find it inconvenient. A staff member might turn on cloud recording to keep notes. Someone else might allow file sharing in the chat. None of these people thinks they are creating a compliance problem, but they are.
This is one of the hardest violations to catch because it happens at the individual user level, not the account level. You will not see it unless you actively review audit logs or conduct a compliance check.
The fix: Lock all critical settings at the account administrator level. When settings are locked, individual users cannot change them, regardless of their preferences.
Saving Recordings or Transcripts in the Wrong Location
A common version of this mistake: a provider records a patient session, and at the end of the call, the recording automatically saves to their personal Google Drive. Or an auto-generated transcript gets stored in a shared team folder on a service that has no BAA with the healthcare organization.
The recording itself may have been encrypted and compliant while it was inside Zoom. But the moment it lands in a non-compliant storage location, it becomes a PHI exposure.
The fix: Define your compliant recording storage location in writing before any recordings are made. Restrict recording permissions so that only authorized hosts can record sessions. Train staff on where recordings go and why.
Allowing Patient Data in Chat or Screen Sharing Without Controls
Two of the most overlooked PHI exposure points in live Zoom sessions are the chat window and screen sharing. A staff member might type a patient’s name and appointment details into the group chat for quick reference. A provider might share their EHR screen to discuss test results, not realizing that other documents with other patients’ names are visible in the background.
The fix: Restrict screen sharing to hosts only. Disable participant chat or limit it to host-to-participant messages only. Train your staff to never enter PHI into the Zoom chat window and to review their screen carefully before sharing it.
Signing the BAA Is Not Enough – What Else HIPAA Requires
Signing the BAA and enabling Zoom for Healthcare is not the end of your compliance work. It is the beginning. Many organizations make the mistake of treating the BAA as a completion step rather than a starting point.
What OCR Actually Looks for in a HIPAA Audit
When OCR (Office for Civil Rights) investigates a complaint or a breach, they assume you have a BAA with your vendors. That is table stakes. What they actually look at is your broader compliance program, and this is where most organizations fall short.
OCR will want to see a current and documented risk analysis that covers every system touching PHI, including Zoom. They will look for evidence of ongoing risk management, not just a one-time assessment, but a process that is reviewed and updated regularly. They will ask for workforce training records that show who was trained, on what, and when. They will look for written policies specifically covering telehealth use, the minimum necessary standard, and breach response.
Remember: in 2025, 76% of OCR enforcement actions cited a risk analysis failure as the core issue, not a missing BAA, not an encryption problem, but a failure to assess and document risk. That is a gap that falls entirely on the covered entity.
The Three Layers of Zoom HIPAA Compliance
It helps to think of Zoom compliance in three distinct layers.
- Layer 1 – Zoom’s obligations under the BAA: Zoom is responsible for safeguarding PHI within its platform, reporting any breach involving your data, maintaining its technical controls, and ensuring its subcontractors also meet HIPAA standards. This is Zoom’s job.
- Layer 2 – Your IT and Security team: Your team is responsible for configuring the platform correctly, managing access controls, reviewing audit logs on a regular basis, and overseeing any integrations between Zoom and your other clinical systems.
- Layer 3 – Your workforce: Every person who uses Zoom for patient care carries compliance responsibility. That means verifying patient identity before every session, following your policies about chat and screen sharing, storing recordings correctly, and knowing when and how to report a potential breach.
Most Zoom-related HIPAA violations happen in Layers 2 and 3. Both layers are entirely the covered entity’s responsibility.
Policies, Training, and Risk Management for Zoom Use
Technology alone does not create compliance. You need documented policies, a trained team, and a regular process for assessing risk.
Five Policies Your Organization Needs Before Going Live on Zoom
Before any clinical use of Zoom begins, five policies must be in place:
- Telehealth use policy – defines when and how Zoom may be used for patient care, including which staff are authorized to conduct virtual sessions
- Minimum necessary standard policy – provides guidance on what PHI may be discussed or displayed during a session, and what should not be shared.
- Patient identity verification procedure – a step-by-step protocol that every provider follows before discussing any clinical information in a session
- Recording and storage policy – defines who is authorized to record sessions, where recordings must be stored, how long they are retained, and who can access them.
- Incident response plan – outlines the steps your organization takes if PHI is accidentally disclosed during a Zoom session, including how to document the incident and when to report it.
What Zoom-Specific HIPAA Training Must Cover
Annual HIPAA training must include a dedicated module on secure telehealth practices. At a minimum, that module should cover how to verify patient identity at the start of a session, why PHI must never be entered into the Zoom chat, which settings are locked and why they cannot be changed, how to handle recordings and where they must be stored, and how to recognize and report a potential breach.
Every training session must be documented. That means keeping records of who completed training, what was covered, and when. Staff attestations (signed acknowledgments that training was received and understood) are part of the documentation OCR may request.
New employees should complete Zoom-specific HIPAA guidance as part of onboarding, before they participate in any clinical session.
How to Include Zoom in Your Annual Risk Assessment
Every system that creates, receives, maintains, or transmits PHI must be part of your annual risk analysis. Zoom is no exception. When assessing Zoom specifically, your analysis should cover access controls, encryption configuration, recording storage practices, EHR integration data flows, and the behavior risks associated with how your staff uses the platform.
Risk assessment findings must be documented. More importantly, they must be followed by a risk management plan that actually addresses the gaps you find. A risk assessment that sits in a folder with no follow-up action is not useful to your organization, and it is not what OCR wants to see.
Managing all of this manually (policies, training records, and risk documentation) is one of the most common compliance gaps we see at ComplyAssistant. Our HIPAA Compliance Software brings it all together in one place, so your team can manage policies, track training completion, and maintain audit-ready risk documentation without juggling spreadsheets and shared drives.
Who Is Responsible When Zoom Is Used Non-Compliantly?
HIPAA compliance is not a job for one person. But it does assign specific responsibilities to specific roles.
The Security Officer’s Role
The Security Officer is responsible for ensuring Zoom is configured correctly and that technical safeguards remain in place. Key duties include owning risk assessments for technology systems, reviewing audit logs for anomalies (like unauthorized downloads or repeated failed logins), and managing access controls and integrations. They should also document configuration decisions and perform periodic technical reviews.
The Privacy Officer’s Role
The Privacy Officer ensures the workforce uses Zoom in line with the HIPAA Privacy Rule. Responsibilities include enforcing the minimum necessary standard during sessions, managing patient privacy complaints related to telehealth, reviewing telehealth consent and identity verification processes, and ensuring staff training is complete and documented.
Penalties for Using Zoom Without a BAA or Proper Configuration
If you use Zoom without a BAA or proper configuration, civil penalties range from $141 per violation for unknowing violations up to $71,162 per violation for willful neglect that was never corrected, with annual maximums reaching $2,134,831. Deliberate misuse of PHI can also trigger criminal penalties of up to $250,000 and 10 years in prison. The covered entity is liable, not Zoom. If a breach results, mandatory notification requirements and reputational consequences follow.
Zoom HIPAA Compliance Across the Patient Visit Lifecycle
Compliance is not just about the settings you enable before a call. It runs through the entire patient visit – before, during, and after.
Before the Visit – Scheduling, Consent, and Identity Verification
Before a session starts, take these steps:
- Don’t post meeting links publicly. Send links only via secure channels to the patient.
- Obtain and document patient consent for telehealth before care is delivered.
- Communicate and require an identity verification step (e.g., confirm name and date of birth).
- Review Zoom-EHR integrations and document where PHI flows.
Clearly defined scheduling, consent, and identity steps reduce the risk of wrong-patient disclosures and help you meet Privacy Rule obligations.
During the Visit – PHI Exposure Points in a Live Session
Once the call begins, these are the moments where PHI exposure is most likely to occur:
- Discussing more information than is necessary for the visit
- Sharing a screen before checking whether any unintended PHI is visible
- Typing patient information into the Zoom chat window
- Beginning clinical discussion before confirming the patient’s identity
- Having visible documents, notes, or screens in the background of your video feed
Use a virtual or neutral background to prevent anything visible in your physical space from appearing on camera. Review your screen before you share it. Keep the chat clear of any patient-specific information.
After the Visit – Recordings, Transcripts, and EHR Documentation
After the session ends:
- Move recordings to a HIPAA-compliant storage location immediately.
- Review auto-generated transcripts for accuracy before filing or storing.
- Place clinical documentation and visit notes in the EHR rather than keeping session notes in Zoom.
- Apply your retention policy to recordings and transcripts and restrict access to authorized personnel only.
These steps prevent PHI from lingering in non-compliant places and maintain a single source of truth for clinical records.
Tracking Zoom as a Business Associate in Your Vendor Risk Program
Treat Zoom as a business associate, not just an app. Track your BAA with expiration dates and renewal reminders. Complete security questionnaires as part of ongoing due diligence. Review updates to Zoom’s service terms, subprocessors, or data practices that could affect your BAA or compliance posture. Vendor oversight is an ongoing duty.
Note on ComplyAssistant: Many organizations focus on configuring Zoom but forget to track it inside their vendor risk program. ComplyAssistant’s Vendor Risk Management Software helps monitor all business associates—BAA status, security questionnaires, and renewal dates—so you can track obligations in one place.
How ComplyAssistant Supports HIPAA Compliance Beyond Zoom
Zoom gives your organization a HIPAA-eligible video platform. But the platform is only one piece of a complete compliance program. The policies, risk assessments, vendor tracking, and staff training that OCR expects to see are the work that surrounds the technology. And that is where ComplyAssistant comes in.
With over 25 years of experience in healthcare compliance, we give you the software and expert support to manage it all – from policy and training documentation to vendor BAA tracking, risk assessments, internal audits, and ongoing program leadership through our Virtual CISO Services.
Whether you are configuring Zoom for the first time or preparing for an OCR audit, we can help you get there. Contact the ComplyAssistant Team today.
Wrapping Up! Is Zoom HIPAA Compliant?
Yes – Zoom for Healthcare is a HIPAA-eligible platform. When you are on the right plan, your BAA is signed, your security settings are properly configured, and your team follows compliant practices in every session, Zoom can be used safely and effectively for telehealth. It is a capable platform that many healthcare organizations rely on every day.
The most common reason organizations face penalties is not a vendor failure; it is an internal one. No risk assessment. Untrained staff. Missing policies. Recordings saved in the wrong place. Zoom can support your compliance program, but it cannot build it for you.
If you are not sure where your organization stands, that is exactly the conversation to have with ComplyAssistant. If you are ready to take the next step, reach out to our team today.
FAQs
Which Zoom plan is HIPAA compliant?
Pro, Business, Business Plus, and Enterprise plans are eligible for a BAA and can be used for HIPAA-compliant telehealth. Free and Basic plans are not eligible under any circumstances – a BAA cannot be executed on a free account, which means any PHI shared on a free plan is a violation.
Is a signed BAA enough to make Zoom HIPAA compliant?
No. The BAA is a required first step, but it is not sufficient on its own. Your organization also needs to configure the platform’s security settings correctly, put written telehealth policies in place, train your staff, and complete a risk assessment that includes Zoom as a covered system. All four components need to be in place.
Can HIPAA violations still happen when using Zoom?
Yes, they can. Even with the right plan and a signed BAA, violations can occur through misconfigured settings, improperly stored recordings, PHI shared in the chat window, failure to verify patient identity before a session begins, or staff behavior that does not follow the minimum necessary standard.
Are Zoom transcriptions HIPAA compliant?
Zoom for Healthcare supports transcriptions, but any transcript containing PHI must be stored in a HIPAA-compliant location with appropriate access controls. Auto-saving to local devices or non-compliant cloud storage is a risk. If your organization does not have a compliant storage workflow in place, disable transcription features until it does.
What has Zoom done to ensure HIPAA compliance?
Zoom has taken several meaningful steps. It offers BAAs for qualifying plans, provides AES-256 encryption for all session data, includes audit controls and waiting rooms, integrates with EHR platforms including Epic, and has published a HIPAA Compliance Guide. Zoom also confirms through third-party review that its platform meets the requirements of the HIPAA Security Rule.
How can healthcare organizations keep their use of Zoom HIPAA-compliant over time?
Healthcare organizations should keep Zoom settings secure, maintain a signed Business Associate Agreement (BAA), and train staff on proper handling of PHI. Regular risk reviews and tools like ComplyAssistant can help track policies, safeguards, and audit documentation.