Zoom has been a huge success story in recent years, becoming one of the fastest-growing applications. However, the video communication tool has actually been around since 2011 but only recently has its popularity exploded. As more health organizations switch to video conference, many are left asking if Zoom is HIPAA compliant.
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is a fundamental requirement for organizations in the healthcare industry. As a core protection for patient privacy, companies must ensure the apps and services they use follow the regulations.
So, what does that mean for Zoom? Is it a HIPAA compliant app?
In this article, I’ll explain exactly what you need to know about how to use Zoom in adherence with HIPAA regulations.
Is Zoom HIPAA Compliant? (answered)
The good news is that Zoom is HIPAA compliant. In fact, the company has done more than most of its competitors to follow the law after its popularity exploded in early 2020. To deliver HIPAA compliance to users, Zoom has signed a BAA, or Business Associate Agreement. The bad news is that in order to be compliant with Zoom, customers will have to pay for it by signing up for the Zoom for Healthcare plan. This is a fee that some of Zoom’s competitors do not charge.
I’ll explain all of this in detail in the article ahead, including what you can expect to pay for Zoom with a BAA.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law in the United States that protects patients from health companies disclosing their information and health data.
Under the rules of HIPAA, organizations in the health industry must get permission from patients before they share their information.
It is a very important part of privacy within the health care industry and is used by organizations, apps, and services. A business that does not comply with HIPAA is basically waving a red flag that user data is at risk and privacy is not a priority to the organization.
In the current climate of large-scale cyber attacks and consumer privacy concerns, being compliant with standards like HIPAA is essential for organizations in the health industry.
What Is Zoom?
For those living under a rock for the last year, Zoom is a video conference and communication tool that allows users to connect with other people both inside and outside of their organization. It can be used for meetings, one-on-one chats, presentations, and other video-based communication.
One of the most interesting things about Zoom is how the app became the most popular video chat tool on the market.
Zoom was founded in 2011 and spent much of the next nine years as a niche product that only some organizations used. In fact, up until February of 2020, the app only had 10 million active users. While 10 million is a lot of people, it was just a small part of the available market.
COVID-19 Fuels a Zoom Goldrush
That changed when COVID-19 swept across the globe and was declared a pandemic in early 2020. With individuals having to stay at home and communicate with their colleagues remotely, companies across the US and around the world were forced to immediately move to a distributed workforce.
As a result, businesses needed tools to support them during that change, and they needed them fast.
Video and chat apps such as Microsoft Teams, Slack, and Google Meet (which can also be HIPAA compliant) all thrived. However, it was Zoom that saw the most significant growth. In just two months, the app went from 10 million users to 300 million users, rocketing past Google Meet and Microsoft Teams.
In the wake of this astronomical growth, Zoom’s position as a major tech company has been cemented.
Early Missteps & Privacy Concerns with Zoom
But with that explosion of popularity came an explosion of privacy concerns. Zoom-bombing and a number of other security scandals rocked the young company, and in the wake of all of those reports it makes sense that health organizations using Zoom were asked repeatedly about HIPAA compliance.
In spite of early missteps, Zoom’s popularity means it is becoming the video conferencing tool of choice for many healthcare companies across the industry.
Information security is important to patients. HIPAA compliance is a way to show that companies are operating in good faith.
What is a BAA?
Major companies that want their apps and services to be compliant with HIPAA must sign what’s known as a Business Associate Agreement (BAA). Companies like Zoom are referred to as “business associates”. This means that they provide services that handle protected health information (PHI).
These business associates, such as Zoom, must sign the BAA to be able to deliver HIPAA compliance to users. The agreement essentially shows the service is willing to comply with regulations and standards under HIPAA. Here’s an example of a BAA contract provided by HHS.gov.
Without signing the BAA with Zoom, an organization will not be compliant with HIPAA, even if they are using the Zoom app.
Is Zoom HIPAA Compliant?
As I stated earlier – yes, Zoom is HIPAA compliant and can be used by healthcare organizations securely. Some companies, such as Google, require users to manually sign the BAA on their account to make themselves compliant. That extra step means the account is not compliant until the user makes the change.
Zoom operates in a similar way. The company requires account holders to enter into a BAA with them. However, while Google allows Meet users to sign a BAA for free, Zoom charges its users for the Zoom for Healthcare plan.
This includes several health-focused benefits, including HIPAA compliance through the signing of a BAA. However, this plan costs $2,400.
Under the HIPAA BAA, Zoom will do the following:
- Disable cloud recordings
- Remove device and user information from logging and reporting
- Encrypt all chats by default
Is Zoom for Healthcare Worth It?
While the cost of Zoom for Healthcare might seem a bit steep, the company will follow HIPAA regulations. Importantly, this has been happening since long before the company’s explosion in popularity.
In April 2017, the company debuted the first ever telehealth service called Zoom for Telehealth. This service gives organizations the ability to communicate with other companies and patients while remaining HIPAA compliant. This is possible through secure communications using AES-256-bit encryption and authentication methods.
The Importance of Training & Following Best Practices
When discussing HIPAA compliance, it is worth noting that technical compliance from the app you’re using is only half the battle. It is still possible to violate the rules.
Training employees to understand HIPAA standards and adhere to them is an important step towards becoming and staying compliant.
Final Thoughts about Zoom as a HIPAA Compliant Tool
Zoom is compliant with HIPAA regulations through a BAA between the user (organization) and Zoom, and though it costs extra, many healthcare businesses will find that it’s worth the cost.
It is important to sign the BAA, otherwise compliance will not be in place even if you are using Zoom.