Is Zoom HIPAA Compliant?

The short answer is yes — but only if you have the right plan, a signed BAA, and the correct settings. Here's everything your practice needs to use Zoom for telehealth without risking a violation.

Yes — but only with Zoom for Healthcare

Standard Zoom (free, Pro, or Business) is not HIPAA compliant. You need the Zoom for Healthcare plan, a signed Business Associate Agreement (BAA), and specific settings configured correctly.

Zoom for Healthcare + BAA: HIPAA-eligible

Free / Pro / Business: not HIPAA compliant

What Makes Zoom HIPAA Compliant

HIPAA doesn't certify software. Instead, compliance depends on three things working together: the vendor's technical safeguards, a Business Associate Agreement, and your organization's administrative controls.

1. Healthcare Plan

Zoom for Healthcare is a paid add-on with HIPAA-eligible features. Standard free, Pro, and Business plans do not qualify.

2. Signed BAA

Zoom must sign a Business Associate Agreement committing to HIPAA safeguards, breach notification, and PHI handling limits.

3. Your Configuration

You are responsible for configuring security settings, training staff, and documenting Zoom in your risk assessment.

“Zoom provides the technical safeguards. Your practice provides the administrative and physical safeguards. The BAA binds them together.”

45 CFR §164.502(e) requires a covered entity to obtain satisfactory assurances, documented in a BAA, that each business associate will appropriately safeguard the PHI it creates, receives, maintains or transmits on the entity's behalf.

What Zoom Does — and Doesn't — Encrypt

Encryption alone doesn't equal HIPAA compliance, but it's a critical technical safeguard. Here's what the Zoom for Healthcare plan actually protects.

Encrypted & Covered Under BAA

  • Meeting audio and video

    AES-256 GCM for live media in transit (live audio and video are not stored unless recording is enabled)

  • Screen sharing content

    AES-256 GCM encryption applied

  • Chat messages in-meeting

    Encrypted during the session

  • Cloud recordings (Healthcare plan)

    AES-256 GCM at rest, TLS 1.2+ in transit

  • Zoom Phone (voice)

    SRTP with AES-256 encryption

Not Covered or At Risk

  • Meeting metadata on free/Pro accounts

    Participant names, join/leave times and IP addresses are logged and visible in Zoom's reports on every plan; without a BAA nothing binds how Zoom handles them

  • Cloud recordings on non-Healthcare plans

    No BAA coverage, not compliant

  • Third-party app integrations

    Data shared with apps outside Zoom's BAA scope

  • Zoom chat (persistent/channels)

    Not covered under standard BAA

End-to-end encryption (E2EE) is optional

Zoom offers opt-in E2EE for meetings, but enabling it disables cloud recording, live transcription, and breakout rooms. Most healthcare practices instead use the default AES-256 GCM encryption and keep cloud recording turned off separately. The default mode is accepted as meeting the HIPAA Security Rule's encryption safeguard, but its keys are managed by Zoom's servers, so Zoom itself could technically access meeting content. That is exactly why the BAA, not the cipher, carries the compliance weight.

HIPAA-Compliant Zoom Settings Checklist

Having the right plan and BAA isn't enough. These eight settings must be configured at the account level, enforced across all users, and documented in your risk assessment.

01. Require meeting passcodes
Where: Settings → Security → Passcode
Action: Toggle ON for all meeting types
Why: Prevents unauthorized access to telehealth sessions

02. Enable waiting room
Where: Settings → Security → Waiting Room
Action: Toggle ON (set to All Participants)
Why: The host admits each patient manually, which prevents the wrong person being let into another patient's session

03. Disable 'Join before host'
Where: Settings → Meeting → Join Before Host
Action: Toggle OFF
Why: Prevents patients from sitting in an unmonitored session

04. Disable cloud recording
Where: Settings → Recording → Cloud Recording
Action: Toggle OFF (or restrict to host-only with encryption)
Why: Cloud recordings create stored ePHI; only enable this if your BAA explicitly covers it

05. Set local recording to host-only
Where: Settings → Recording → Local Recording
Action: Toggle ON, restrict to host only
Why: Stops participants using Zoom's built-in recorder without the provider's knowledge. It cannot stop screen-capture software outside Zoom, so do not treat it as a guarantee against patient-side recording

06. Disable file transfer in chat
Where: Settings → Meeting → In-Meeting Chat → File Transfer
Action: Toggle OFF
Why: Prevents PHI from being shared through in-meeting chat file transfers

07. Lock meetings after start
Where: Security icon during the meeting (manual, per session)
Action: Click Security → Lock Meeting once all participants have joined
Why: Prevents late joiners from entering without the host re-admitting them

08. Restrict screen sharing to host
Where: Settings → Meeting → Screen Sharing
Action: Set to Host Only
Why: Prevents accidental PHI exposure from participant screen shares

Admin-level enforcement is critical

Configure these settings at the account level (not just per-user) so individual clinicians can't override them. Use Zoom's Group Management to lock settings for all healthcare users. Document your configuration in your HIPAA compliance checklist.
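Checking these settings by clicking through the admin UI does not scale and leaves no audit trail. The following is an added example, not code from the original page or from Zoom: a small policy-as-code audit that reads an exported account-settings document and reports each checklist item that is either set wrongly or set correctly but not locked at account level (so a clinician could still flip it). The dotted key names are assumptions that imitate the section.key layout of a Zoom account-settings JSON export; they were not verified against Zoom's API reference, and the sample documents are constructed for the example.

```python
"""Audit an exported Zoom account-settings document against the eight
telehealth settings in the checklist above.

Item 07 (lock the meeting once everyone has joined) is an in-meeting action
with no account-level toggle, so the audit covers the other seven, plus the
account-level lock state of each.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Rule:
    item: str          # checklist item number and title
    path: str          # dotted "section.key" path into the settings document
    expected: Any      # value the checklist requires
    remediation: str   # where to fix it in the admin UI


# ASSUMPTION: these dotted paths imitate the section.key layout of a Zoom
# account-settings JSON export, but the key names are illustrative and were
# not verified against Zoom's API reference.
RULES: tuple[Rule, ...] = (
    Rule("01 Require meeting passcodes",
         "schedule_meeting.require_password_for_scheduling_new_meetings", True,
         "Settings > Security > Passcode: ON for all meeting types"),
    Rule("02 Enable waiting room", "in_meeting.waiting_room", True,
         "Settings > Security > Waiting Room: ON, All Participants"),
    Rule("03 Disable join before host", "schedule_meeting.join_before_host", False,
         "Settings > Meeting > Join Before Host: OFF"),
    Rule("04 Disable cloud recording", "recording.cloud_recording", False,
         "Settings > Recording > Cloud Recording: OFF"),
    Rule("05 Local recording host-only", "recording.participants_can_record_locally", False,
         "Settings > Recording > Local Recording: host only"),
    Rule("06 Disable in-meeting file transfer", "in_meeting.file_transfer", False,
         "Settings > Meeting > In-Meeting Chat > File Transfer: OFF"),
    Rule("08 Screen sharing host-only", "in_meeting.who_can_share_screen", "host",
         "Settings > Meeting > Screen Sharing: Host Only"),
)


@dataclass(frozen=True)
class Finding:
    item: str
    severity: str   # "FAIL": wrong value. "UNLOCKED": right value, but users can override it.
    actual: Any
    remediation: str


def lookup(doc: dict, path: str) -> Any:
    """Follow a dotted path; a missing key yields None so it is reported, never passed."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def audit(settings: dict, locked: dict) -> list[Finding]:
    """Compare settings to RULES. `locked` mirrors the settings layout with a
    boolean per key saying whether the account admin has locked that setting."""
    findings: list[Finding] = []
    for rule in RULES:
        actual = lookup(settings, rule.path)
        if actual != rule.expected:
            findings.append(Finding(rule.item, "FAIL", actual, rule.remediation))
        elif lookup(locked, rule.path) is not True:
            findings.append(Finding(rule.item, "UNLOCKED", actual,
                                    "Lock this setting at account level so users cannot change it"))
    return findings


# Constructed sample: a Healthcare account with a BAA but half-finished hardening.
SAMPLE_SETTINGS = {
    "schedule_meeting": {"require_password_for_scheduling_new_meetings": True,
                         "join_before_host": True},
    "in_meeting": {"waiting_room": True, "who_can_share_screen": "all"},
    "recording": {"cloud_recording": True, "participants_can_record_locally": False},
}
SAMPLE_LOCKED = {
    "schedule_meeting": {"require_password_for_scheduling_new_meetings": True,
                         "join_before_host": False},
    "in_meeting": {"waiting_room": False, "who_can_share_screen": False},
    "recording": {"cloud_recording": False, "participants_can_record_locally": True},
}


def compliant_documents() -> tuple[dict, dict]:
    """Build settings and lock documents that satisfy every rule, for a clean-run check."""
    settings: dict = {}
    locked: dict = {}
    for rule in RULES:
        section, key = rule.path.split(".")
        settings.setdefault(section, {})[key] = rule.expected
        locked.setdefault(section, {})[key] = True
    return settings, locked


if __name__ == "__main__":
    for f in audit(SAMPLE_SETTINGS, SAMPLE_LOCKED):
        print(f"{f.severity:8} {f.item}: actual={f.actual!r}. {f.remediation}")
```

Run against the constructed sample, the audit flags join-before-host, cloud recording, screen sharing and the absent file-transfer key as failures, and flags the waiting room as correctly set but unlocked. Treating a missing key as a finding rather than a pass is deliberate: an export that silently lacks a setting should make you look, not reassure you. Keep the report output with your risk assessment as evidence that the configuration was verified, not just intended.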

How to Get a BAA from Zoom

A Business Associate Agreement is legally required before any vendor handles PHI on your behalf. Without a signed BAA, using Zoom for telehealth is a HIPAA violation — regardless of how secure your settings are.

01. Purchase Zoom for Healthcare

Contact Zoom sales or upgrade through your admin portal. The Healthcare plan includes HIPAA-eligible features and access to the BAA. Pricing is not publicly listed — expect $15-25/user/month depending on volume.

02. Request the BAA from Zoom

Navigate to the Zoom Admin Portal → Account Management → Account Profile. Healthcare accounts will see an option to review and accept the BAA. Zoom uses a standard (non-negotiable) BAA template.

03. Review BAA terms carefully

Zoom's BAA defines which services are covered (Meetings, Phone, Cloud Recordings on the Healthcare plan), breach notification timelines, and permitted uses of PHI. HIPAA's outer limit for a business associate to notify you of a breach is 60 days after discovery, so check whether the template commits to anything shorter, and compare every term against your own BAA requirements.

04. Execute and store the signed BAA

Accept the BAA electronically through the admin portal. Download a signed copy and store it with your other BAAs. Per HIPAA, you must retain BAAs for 6 years from the date of last effectiveness.

05. Configure HIPAA-compliant settings

After executing the BAA, configure all required security settings (see checklist above). Lock settings at the account level so individual users cannot override them.

06. Document in your risk assessment

Add Zoom to your HIPAA risk assessment as a system that processes ePHI. Document the safeguards in place, who has access, and your contingency plan if Zoom experiences a breach.

5 Mistakes That Make Zoom Non-Compliant

Most HIPAA violations on Zoom aren't caused by Zoom itself — they're caused by how practices use it. These are the most common failures we see in risk assessments.

Using free Zoom for telehealth

No BAA is available, so there is no HIPAA coverage. Any PHI handled through it is an impermissible disclosure to a vendor that has made no commitments to protect it.

Fix: Upgrade to Zoom for Healthcare before your first patient session.

Signing a BAA but skipping settings

A BAA doesn't auto-configure security. Cloud recordings, open chat, and join-before-host can leak PHI.

Fix: Follow the settings checklist above and lock at admin level.

Recording sessions to the cloud without review

Cloud recordings create stored ePHI. If the recording isn't encrypted or access-controlled, it's a breach risk.

Fix: Disable cloud recording or ensure it's host-only, encrypted, and documented in your risk assessment.

Sharing meeting links via non-compliant channels

Sending a Zoom link and passcode via regular SMS or personal email exposes session access to interception.

Fix: Use a HIPAA-compliant messaging or email platform to share links. See our comparison of compliant messaging apps.

Not training staff on Zoom telehealth procedures

Clinicians may use personal Zoom accounts, share screens with PHI visible, or forget waiting rooms.

Fix: Include Zoom-specific procedures in your HIPAA training program.

Need to train your team? Our guide to HIPAA training requirements covers what every staff member must know, and our HIPAA training quiz verifies retention.

Zoom Alternatives for HIPAA Communication

Zoom for Healthcare handles video, but practices also need compliant messaging and email. Some platforms offer all three in one. Here are the categories to evaluate.

Video Conferencing

Doxy.me, Google Meet (with Workspace BAA), Microsoft Teams

Secure Messaging

TigerConnect, OhMD, Klara, Spruce Health

Email

Paubox, Virtru, Hushmail for Healthcare

Quick Reference: Zoom HIPAA Compliance

Plan required

Zoom for Healthcare (paid) — free/Pro/Business plans are not HIPAA eligible

BAA required

Sign through Admin Portal → Account Management. Retain for 6 years.

8 settings to configure

Passcodes, waiting room, disable join-before-host, disable cloud recording, host-only local recording, disable file transfer, lock meetings, host-only screen share

Staff training required

Clinicians and admin staff must know Zoom-specific HIPAA procedures before first patient session
