Zoom HIPAA Compliance: What You Need to Know

As more health care providers open virtual consultations on Zoom, questions surrounding Zoom HIPAA compliance have increased. Many legal professionals are struggling to clarify: What makes HIPAA-compliant videoconferencing? And if telehealth is here to stay, how can we ensure our medical information is private and secure as it expands to more “every day” technologies like Zoom? Here, I attempt to answer these questions as I break down how Zoom HIPAA compliance is being validated in our increasingly virtual world.

How has Zoom HIPAA compliance changed amid the pandemic?

Before the pandemic touched down in the U.S., telehealth presence existed but remained low due to a lack of equal coverage across insurers and states. When the country went into a state of emergency, however, federal and state bodies adjusted policies around telehealth to make it more widely available. One of these adjustments was made by the Department of Health & Human Services (HHS), which waived penalties associated with HIPAA violations for health care providers that serve patients in good faith through “everyday non-public facing communications technologies.” This meant that a doctor could now treat patients via Skype, Facetime, Google Hangouts, Facebook Video Messenger or Zoom, without fear of expensive fines and penalties.

The problem? The risk of protected health information (PHI) being accessed or shared among third-party applications became very real, very fast. Although the HHS encouraged providers to enable all encryption and privacy settings, there was no way to enforce this. The next best thing the HHS did was list HIPAA-compliant video communication products that also offer a business associate agreement (BAA) to ensure patient data is safeguarded. Although the HSS does not “endorse, certify or recommend” any of the technology vendors on this list, Zoom for Healthcare was considered HIPAA compliant under these new conditions.

What is Zoom for Healthcare?

Zoom for Healthcare is Zoom’s video conferencing solution for telehealth. Through high-quality video, audio, screen sharing, co-annotation and integrations with EEHR and other medical devices, physicians can connect with their patients in a seamless, intraoperative way. Zoom for Healthcare is also the only solution on the market that allows multiple members on the call in a HIPAA-compliant setting, making it an alluring choice for teams who have collaborative workflows, require ongoing training of their staff or need to meet with patients’ family members. When it comes to Zoom HIPAA compliance, Zoom for Healthcare is the only solution that falls within requirements.

How is Zoom for Healthcare HIPAA compliant?

You might be wondering, how is Zoom HIPAA compliance valid if the HSS doesn’t certify it? According to the HSS and the Office of the National Coordinator for Health and Technology, Zoom is part of a category that falls outside of their jurisdiction. As of right now, these groups don’t certify “software or off-the-shelf products” nor accredit independent agencies to do HIPAA certifications. Additionally, they state that the HITECH Act only provides for testing and certification of electronic health records (EHR) programs and modules. So, for what it’s worth, they don’t give new technologies much of a chance to be assessed for certification.

Even though it doesn’t have an official stamp of approval, Zoom for Healthcare meets general H IPAA security standards and offers a BAA option. Additionally, the security behind Zoom for Healthcare was architected so that Zoom does not have access to PHI, even though it transmits it. This model, also known as the “conduit exception,” is what makes Zoom HIPAA compliance a reality. Zoom turns on mandatory settings to all health care accounts, which they claim “nearly eliminates their ability to transmit PHI to Zoom” and protects all video, chat and screen-sharing data in transit and at rest through industry-standard advanced encryption standards (AES). For more specifics on Zoom’s security and privacy features, head here, but for more on Zoom HIPAA compliance, keep reading.

Can you save recorded sessions without breaking Zoom HIPAA compliance?

Yes — recorded Zoom meetings can be saved for review without breaking HIPAA requirements. Zoom enables health care accounts to save all clinical recordings locally under the HIPAA BAA agreement and anything nonclinical in Zoom’s cloud. Whether you want to retrieve Zoom meeting recordings or access transcripts on those Zoom meetings, account admins can be sure their data is safe with Zoom’s storage and security features. However, if you find yourself recording a lot or almost all of your Zoom meetings, you may want to implement a Zoom e-discovery solution to find the data you need when you need it. Especially if a patient or ex-colleague wants their data deleted from your database in the future, it’s in your best interest to have a solution that can find it quickly and show proof of its deletion.

The Future of Telehealth

Will HIPAA-compliant videoconferencing be the same tomorrow as it is today? Will Zoom HIPAA compliance last or be subject to change? Although the answers to these questions remain unknown, what we do know is that telehealth has proved paramount to our safety during the pandemic, and the benefit of personalized remote care is something many don’t want to let go of.

Ensuring that people’s PHI is secure, private and discoverable should be the priority of health care providers as they embark on these new options. Although Zoom HIPAA compliance is the subject called into question here, all videoconferencing platforms have a lot to think about as virtual medical visits gain popularity. By working with vendors like Zoom to implement stronger security, privacy and e-discovery solutions, physicians and patients alike can feel better knowing their data is safe and controlled in our virtual world.