Is Zoom HIPAA Compliant for Telemedicine and Healthcare


Zoom's HIPAA compliance is a crucial aspect for telemedicine and healthcare providers. Zoom has taken steps to ensure its platform meets the required standards.

Zoom's Business and Enterprise plans include HIPAA compliance features, which are not available on the Basic plan. This means that only users with a Business or Enterprise account can use Zoom for HIPAA-compliant telemedicine.

Zoom's HIPAA compliance is based on the BAA (Business Associate Agreement), which is a contract between Zoom and healthcare providers. This agreement outlines Zoom's responsibilities for protecting sensitive patient data.

However, Zoom's compliance is not foolproof, and users must take additional steps to ensure their own HIPAA compliance.


Tufts Service and Login

To use the Tufts HIPAA Zoom service, you must first be granted a special Tufts HIPAA Zoom license, which is different from your regular Tufts Zoom license. You can then schedule HIPAA-compliant Zoom meetings through a dedicated Tufts HIPAA Zoom website.

Access to the Tufts HIPAA Zoom service is available to members of specific groups, including Tufts University School of Medicine, Tufts University School of Dental Medicine, and Tufts Health Sciences Institutional Review Board (HS IRB).


The Tufts HIPAA Zoom service is accessed in a different way than the regular ("academic") version of Zoom. You will still have access to the regular Zoom, which can be used for meetings that do not require HIPAA compliance.

To obtain a Tufts HIPAA Zoom license, you need to log in to the Tufts HIPAA website. You will be granted a license when you log in for the first time.

To log in to your Tufts HIPAA Zoom account in the desktop client, you'll need to follow a specific process. Here's a step-by-step guide:

  1. Open the Zoom desktop application.
  2. Click Sign In.
  3. Select SSO.
  4. When prompted for your company domain, enter “tufts-hipaa” so the entire domain reads “tufts-hipaa.zoom.us”. Then, click Continue.
  5. A new page will open in your browser with a Tufts login window. Log in with your Tufts username and password. You may also have to complete DUO two-factor authentication.
  6. A popup message will appear. Click Open zoom.us to launch the Zoom Workplace desktop application.

Platform Changes and Security

Zoom for Healthcare offers a HIPAA-compliant platform, but it's essential to note that it's best used as a communication tool within a fully developed telehealth platform. This includes features like patient access to electronic health records (EHR) and automated patient scheduling.

To ensure HIPAA compliance, Zoom contains authentication measures, such as two-factor authentication, and access control measures, which regulate who can view or use resources in a computing environment.

Credit: youtube.com, Is Zoom HIPAA Compliant?

Zoom also uses end-to-end encryption to secure all communications, which is a must for HIPAA compliance. This means that only the sender and recipient of an electronic message can read the content of that message.

Upon signing a Business Associate Agreement (BAA) with Zoom, the following security measures are enacted on a Zoom account:

  • Cloud Recording will be disabled.
  • Encrypted chat will be enabled.
  • The setting “Require Encryption for 3rd Party Endpoints (H323/SIP)” will be enabled for all members of an account.
  • Text messages will be encrypted.
  • Offline messages will only be available after all parties initiate a cryptographic key exchange.

It's worth noting that while Zoom for Healthcare is HIPAA compliant, there are still security threats to be aware of, such as malicious files circulated under filenames that include "Zoom".

The Security Rule

The Security Rule is a crucial aspect of HIPAA compliance, and it's essential to understand what it entails. Zoom, a popular video conferencing platform, meets the required Security Rule measures to ensure the confidentiality, integrity, and availability of ePHI.

To be HIPAA compliant, a video conferencing application like Zoom must offer administrative, technical, and physical safeguards. These safeguards include authentication measures, access control measures, and end-to-end encryption.


Zoom contains authentication measures, such as two-factor authentication, to verify the identity of users. It also has access control measures in place, regulating who can view or use resources in the computing environment. These measures ensure that only authorized personnel have access to ePHI.

Zoom uses end-to-end encryption to secure all communications, converting data into a format decipherable only by the intended recipient. This encryption is enabled by default for all members of an account.

Here are the specific Security Rule measures that Zoom meets:

  • Authentication measures: Zoom provides two-factor authentication to verify user identity.
  • Access control measures: Zoom regulates who can view or use resources in the computing environment.
  • End-to-end encryption: Zoom converts data into a format decipherable only by the intended recipient.

By meeting these Security Rule measures, Zoom can be considered HIPAA compliant, but it's essential to note that additional security measures may still be necessary to ensure the confidentiality, integrity, and availability of ePHI.

Platform Changes During the Pandemic

The COVID-19 pandemic brought about significant changes to telehealth platforms, leaving healthcare professionals with questions about what was allowed.

In early 2020, the US Department of Health and Human Services modified HIPAA's Privacy Rule to allow non-HIPAA compliant video conferencing methods for telehealth visits.

Credit: youtube.com, FIRESIDE CHAT: The importance of platform reliability & security in a pandemic

Healthcare organizations saw a 535% increase in traffic on video conferencing apps like Zoom in 2020, making it a popular choice for teleconferencing.

However, it's essential to note that this was under the emergency provisions, and Zoom is not a HIPAA-compliant telemedicine platform.

The Office for Civil Rights confirmed in 2022 that healthcare professionals could use non-HIPAA compliant video conferencing services during the public health emergency.

The Consolidated Appropriations Act of 2023 extended many telehealth flexibilities, including the use of non-HIPAA compliant platforms, through December 31, 2024.

This extension means that Zoom, among other video conferencing platforms, was temporarily allowed as a government-approved telehealth platform.


Telemedicine

Zoom for Healthcare is a HIPAA-compliant telemedicine platform that incorporates access and authentication controls secured with end-to-end encryption. Zoom has also signed a HIPAA Business Associate Agreement (BAA).

However, Zoom's free version is not HIPAA-compliant, and it has faced security concerns, including a lack of end-to-end encryption for free users and the appearance of Zoom account credentials for sale on the dark web.


Zoom for Healthcare has recently increased its efforts to ensure HIPAA compliance, now enabling full end-to-end encryption of calls. This means that providers who want a fully HIPAA-compliant virtual care platform can integrate Zoom for Healthcare into their existing digital suite with greater confidence in the safety and security of their patients' clinical data.

Zoom is not a HIPAA-compliant telemedicine platform in the long term, but it is temporarily among the approved telehealth platforms allowed in the United States due to relaxed regulations during the COVID-19 pandemic.

Healthcare professionals can use Zoom for telehealth visits, but this is only allowed under the good faith provision of telehealth solutions during the COVID-19 public health emergency, which is set to expire on December 31, 2024.

Healthcare organizations are scrambling to find a secure and reliable HIPAA-compliant virtual care platform before the deadline, and they've been navigating mixed messages around whether certain types of telehealth software, including major brands like Zoom, are actually HIPAA-compliant.

Bridge's telehealth solution is a fully HIPAA-compliant part of the BridgeInteract platform, which streamlines provider workflows and offers a seamless patient experience across the online care journey through a HIPAA-compliant patient portal.

Shared Compliance Responsibility


Compliance is a shared responsibility between your telehealth platform and your organization. This means that simply using Zoom for Healthcare doesn't automatically make your organization HIPAA compliant.

Using the correct version of the software is certainly important, but your healthcare practice needs to understand that it is also on your staff to ensure HIPAA compliance. Your organization must be diligent in internally verifying that you have protocols in place to protect ePHI and can continue to do so.

Additional steps and considerations are necessary to ensure ePHI security and compliance. One of them is the use of end-to-end encryption, which is available for Zoom's Meetings and Video Webinars but not for the plan's Phone or Chat options.

To ensure HIPAA compliance, your organization needs to take extra precautions, such as implementing end-to-end encryption, using strong passwords, and controlling access to video conferences. This is especially true when sharing highly sensitive data, such as detailed medical records or personal identifiers.

Here are some key responsibilities for your organization to ensure HIPAA compliance:

  • Verify that you have protocols in place to protect ePHI
  • Implement end-to-end encryption for sensitive data
  • Use strong passwords and control access to video conferences
  • Stay updated on Zoom's latest security features and best practices
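The account settings that the page says are enacted under a BAA, together with the organisation-side responsibilities listed above, can be turned into an automated check rather than a manual checklist. The script below is an added example, not Zoom's code or API: it audits a settings snapshot against those expectations and fails closed, treating a missing setting as non-compliant. The key names in the snapshot (`cloud_recording_enabled`, `passcode_required` and so on), the sample snapshot, and the 10-character passcode minimum are all constructed for this example and should be mapped onto whatever your real settings export contains.

```python
"""Audit a settings snapshot against the HIPAA checklist described on this page.

The snapshot schema is constructed for this example; it is NOT the format of
the Zoom API. Adapt the key names to your own settings export.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    setting: str
    expected: object
    actual: object
    severity: str  # "high" blocks compliance, "medium" is a warning

    def __str__(self) -> str:
        return f"[{self.severity}] {self.setting}: expected {self.expected!r}, got {self.actual!r}"


# Account-level settings the page says are enacted once a BAA is signed
# (hypothetical key names, constructed for this example).
BAA_EXPECTED = {
    "cloud_recording_enabled": (False, "high"),
    "encrypted_chat_enabled": (True, "high"),
    "require_encryption_third_party_endpoints": (True, "high"),
    "text_messages_encrypted": (True, "high"),
}

# Per-meeting controls from the organisation's own responsibilities:
# end-to-end encryption for sensitive data and access control on meetings.
MEETING_EXPECTED = {
    "end_to_end_encryption": (True, "high"),
    "passcode_required": (True, "high"),
    "waiting_room_enabled": (True, "medium"),
}

MIN_PASSCODE_LENGTH = 10  # assumed organisational policy, not a Zoom or HIPAA value


def audit(snapshot: dict) -> list[Finding]:
    """Return every deviation from the expected settings.

    A key that is absent from the snapshot yields actual=None and is reported,
    so an incomplete export can never pass the audit by omission.
    """
    findings: list[Finding] = []
    account = snapshot.get("account", {})
    for key, (expected, severity) in BAA_EXPECTED.items():
        actual = account.get(key)
        if actual != expected:
            findings.append(Finding(f"account.{key}", expected, actual, severity))

    for meeting in snapshot.get("meetings", []):
        mid = meeting.get("id", "?")
        for key, (expected, severity) in MEETING_EXPECTED.items():
            actual = meeting.get(key)
            if actual != expected:
                findings.append(Finding(f"meeting[{mid}].{key}", expected, actual, severity))
        # A required passcode that is too short still leaves the meeting guessable.
        passcode = meeting.get("passcode") or ""
        if meeting.get("passcode_required") and len(passcode) < MIN_PASSCODE_LENGTH:
            findings.append(Finding(f"meeting[{mid}].passcode_length",
                                    f">={MIN_PASSCODE_LENGTH}", len(passcode), "medium"))
    return findings


def is_compliant(snapshot: dict) -> bool:
    """Compliant only when no high-severity finding remains."""
    return not any(f.severity == "high" for f in audit(snapshot))


# Constructed sample: one account-level violation and one badly configured meeting.
SAMPLE_SNAPSHOT = {
    "account": {
        "cloud_recording_enabled": True,  # should be disabled under the BAA
        "encrypted_chat_enabled": True,
        "require_encryption_third_party_endpoints": True,
        "text_messages_encrypted": True,
    },
    "meetings": [
        {"id": "m1", "end_to_end_encryption": True, "passcode_required": True,
         "passcode": "Kx7!pQ2#vL9z", "waiting_room_enabled": True},
        {"id": "m2", "end_to_end_encryption": False, "passcode_required": True,
         "passcode": "1234", "waiting_room_enabled": False},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT):
        print(finding)
    print("compliant:", is_compliant(SAMPLE_SNAPSHOT))
```

Run as a script it lists four findings for the sample snapshot (the cloud-recording setting plus three problems with meeting m2) and reports `compliant: False`; an empty snapshot also fails, which is the intended fail-closed behaviour for a compliance check.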

Frequently Asked Questions

How to enable HIPAA on Zoom?

To enable HIPAA compliance on Zoom, select Healthcare in the Plans & Pricing dropdown menu and follow the prompts to agree to the Business Associate Agreement (BAA). This will enable the HIPAA-compliant features on your Zoom account.

Is Zoom no longer HIPAA compliant?

No, Zoom for Healthcare remains HIPAA compliant, but users must still follow guidelines to ensure compliance. Consult our guide to learn more about Zoom's HIPAA compliance and what to look for in a telehealth platform.

Helen Stokes

Assigning Editor

Helen Stokes is a seasoned Assigning Editor with a passion for storytelling and a keen eye for detail. With a background in journalism, she has honed her skills in researching and assigning articles on a wide range of topics. Her expertise lies in the realm of numismatics, with a particular focus on commemorative coins and Canadian currency.
