Zoom Video Conferencing and HIPAA Compliance

Over 750,000 businesses are now using Zoom for online video and web conferencing. However, before a healthcare group implements the service it is vital to consider whether it adheres to HIPAA Rules, and whether it can be used appropriately in relation to sharing PHI.

A cloud-based video and web conferencing platform, Zoom allows employees across multiple locations to participate in meetings, share files, and collaborate. The web tool supports webinars and incorporates a business IM service.

Zoom has already been implemented by many healthcare groups worldwide, who use the platform to interact with other providers and communicate with patients. However, in the USA, healthcare groups must adhere to HIPAA Regulations when sharing confidential patient data.

Any software solution used with protected health information (PHI) must include a range of security protections to ensure that PHI is adequately safeguarded. Additionally, cloud-based platform providers are defined as business associates and are therefore also required to adhere to HIPAA Rules if their services are to be used in tandem with PHI.

Zoom meets these criteria according to a document released by the company in 2017 (PDF). However, although the technology is HIPAA-compliant, the way it is used can still result in HIPAA breaches if "Meeting Hosts" fail to implement the necessary controls at the user level.

Zoom, as a business associate, would need to enter into a contract with a HIPAA-covered entity before its service can be used with ePHI. That agreement, a Business Associate Agreement, acts as confirmation that Zoom is aware of its obligations in relation to the privacy and security of PHI.

Zoom is willing to complete a business associate agreement with healthcare groups and has ensured that its platform includes all of the required security controls to meet the strict requirements of HIPAA.

In April 2017 Zoom revealed that it had introduced the first scalable cloud-based telehealth service for the healthcare sector. Zoom for Telehealth allows enterprises and providers to communicate easily with other groups, care teams, and patients in a HIPAA-compliant fashion.

The service includes access and authentication measures, all communications are safeguarded with end-to-end AES 256-bit encryption, and the platform integrates with the Epic electronic health record system to support healthcare workflows.

Zoom has also announced a partnership with a global telehealth integrator, and says its infrastructure has been further enhanced to support full enterprise healthcare processes.

Zoom can be deemed a HIPAA-compliant web and video conferencing service that is appropriate for use in healthcare, provided a HIPAA-covered entity completes a business associate agreement with Zoom prior to using the service.

HIPAA Rules can still be violated when using the service, so users must be conscious of their duties in relation to patient privacy and must only share or transmit PHI with individuals authorized to receive it. It is the duty of the covered entity to ensure that Zoom is used properly and in line with HIPAA Regulations.