How many applications join your telehealth calls? Not Zoom itself. The third-party tools your clinicians installed without IT approval. The AI transcription service that auto-joins every meeting. The recording bot saving calls to a personal Google Drive. The browser extension capturing closed captions and sending them to an analytics dashboard. Each application accessing the call processes PHI. Each requires its own Business Associate Agreement.
KLAS Research found 41% of healthcare organizations using video conferencing platforms had unauthorized third-party applications accessing clinical sessions [KLAS Research 2025]. The platform met HIPAA requirements. The ecosystem surrounding it did not. Zoom provides the BAA, the encryption, and the compliance documentation. The compliance gap lives in the integrations your staff adopted without procurement review.
Zoom is HIPAA compliant on paid plans (Pro, Business, Enterprise, Healthcare) after executing a BAA. The free Basic plan does not qualify. The distinction between “Zoom is compliant” and “your Zoom deployment is compliant” depends on third-party app restrictions, cloud storage encryption, and retention policies most organizations never configure.
Zoom is HIPAA compliant on paid plans (Pro, Business, Enterprise, Healthcare) after executing a Business Associate Agreement (BAA), yet 41% of healthcare organizations using video conferencing had unauthorized third-party applications accessing clinical sessions [KLAS Research 2025]. The free Basic plan does not qualify because Zoom does not offer a BAA for free accounts. Compliance depends on configuration: signed BAA, restricted third-party apps, encrypted cloud storage, and documented retention policies.
Plan Selection and BAA Requirements
Zoom offers four plan tiers ranging from free to $200+/month per provider [Zoom Healthcare 2026]. Three qualify for HIPAA compliance. One does not.
The Basic (free) plan excludes HIPAA compliance [Zoom Trust Center 2026]. Zoom does not sign a BAA for free accounts and reserves the right to use meeting data for service improvement. Healthcare organizations using the free tier violate HIPAA transmission security requirements [164.312(e)(1)].
The Pro plan ($15.99/month per license) qualifies for HIPAA compliance after the account administrator signs the BAA through the Zoom web portal. The plan includes encrypted meetings, cloud recording controls, and administrative settings required for access control [164.312(a)(1)]. Solo practitioners and small clinics operating under 100 users meet compliance requirements on this tier.
Zoom for Healthcare vs. Standard Plans
The Zoom for Healthcare plan adds EHR integrations (Epic, Cerner, athenahealth), HITRUST certification support, and priority compliance support. Pricing starts at $200/month per provider [Zoom Healthcare 2026]. The plan targets hospital systems and large clinic networks requiring direct EHR workflows.
Most private practices and small healthcare organizations achieve full HIPAA compliance on the Pro or Business tier. The Healthcare plan delivers value when your workflow depends on EHR-embedded video visits or you require HITRUST alignment for payer contracts.
| Plan Tier | BAA Available | Primary Use Case |
|---|---|---|
| Basic (Free) | No | Non-compliant for ePHI |
| Pro ($15.99/mo) | Yes | Solo practitioners, small clinics |
| Business | Yes | Multi-provider practices (10-100 users) |
| Healthcare ($200+/mo) | Yes | Hospital systems, EHR integration required |
BAA Execution Process
Purchase a paid Zoom license. Log into the Zoom web portal as the account administrator. Navigate to Account Management > Account Profile > HIPAA Compliance. Review the BAA document. Sign electronically. Compliance activates within 24 hours of signature [Zoom Support KB0060053].
The BAA does not apply retroactively. Meetings conducted before BAA execution remain outside HIPAA coverage. Schedule the BAA signature before the first telehealth session.
Download the signed BAA from the Zoom portal immediately after execution. Save the PDF to your compliance documentation repository. Tag the file with the signature date and store it with your vendor management records. Auditors request BAA evidence during desktop reviews and SOC 2 fieldwork. Missing BAA documentation triggers findings under business associate controls [164.308(b)(1)].
How Do Third-Party Zoom Apps Create HIPAA Violations?
Zoom supports 1,800+ third-party SaaS applications through the Zoom App Marketplace, and 41% of healthcare organizations had unauthorized apps accessing clinical sessions [KLAS Research 2025]. Applications install directly into meetings: AI transcription services (Otter.ai, Fireflies.ai, Fathom), project management integrations (Asana, Monday), and CRM connectors (Salesforce, HubSpot).
Each application joining a Zoom meeting gains access to meeting audio, video, participant names, and chat transcripts. The Zoom BAA does not extend to third-party applications unless the application vendor separately signs a BAA with your organization [164.308(b)(1)].
Shadow AI Notetakers
AI transcription tools represent the most common third-party HIPAA violation in telehealth environments. A provider installs Otter.ai to automate session notes. The tool joins every Zoom meeting automatically. It records audio, transcribes the conversation, and stores the transcript on Otter’s servers.
Otter.ai does not sign a BAA with Zoom users on standard plans [Otter Privacy Policy 2026]. The provider transmits ePHI to a non-compliant business associate. This violates transmission security [164.312(e)(1)] and business associate requirements [164.308(b)(1)].
The same pattern applies to Fireflies.ai, Fathom, Grain, and most AI meeting assistants. These tools optimize for productivity. They do not optimize for HIPAA compliance.
Marketplace Restriction Controls
Zoom administrators control third-party app installation through account-level settings. Navigate to Advanced > Zoom Apps in the admin portal. Disable the “Allow users to install apps from the Zoom App Marketplace” toggle. This forces users to request administrative approval before adding any application.
Create an approved application whitelist. Limit the list to applications with executed BAAs or applications that operate entirely outside the meeting environment (calendar integrations, scheduling tools). Document the approval criteria and the BAA review process. Store this documentation with your HIPAA policies.
Audit your current Zoom account for installed third-party apps. Navigate to Account Management > Zoom Apps. Export the list of enabled applications. Review each application against your BAA inventory. Disable any application without a signed BAA. Communicate the policy change to all users before enforcement. Provide a list of approved applications with documented BAA coverage.
Cloud Recording Storage and Retention
Zoom offers two recording methods, local and cloud. Cloud recordings use AES 256-bit encryption at rest under BAA coverage [Zoom Security Whitepaper 2026]. Both local and cloud recordings create HIPAA-regulated records, and the storage location determines the compliance controls required.
Local Recording Compliance
Local recordings save to the meeting host’s computer as MP4 or M4A files. The host controls encryption, access, and deletion. The recording becomes part of your organization’s ePHI inventory. Apply the same controls required for any other ePHI storage: encryption at rest [164.312(a)(2)(iv)], access controls [164.312(a)(1)], and audit logging [164.312(b)].
Store local recordings on encrypted drives. Restrict file access to workforce members with documented need-to-know. Implement retention schedules aligned with your organization’s record retention policy. Delete recordings according to schedule. Document the deletion date and method.
Cloud Recording Compliance
Cloud recordings store on Zoom’s infrastructure. Zoom encrypts recordings at rest using AES 256-bit encryption [Zoom Security Whitepaper 2026]. The BAA covers cloud storage. Zoom acts as a business associate for stored recordings.
The compliance risk appears in retention policy enforcement. Zoom retains cloud recordings indefinitely until the account administrator deletes them. Organizations without automated deletion policies accumulate years of telehealth recordings. Each recording represents ongoing breach risk and storage cost.
Configure automatic deletion through the Zoom admin portal. Navigate to Account Management > Account Settings > Recording > Cloud Recording. Enable “Auto delete cloud recordings” and set the retention period. Align the retention period with your organization’s medical record retention requirements (typically 7-10 years for adult records, longer for pediatric records) [state medical record retention laws].
E-Discovery and Legal Hold
Cloud recordings fall under e-discovery obligations. Organizations subject to litigation or regulatory investigation must preserve relevant recordings. Zoom does not support legal hold functionality for cloud recordings on standard plans [Zoom Enterprise Support 2026].
Implement a legal hold process that downloads relevant recordings to local storage before the automated deletion date. Document the hold, the reason, and the custodian. Store legal hold recordings separately from active clinical records.
Document your recording retention policy in writing. Specify local versus cloud recording requirements. Define retention periods by record type (telehealth visits, administrative meetings, training sessions). Configure Zoom’s auto-delete settings to match your written policy. Train workforce members on the policy and the legal hold process. Store the policy with your HIPAA documentation.
Which Zoom Security Settings Are Required for HIPAA?
HIPAA requires access controls for ePHI [164.312(a)(1)], and OCR issued $16.7 million in penalties in 2023 alone [HHS OCR Enforcement Results 2023]. Zoom meetings containing patient conversations therefore require authentication and authorization controls equivalent to those applied to other clinical systems.
Waiting Room Requirement
The Waiting Room feature places meeting participants in a virtual lobby until the host admits them. This prevents unauthorized participants from joining meetings before the host arrives and confirms participant identity.
Enable the Waiting Room at the account level. Navigate to Account Management > Account Settings > Security > Waiting Room. Toggle the setting to “On” and lock it to prevent individual users from disabling it. Apply the setting to all meeting types: scheduled meetings, instant meetings, and personal meeting rooms.
The Waiting Room serves as the digital equivalent of a locked exam room door. You verify patient identity before admission. You prevent unauthorized observers from accessing the conversation.
Passcode and Authentication
Require passcodes for all scheduled meetings. Navigate to Account Management > Account Settings > Security > Passcode. Enable the “Require passcode for all meetings” setting. Lock the setting at the account level.
Zoom generates unique passcodes for each scheduled meeting. The passcode embeds in the meeting link when using the Zoom scheduler or calendar integrations. Participants authenticate automatically when joining through the link.
For organizations requiring two-factor authentication, Zoom supports SSO integration through Okta, Azure AD, and other identity providers [Zoom SSO Documentation 2026]. SSO replaces passcode authentication with corporate identity verification.
Screen Sharing Restrictions
Restrict screen sharing to the meeting host by default. Navigate to Account Management > Account Settings > In Meeting (Basic) > Screen Sharing. Set the screen sharing permission to “Host Only.” This prevents accidental ePHI disclosure when patients or unauthorized participants share screens containing sensitive information.
Providers conducting remote patient monitoring or technical support sessions require participant screen sharing. Enable screen sharing on a per-meeting basis through the in-meeting security controls rather than at the account level.
Export your current Zoom security settings. Navigate to Account Management > Account Settings > Security. Take screenshots of each security section: Waiting Room, Passcode, Screen Sharing, and Chat. Compare your current configuration against HIPAA baseline requirements. Document any deviations and the business justification. Store the security baseline document with your HIPAA policies. Review the configuration quarterly.
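The settings audit above and the third-party app audit in the Marketplace Restriction Controls section can be driven from exported data rather than screenshots. The following is an added example, not Zoom's tooling and not the Zoom API schema: the snapshot field names, the app list, the BAA inventory and the 7-year retention value are all constructed for illustration.

```python
"""Baseline check for the Zoom HIPAA settings and third-party app controls
described above. Added example; not Zoom's tooling and not the Zoom API schema:
the snapshot field names below are assumptions chosen for illustration."""
from dataclasses import dataclass

# Constructed sample: an account-settings snapshot as an admin might export it.
# Each control records its value and whether the admin locked it (assumed shape).
SAMPLE_SETTINGS = {
    "waiting_room": {"value": True, "locked": False},          # on, but unlocked
    "require_passcode": {"value": True, "locked": True},
    "screen_sharing": {"value": "all_participants", "locked": True},
    "marketplace_user_install": {"value": True, "locked": False},
    "cloud_recording_auto_delete_days": {"value": 0, "locked": False},  # 0 = never
}

# The same snapshot with every control at the page's baseline (constructed).
COMPLIANT_SETTINGS = {
    "waiting_room": {"value": True, "locked": True},
    "require_passcode": {"value": True, "locked": True},
    "screen_sharing": {"value": "host_only", "locked": True},
    "marketplace_user_install": {"value": False, "locked": True},
    "cloud_recording_auto_delete_days": {"value": 2555, "locked": True},
}

# Constructed sample: enabled Marketplace apps, and the vendors with an executed
# BAA on file. Apps that never join a meeting (scheduling, calendar) are allowed.
SAMPLE_APPS = [
    {"name": "Otter.ai", "joins_meetings": True},
    {"name": "Calendly", "joins_meetings": False},
    {"name": "Epic", "joins_meetings": True},
]
SAMPLE_BAA_INVENTORY = {"Zoom Video Communications", "Epic"}


@dataclass
class Finding:
    control: str
    citation: str   # HIPAA section or policy the control maps to
    detail: str


def check_settings(settings, policy_retention_days):
    """Return findings where the snapshot misses the baseline or is unlocked."""
    findings = []

    def require(key, expected, control, citation):
        entry = settings.get(key, {})
        if entry.get("value") != expected:
            findings.append(Finding(control, citation,
                f"{key} is {entry.get('value')!r}, expected {expected!r}"))
        elif not entry.get("locked"):
            findings.append(Finding(control, citation,
                f"{key} is set but not locked; users can disable it"))

    require("waiting_room", True, "Waiting Room", "164.312(a)(1)")
    require("require_passcode", True, "Passcode", "164.312(a)(1)")
    require("screen_sharing", "host_only", "Screen Sharing", "164.312(a)(1)")
    require("marketplace_user_install", False, "Zoom Apps", "164.308(b)(1)")

    # Retention: 0 means recordings accumulate indefinitely; any other value
    # must match the written retention policy exactly.
    days = settings.get("cloud_recording_auto_delete_days", {}).get("value", 0)
    if days <= 0:
        findings.append(Finding("Cloud Recording", "retention policy",
            "auto-delete disabled; recordings are retained indefinitely"))
    elif days != policy_retention_days:
        findings.append(Finding("Cloud Recording", "retention policy",
            f"auto-delete after {days} days; policy requires {policy_retention_days}"))
    return findings


def check_apps(apps, baa_inventory):
    """Flag enabled apps that join meetings (and so see ePHI) without a BAA."""
    return [Finding("Third-party app", "164.308(b)(1)",
                    f"{app['name']} joins meetings without an executed BAA")
            for app in apps
            if app["joins_meetings"] and app["name"] not in baa_inventory]


def run_audit(settings, apps, baa_inventory, policy_retention_days):
    """Combine both checks; an empty list means the deployment meets the baseline."""
    return check_settings(settings, policy_retention_days) + check_apps(apps, baa_inventory)


if __name__ == "__main__":
    # 2555 days (7 years) is a constructed policy value; substitute your own schedule.
    for f in run_audit(SAMPLE_SETTINGS, SAMPLE_APPS, SAMPLE_BAA_INVENTORY, 2555):
        print(f"[{f.citation}] {f.control}: {f.detail}")
```

Run it against a real export by replacing the constructed samples with the values from your admin portal; each finding names the control and the HIPAA section to cite in the deviation record.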
End-to-End Encryption Limitations
Zoom supports optional end-to-end encryption (E2EE) for meetings on top of its standard baseline of TLS 1.2 for transport and AES-256 for stored content [Zoom E2EE Whitepaper 2026]. E2EE encrypts meeting content on the sender’s device and decrypts it only on the receiver’s device, so Zoom’s servers never access unencrypted content.
E2EE disables several Zoom features: cloud recording, live transcription, breakout rooms, polling, and third-party streaming [Zoom E2EE Support]. Healthcare organizations using E2EE for maximum privacy sacrifice clinical workflow features.
The standard Zoom encryption (TLS 1.2 for transport, AES-256 for stored content) meets HIPAA transmission security requirements [164.312(e)(1)]. E2EE provides additional protection for extremely sensitive conversations (psychiatric evaluations, substance abuse treatment, genetic counseling) where the risk profile justifies the feature trade-offs.
Enable E2EE on a per-meeting basis rather than account-wide. Meeting hosts toggle E2EE through the in-meeting security menu. Document when E2EE applies and when standard encryption suffices. Train providers on the feature limitations before enabling E2EE for clinical sessions.
Conduct a risk assessment comparing E2EE benefits against workflow impact. Document the assessment results. Define specific use cases requiring E2EE (substance abuse treatment under 42 CFR Part 2, psychiatric sessions, genetic counseling). Create a procedure for enabling E2EE for qualifying sessions. Train affected workforce members on the procedure. Store the risk assessment and procedure with your HIPAA policies.
Zoom Phone and SMS Compliance
Zoom Phone provides cloud-based voice calling through VoIP technology. Zoom Phone calls covered under the BAA meet HIPAA transmission security requirements [164.312(e)(1)], but the Zoom BAA explicitly excludes SMS from HIPAA coverage [Zoom BAA Section 4.3]. Organizations using Zoom Phone for patient appointment reminders, clinical follow-ups, and telehealth audio-only visits remain compliant for voice calls.
SMS Transmission Risk
Zoom Phone supports SMS messaging for text-based communication. SMS messages transmit through carrier networks using unencrypted protocols. Carriers access message content. Law enforcement accesses message content through carrier subpoenas. SMS does not meet HIPAA encryption requirements for ePHI transmission [164.312(e)(1)].
The Zoom BAA explicitly excludes SMS from HIPAA coverage [Zoom BAA Section 4.3]. Organizations sending appointment reminders, lab results, or clinical instructions through Zoom SMS violate transmission security requirements unless the patient provides documented authorization to use unsecured communication channels [164.522(b)].
Implement patient communication preferences during intake. Offer secure patient portal messaging as the default. Document patient requests to receive SMS communication. Include explicit consent language: “I understand SMS messages are not encrypted and may be accessed by my wireless carrier.” Store the signed consent form with patient records.
Audit your organization’s use of Zoom Phone SMS. Review sent messages for ePHI content (appointment details, diagnoses, lab results, medication names). Disable SMS for workforce members who send ePHI without documented patient consent. Implement a secure messaging alternative (patient portal, encrypted email, Zoom Team Chat for internal communication). Train workforce members on SMS restrictions. Update your HIPAA policies to address SMS exclusions.
Zoom AI Companion and LLM Training
Zoom AI Companion, launched in September 2023 and extended to all paid accounts in 2024, provides AI-powered features [Zoom AI Companion 2026]. The service offers meeting summaries, action item extraction, email composition assistance, and chat message drafting.
AI Training Data Scope
Zoom states AI Companion does not use customer audio, video, chat, or meeting content to train AI models for other customers [Zoom AI Trust 2026]. The service processes meeting content to generate summaries and action items for the specific account requesting the service.
The Zoom BAA extends to AI Companion processing when the feature processes ePHI [Zoom BAA Amendment 2024]. Organizations using AI Companion for telehealth meeting summaries operate under BAA coverage.
AI Feature Governance
Healthcare organizations face two AI Companion risks: workforce members enabling AI features without understanding data flow, and patients objecting to AI processing of clinical conversations. Address both risks through policy and configuration.
Disable AI Companion at the account level until you complete an AI impact assessment. Navigate to Account Management > Account Settings > AI Companion. Toggle the feature to “Off” and lock the setting. This prevents individual users from activating AI features without administrative review.
Conduct an AI impact assessment covering data flow, third-party subprocessors, model training scope, and patient notification requirements. Document the assessment results. Develop an AI use policy defining approved AI Companion use cases (administrative meetings only, clinical meetings with patient consent, disabled for all meetings).
Implement patient notification for AI-enabled telehealth sessions. Add notification language to consent forms: “This session may use AI-powered transcription and summarization tools provided by Zoom Video Communications. These tools operate under our Business Associate Agreement and do not share your information with other Zoom customers.” Obtain patient signature before the session.
Create an AI Companion governance document. Specify approved use cases. Define workforce member training requirements. Document patient consent procedures for AI-enabled sessions. Attach the Zoom AI trust documentation and BAA amendment covering AI services. Store the governance document with your HIPAA policies. Review the document annually or when Zoom announces new AI features.
Zoom Rooms for Telehealth
Zoom Rooms converts conference rooms into dedicated video conferencing spaces using hardware controllers, cameras, microphones, and displays. Healthcare organizations deploy Zoom Rooms for telehealth kiosks, specialist consultations, and multi-party care team meetings [Zoom Rooms Healthcare 2026].
Zoom Rooms covered under the account-level BAA meet HIPAA compliance requirements. The compliance risk appears in physical access controls and device security rather than the software platform.
Physical Access Controls
Zoom Rooms deployed in patient-accessible areas (waiting rooms, exam rooms, telehealth kiosks) require physical access restrictions. Patients using unattended Zoom Rooms access the device outside workforce supervision. Lock down the device to prevent unauthorized application access, file browsing, and network configuration changes.
Deploy Zoom Rooms using dedicated hardware running Zoom Rooms Controller software exclusively. Disable access to the underlying operating system. Remove USB ports or physically disable them. Implement auto-logout timers requiring authentication between sessions. Mount displays and controllers to prevent device removal.
Device Audit Logging
Zoom Rooms generate audit logs covering meeting start times, participants, duration, and device configuration changes. Access audit logs through the Zoom admin portal under Account Management > Reports > Zoom Rooms. Export logs monthly. Store logs for the retention period defined in your HIPAA policies (typically 6 years minimum) [164.312(b)].
Document Zoom Rooms deployment locations, device identifiers, and access control methods. Create a Zoom Rooms security configuration baseline covering authentication requirements, USB port restrictions, auto-logout timers, and physical mounting. Apply the baseline to all Zoom Rooms devices. Audit devices quarterly for configuration drift. Document the audit results. Store the baseline and audit reports with your HIPAA policies.
Zoom Certifications and Attestations
Zoom maintains SOC 2 Type II certification covering security, availability, and confidentiality trust service criteria [Zoom Trust Center 2026]. The SOC 2 report covers Zoom Meetings, Zoom Phone, Zoom Rooms, and Zoom Webinars. Request the current SOC 2 report through the Zoom Trust Center for vendor risk assessment purposes.
Zoom achieved HITRUST CSF certification in 2021 and maintains annual recertification [Zoom HITRUST 2026]. The HITRUST certification validates alignment with HIPAA Security Rule requirements, NIST Cybersecurity Framework controls, and ISO 27001 standards. Healthcare organizations subject to HITRUST requirements from payer contracts or regulatory bodies use Zoom’s HITRUST certification to satisfy vendor compliance obligations.
Zoom publishes FedRAMP Moderate authorization for Zoom for Government (separate product offering for federal agencies) [Zoom FedRAMP 2026]. The standard Zoom platform does not carry FedRAMP authorization. Healthcare organizations serving federal patients or operating under federal contracts verify whether FedRAMP requirements apply before platform selection.
Download Zoom’s current SOC 2 Type II report from the Trust Center. Review Section 4 (Control Activities) for controls relevant to your HIPAA risk assessment: logical access controls, encryption methods, change management procedures, and incident response processes. Map Zoom controls to your organization’s HIPAA control framework. Document the mapping. Store the SOC 2 report and control mapping with your vendor risk assessment documentation. Update annually when Zoom publishes the new SOC 2 report.
Zoom delivers reliable video infrastructure with full HIPAA support through the BAA. The compliance failures I encounter during audits trace to configuration gaps, not platform limitations. Organizations assuming default settings meet HIPAA requirements fail controls for third-party apps, retention policies, and access restrictions. Build the security configuration before the first patient session and compliance becomes systematic rather than reactive.
Frequently Asked Questions
Does the free Zoom Basic plan support HIPAA compliance?
The free Zoom Basic plan does not support HIPAA compliance because Zoom does not offer a Business Associate Agreement for free accounts. Organizations transmitting ePHI through Zoom Basic violate HIPAA transmission security requirements [164.312(e)(1)]. Upgrade to a paid plan (Pro, Business, Enterprise, or Healthcare) and execute the BAA before conducting telehealth sessions. Organizations comparing platforms should also evaluate Microsoft Teams and Slack for different use cases and pricing structures.
What is the difference between Zoom Pro and Zoom for Healthcare?
Both plans support HIPAA compliance through the BAA. Zoom for Healthcare adds EHR integrations (Epic, Cerner, athenahealth), HITRUST certification support, priority compliance assistance, and healthcare-specific training resources. Solo practitioners and small clinics meet compliance requirements on the Pro plan ($15.99/month). Hospital systems requiring EHR-embedded video visits or HITRUST alignment justify the Healthcare plan investment ($200+/month).
How do I sign the Zoom Business Associate Agreement?
Sign the Zoom BAA by purchasing a paid license and logging into the Zoom web portal as the account administrator. Navigate to Account Management > Account Profile > HIPAA Compliance. Review the BAA terms. Sign electronically. Download the signed BAA immediately for your compliance documentation. Compliance activates within 24 hours of signature.
Does Zoom AI Companion violate HIPAA when processing telehealth sessions?
Zoom AI Companion operates under BAA coverage when processing ePHI. Zoom states the service does not use customer content to train AI models for other customers [Zoom AI Trust 2026]. Healthcare organizations using AI Companion for clinical meeting summaries remain compliant under the BAA. Implement patient notification and consent procedures before enabling AI features for telehealth sessions.
Can I use Zoom SMS to send appointment reminders?
Zoom SMS transmits through unencrypted carrier networks, and the Zoom BAA explicitly excludes SMS from HIPAA coverage under Section 4.3, so SMS does not meet transmission security requirements [164.312(e)(1)]. Organizations sending ePHI through Zoom SMS violate HIPAA unless the patient provides documented authorization to use unsecured communication channels [164.522(b)]. Use secure patient portal messaging or obtain explicit written consent before using SMS for patient communication.
Should I use local recording or cloud recording for HIPAA compliance?
Both methods meet HIPAA requirements when configured correctly. Local recordings save to the host’s device and require encryption at rest [164.312(a)(2)(iv)], access controls [164.312(a)(1)], and documented retention policies. Cloud recordings store on Zoom’s encrypted servers under BAA coverage. Cloud recordings require automated deletion policies to prevent indefinite retention. Choose based on your organization’s storage infrastructure and retention policy enforcement capabilities.
What Zoom security settings are mandatory for HIPAA compliance?
Six Zoom security settings are mandatory for HIPAA compliance under the access control requirements of 164.312(a)(1). Enable Waiting Room for all meetings to verify participant identity before admission. Require passcodes for all scheduled meetings. Restrict screen sharing to host only by default. Disable third-party app installation or restrict it to pre-approved applications with signed BAAs. Configure cloud recording auto-delete aligned with your retention policy. Lock these settings at the account level to prevent individual users from disabling controls.
Does Zoom end-to-end encryption improve HIPAA compliance?
Zoom’s standard encryption (TLS 1.2 for transmission, AES-256 for storage) meets HIPAA requirements [164.312(e)(1)]. End-to-end encryption provides additional privacy protection but disables cloud recording, live transcription, breakout rooms, and polling features. Use E2EE for high-sensitivity sessions (substance abuse treatment, psychiatric evaluations, genetic counseling) where the privacy benefit justifies the workflow limitations. Document the risk assessment and E2EE activation procedures in your HIPAA policies.