Is Zoom HIPAA Compliant? Complete Analysis for Healthcare

Zoom can be used in a HIPAA-compliant manner, but only with the correct plan and configuration. Zoom offers a Business Associate Agreement (BAA) for customers on its Zoom for Healthcare plan or Zoom Workplace Business+ and higher tiers. Without the BAA and proper security settings, using Zoom to discuss protected health information (PHI) violates HIPAA.

Conditional — Zoom can be compliant with configuration

Zoom is HIPAA compliant only when you sign a BAA with Zoom and enable required security settings. The free and Pro plans do not qualify. You must use Zoom for Healthcare or a Business+ plan with the BAA executed.

Compliance Assessment

Aspect (Status)

Data Encryption (Yes)
  Zoom provides AES-256 GCM encryption in transit and supports end-to-end encryption (E2EE) for meetings.

Business Associate Agreement (With Configuration)
  A BAA is available on Zoom for Healthcare and Business+ plans. You must request and sign it before transmitting PHI.

Access Controls (Yes)
  Supports SSO, role-based access, waiting rooms, meeting passwords, and host controls to restrict unauthorized access.

Audit Logging (Yes)
  The admin dashboard provides detailed activity logs including meeting access, recording access, and user management events.

Cloud Recording Storage (With Configuration)
  Cloud recordings can contain PHI. You must disable cloud recording or ensure recordings are stored in a BAA-covered environment.

Data Residency (Partial)
  Zoom allows selecting data center regions but does not guarantee that all data processing stays within the chosen regions.

Chat & File Transfer (With Configuration)
  In-meeting chat and file transfer can contain PHI. Configure retention policies and disable persistent chat if needed.

Third-Party Integrations (Partial)
  Marketplace integrations may not be HIPAA compliant. Each integration must be individually assessed and covered by its own BAA.

Automatic Transcription (With Configuration)
  AI transcription features should be disabled unless the transcription service is covered under the BAA.

Backup & Recovery (Yes)
  Zoom maintains redundant infrastructure with disaster recovery capabilities as outlined in its BAA.

Business Associate Agreement (BAA)

BAA is available

Zoom offers a BAA for Zoom for Healthcare, Zoom Workplace Business+, and Enterprise plans. The BAA covers Zoom Meetings, Zoom Phone, Zoom Team Chat, and Zoom Rooms when properly configured. You must contact Zoom sales or enable it through the admin portal to execute the BAA.

How to Make Zoom HIPAA Compliant

1. Sign a Business Associate Agreement (BAA) with Zoom through your admin portal or sales representative.
2. Disable cloud recording or restrict recording access to authorized personnel only.
3. Enable waiting rooms and meeting passwords for all meetings involving PHI.
4. Disable AI Companion features including auto-transcription and meeting summaries.
5. Configure SSO integration and enforce multi-factor authentication for all users.
6. Restrict file sharing and persistent chat features in meetings discussing PHI.
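As an added example (not code from this page, from PoliWriter or from Zoom), the following Python audits an exported account-settings document against steps 2 through 6 above and produces a hardened copy. The section and key names are assumptions modelled on the shape of Zoom's account-settings API, and the sample values are constructed.

```python
import copy
import json

# Constructed sample of an account-settings export before hardening.
# Section and key names are assumptions modelled on Zoom's settings API.
SAMPLE_SETTINGS = json.loads("""
{
  "recording": {"cloud_recording": true, "auto_recording": "cloud",
                "audio_transcript": true},
  "schedule_meeting": {"require_password_for_scheduling_new_meetings": false},
  "in_meeting": {"waiting_room": false, "file_transfer": true,
                 "auto_saving_chat": true},
  "security": {"sign_in_with_sso": false, "two_factor_auth": false}
}
""")

# (section, key, required value, checklist step the check enforces)
CHECKS = [
    ("recording", "cloud_recording", False, "2: disable cloud recording"),
    ("recording", "auto_recording", "none", "2: no automatic cloud recording"),
    ("recording", "audio_transcript", False, "4: disable auto-transcription"),
    ("in_meeting", "waiting_room", True, "3: enable waiting rooms"),
    ("schedule_meeting", "require_password_for_scheduling_new_meetings", True,
     "3: require meeting passwords"),
    ("security", "sign_in_with_sso", True, "5: enforce SSO"),
    ("security", "two_factor_auth", True, "5: enforce MFA"),
    ("in_meeting", "file_transfer", False, "6: restrict file sharing"),
    ("in_meeting", "auto_saving_chat", False, "6: do not persist chat"),
]

def audit(settings):
    """Return (step, 'section.key', actual) for every failed check.
    A missing key is reported with actual=None: an unknown state is a finding."""
    failures = []
    for section, key, required, step in CHECKS:
        actual = settings.get(section, {}).get(key)
        if actual != required:
            failures.append((step, f"{section}.{key}", actual))
    return failures

def is_compliant(settings):
    return not audit(settings)

def harden(settings):
    """Return a copy with every checked key set to the value the checklist requires."""
    fixed = copy.deepcopy(settings)
    for section, key, required, _ in CHECKS:
        fixed.setdefault(section, {})[key] = required
    return fixed
```

Running audit(SAMPLE_SETTINGS) returns nine findings for the sample; audit(harden(SAMPLE_SETTINGS)) returns none. Step 1 (the BAA) is contractual and cannot be verified from settings.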

Limitations

  • Free and Pro plans are not eligible for a BAA and cannot be used with PHI.
  • End-to-end encryption disables some features like cloud recording, breakout rooms, and phone dial-in.
  • Third-party Zoom Marketplace apps are not covered under the Zoom BAA.
  • Zoom does not guarantee data residency within a single country.
  • Zoom AI Companion features are not yet covered under the BAA.

Frequently Asked Questions

Is Zoom HIPAA compliant?

Yes, conditionally. Zoom is HIPAA compliant when you use a qualifying plan (Zoom for Healthcare, Business+, or Enterprise), sign a BAA with Zoom, and enable the required security settings such as meeting passwords and waiting rooms.

Does Zoom offer a BAA?

Yes. Zoom provides a Business Associate Agreement for customers on Zoom for Healthcare, Business+, and Enterprise plans. The BAA covers Meetings, Phone, Team Chat, and Rooms.

Can I use Zoom Free for telehealth?

No. The free version of Zoom does not include a BAA and cannot be used to transmit or discuss protected health information (PHI). You need at minimum a Business+ plan with a signed BAA.

Is Zoom end-to-end encrypted?

Zoom offers optional end-to-end encryption (E2EE) for meetings. By default, Zoom uses AES-256 GCM encryption in transit. E2EE can be enabled but disables some features like cloud recording and phone dial-in.

What Zoom features should I disable for HIPAA compliance?

You should disable cloud recording (or restrict access), AI Companion features, automatic transcription, and persistent chat. Enable waiting rooms, meeting passwords, and SSO with MFA.

Is Zoom for Healthcare different from regular Zoom?

Zoom for Healthcare is a specialized SKU that includes the BAA by default, pre-configured HIPAA settings, and integration with EHR systems. Regular Zoom Business+ plans can also get a BAA but require manual configuration.

Can therapists use Zoom for patient sessions?

Yes, therapists can use Zoom for telehealth sessions provided they use a BAA-eligible plan, sign the BAA, and configure settings properly. Many therapists use Zoom for Healthcare or Zoom Business+ for this purpose.

Generate HIPAA policies for your stack

PoliWriter creates all the HIPAA policies you need, customized to tools like Zoom and your specific configuration. AI-powered, audit-ready, hours not months.