Is Zoom HIPAA Compliant?

By: Blink Session

Zoom has become the most popular web conferencing software for business in use today. Its free version and ease of use have made it a go-to for many, but what about for health care? Is Zoom HIPAA compliant, and is it right for online telehealth, telemedicine, or teletherapy?

First off, Zoom does offer a HIPAA-compliant version of its software for healthcare. The free AND regular paid versions of Zoom are not HIPAA-compliant. Zoom does not advertise pricing for its health care version. As of now (last confirmed in March 2020), the price for Zoom's HIPAA-compliant plan was a minimum of $200/month with a 12-month commitment. As with most serious telehealth software, don't expect to simply jump on Zoom's website and get a HIPAA-compliant plan you can use for a few weeks.

How Does Zoom Make Zoom HIPAA-Compliant?

Zoom was not developed for healthcare and has no features specifically created to support online treatment or to store patient data. Thus, Zoom was not originally created with the security and privacy rules of HIPAA in mind. So, how did they make it HIPAA-compliant? To answer that, we need to understand a few basics of what makes online software compliant.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect patients' privacy and ensure they have access to their medical records. Health care providers and any supporting companies that store patients' Personally Identifiable Information (PII) and medical records (e.g. Blink Session) in the U.S. are required by law to follow the HIPAA rules. For software companies, the rules apply mostly to how PII is transmitted, how it is stored, and who has access to it.

Video Security

The actual video is probably the first thing you think of when considering the privacy of online therapy. If HIPAA is concerned with who has access, the biggest question is: who could gain access to your Zoom video sessions? The answer centers around two topics: routing and encryption.

In terms of routing, video can be routed directly from your computer to your patient's (peer-to-peer), or through a server on the Internet. Direct routing has advantages for speed and security. Unfortunately, although Zoom routes video streams peer-to-peer by default, it does not encrypt them "end-to-end" (according to the traditional definition), so it misses out on the security advantages of this routing.

In terms of encryption: is the video encrypted, how is it encrypted, and who has access to the encryption key? If the video is routed through a server, the company must follow guidelines to ensure that employees with access to the server are not snooping. End-to-end encryption helps with this because only the devices (computers) on the video call have access to the encryption key. Zoom does not provide end-to-end encryption. That said, it is important to understand that any video-conferencing service (company) could build back doors to snoop on video calls, even with end-to-end encryption. Ultimately, you are going to need to trust the company you are working with.
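The difference between "encrypted in transit" and "end-to-end encrypted" comes down to who holds the key, and it is easy to see in code. The script below is an added illustration, not Zoom's or Blink Session's code. It models a relay server in two configurations: one where the relay holds a per-hop key for each participant (so it must decrypt every frame to forward it, and can therefore read it), and one where the two endpoints share a session key the relay never receives. The cipher is a constructed toy (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, standard library only); a real product would use AES-GCM or SRTP, and the participant names and frame contents are invented samples.

```python
"""Who can read a video call: relay-held keys versus end-to-end keys.

Added illustration, not Zoom's or Blink Session's code. The cipher below is a
constructed toy built from HMAC-SHA256; a real system would use AES-GCM or SRTP.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a pseudorandom keystream generator.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC layout: nonce || ciphertext || HMAC(nonce || ciphertext).
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes):
    # Returns the plaintext, or None if the key is wrong or the frame was altered.
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class Relay:
    """Media server sitting between two call participants."""

    def __init__(self, hop_keys: dict):
        # hop_keys maps participant -> the per-hop key the relay shares with them.
        # For an end-to-end call the relay holds no media keys at all (empty dict).
        self.hop_keys = hop_keys
        self.observed = []  # frames the relay was able to read in the clear

    def forward(self, sender: str, receiver: str, frame: bytes) -> bytes:
        if not self.hop_keys:
            # End-to-end: the bytes are opaque to the relay and are forwarded untouched.
            return frame
        # Hop-by-hop: decrypt with the sender's key, re-encrypt for the receiver.
        plain = decrypt(self.hop_keys[sender], frame)
        self.observed.append(plain)
        return encrypt(self.hop_keys[receiver], plain)


def hop_by_hop_call(frame: bytes):
    """Transport-only encryption: the relay holds both hop keys and sees every frame."""
    keys = {"therapist": secrets.token_bytes(32), "patient": secrets.token_bytes(32)}
    relay = Relay(keys)
    on_wire = encrypt(keys["therapist"], frame)
    delivered = decrypt(keys["patient"], relay.forward("therapist", "patient", on_wire))
    return delivered, relay.observed


def end_to_end_call(frame: bytes):
    """End-to-end: the two devices share a key the relay never receives."""
    session_key = secrets.token_bytes(32)  # agreed between the endpoints only (assumed)
    relay = Relay({})
    forwarded = relay.forward("therapist", "patient", encrypt(session_key, frame))
    delivered = decrypt(session_key, forwarded)
    # A relay (or an insider on it) guessing at the frame with any other key gets None.
    relay_attempt = decrypt(secrets.token_bytes(32), forwarded)
    return delivered, relay.observed, relay_attempt


if __name__ == "__main__":
    sample = b"video frame 0042 (constructed sample)"
    print(hop_by_hop_call(sample))
    print(end_to_end_call(sample))
```

The point the article makes lands in `Relay.forward`: with hop keys, the relay has no choice but to decrypt, so its operators (or anyone who compromises it) can read the call; with end-to-end keys, the relay only ever handles opaque bytes, and the authentication tag also means a tampered or re-keyed frame is rejected rather than silently decoded to garbage.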

Re-purposed for HIPAA

To answer the question of how Zoom makes Zoom HIPAA-compliant, it's important to emphasize again that Zoom was not developed for healthcare. Thus, Zoom was able to certify HIPAA compliance simply by turning off, for its health care users, the features that do not meet HIPAA standards.

There is More to HIPAA Than "Compliant" Software

Video is only one of many things that are vital to HIPAA in telehealth. Your patient's name, email address, phone number, home address, and many other things all fall under data you must protect. If you add your patients as contacts in Zoom, send them meeting invitations, or store any other patient PII in your Zoom account, you could be violating HIPAA if you have not paid to use their health care plan.

One of the most important and overlooked areas of HIPAA is who has access to patient data. Think back before electronic medical records when the file room housed everything. Controlling access to that room was important. Now, bring it to today and imagine if anyone on the Internet could gain access to that room. Maybe you protect the room against strangers, but what about others in your company? Should therapists have easy access to the medical records of patients they are not treating?

Software like Zoom, and just about any other web-conferencing software built for business meetings, has no safeguards controlling access. You must ask: is this software merely HIPAA-compliant, or was it designed from the ground up with HIPAA in mind? Will it help me and my organization follow the HIPAA rules?
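The "file room" safeguard the previous two paragraphs describe is, in software, a treatment-relationship check plus an audit trail. The following is an added example, not code from Zoom or Blink Session: a small record store where a clinician can open a chart only if they are on that patient's care team, every attempt (allowed or denied) is logged, and the error returned to an unauthorised caller does not reveal whether the patient id exists. Patient and clinician identifiers, and the chart text, are constructed sample values.

```python
"""Treatment-relationship access check for patient records.

Added illustration, not Zoom's or Blink Session's code. All patient and
clinician data below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Patient:
    patient_id: str
    name: str
    care_team: set   # user ids of the clinicians currently treating this patient
    chart: str       # the protected record (constructed sample text)


@dataclass
class RecordStore:
    patients: dict
    audit: list = field(default_factory=list)

    def _log(self, user_id: str, patient_id: str, outcome: str) -> None:
        # Every access attempt is recorded, including the ones that were refused.
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "patient": patient_id,
            "outcome": outcome,
        })

    def can_access(self, user_id: str, patient_id: str) -> bool:
        # Access is granted only by an explicit care-team membership, never by role alone.
        patient = self.patients.get(patient_id)
        return patient is not None and user_id in patient.care_team

    def read_chart(self, user_id: str, patient_id: str) -> str:
        # Deny by default. An unknown patient id and an unauthorised user produce the
        # same error, so a caller cannot probe which ids exist.
        if not self.can_access(user_id, patient_id):
            self._log(user_id, patient_id, "denied")
            raise PermissionError("no treatment relationship with this patient")
        self._log(user_id, patient_id, "allowed")
        return self.patients[patient_id].chart

    def denied_attempts(self, user_id: str) -> int:
        # Repeated denials for one user are the signal a privacy officer reviews.
        return sum(1 for e in self.audit if e["user"] == user_id and e["outcome"] == "denied")


def build_sample_store() -> RecordStore:
    # Constructed sample data; dr-ada treats both patients, dr-bob only p-002.
    return RecordStore(patients={
        "p-001": Patient("p-001", "Patient One", {"dr-ada"}, "chart text for p-001"),
        "p-002": Patient("p-002", "Patient Two", {"dr-bob", "dr-ada"}, "chart text for p-002"),
    })


if __name__ == "__main__":
    store = build_sample_store()
    print(store.read_chart("dr-ada", "p-001"))
    try:
        store.read_chart("dr-bob", "p-001")
    except PermissionError as err:
        print("denied:", err)
    for entry in store.audit:
        print(entry)
```

Two design choices matter here. Membership is per patient, not per role, so being "a therapist" grants nothing by itself; and the audit list is written on the deny path as well as the allow path, because the denied attempts are what reveal someone browsing charts they have no reason to open.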

In summary, your concern should not simply be about complying with rules and laws. It should be about protecting your patients' privacy and the sensitive information they have entrusted your company with. Companies with those concerns are more likely to view HIPAA as helpful instead of a burden.