Is Zoom HIPAA Compliant?

By: Blink Session

Zoom has become the most popular web conferencing software for business in use today. Its free version and ease of use have made it a go-to for many, but what about for health care? Is Zoom HIPAA compliant, and is it right for online telehealth, telemedicine, or teletherapy?

First off, Zoom does offer a HIPAA-compliant version of its software for healthcare. The free AND regular paid versions of Zoom are not HIPAA-compliant. Zoom does not advertise pricing for its health care version. As of now (last confirmed in March 2020), the price for Zoom's HIPAA-compliant plan was a minimum of $200/month with a 12-month commitment. As with most serious telehealth software, don't expect to simply jump on Zoom's website and get a HIPAA-compliant plan you can use for a few weeks.

How Does Zoom Make Zoom HIPAA-Compliant?

Zoom was not developed for healthcare and has no features specifically created to help treat patients online or to store patient data. Thus, Zoom was not originally created with the security and privacy rules of HIPAA in mind. So, how did they make it HIPAA-compliant? To answer that, we need to understand a few basics that make online software compliant.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect patients' privacy and ensure they have access to their medical records. Health care providers and any supporting companies that store patients' Personally Identifiable Information (PII) and medical records (e.g. Blink Session) in the U.S. are required by law to follow the HIPAA rules. For software companies the rules apply mostly to how PII is transmitted, how it is stored, and who has access to it.

The actual video is probably the first thing you think of when considering the privacy of online therapy. If HIPAA is concerned with who has access, the biggest question is: Who could gain access to your Zoom video sessions? I'll try not to get too far into the technical weeds here. Basically, the question comes down to how the video is routed: directly from your computer to your patient's, or through a server on the Internet. If the video goes person-to-person directly, it is hard for a third party to gain access. If the video is routed through a server, the company must follow guidelines to ensure that the employees who have access to the server are not snooping. End-to-end encryption helps with this, but that is a complex topic.

Zoom was able to certify that its video is HIPAA-compliant because its technology, by default, routes video directly between people, not through a server. That said, to record sessions Zoom does route video through its servers. To get around that problem, instead of developing systems to ensure privacy, Zoom simply turns off that feature for its health care users.

There is More to HIPAA Than "Compliant" Software

Video is only one of many things that are vital to HIPAA in telehealth. Your patient's name, email address, phone number, home address, and many other things all fall under data you must protect. If you add your patients as contacts in Zoom, send them meeting invitations, or store any other patient PII in your Zoom account, you could be violating HIPAA if you have not paid to use their health care plan.

One of the most important and overlooked areas of HIPAA is who has access to patient data. Think back before electronic medical records when the file room housed everything. Controlling access to that room was important. Now, bring it to today and imagine if anyone on the Internet could gain access to that room. Maybe you protect the room against strangers, but what about others in your company? Should therapists have easy access to the medical records of patients they are not treating?

Software like Zoom, and just about any other web-conferencing software built for business meetings, has no safeguards controlling access. You must ask: Is this software merely HIPAA-compliant or was it designed from the ground-up with HIPAA in mind? Will it help me and my organization follow the HIPAA rules?
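The file-room question above (should a therapist be able to open the records of patients they are not treating?) is the kind of safeguard the post says meeting software lacks. The following is an added example, not Blink Session's or Zoom's code, of what such a safeguard looks like in software: a deny-by-default gate in front of patient records that allows a clinician to read clinical notes only when they have an assigned treatment relationship with that patient, lets billing staff read identity fields but never clinical content (the "minimum necessary" idea), and writes every allow or deny decision to an audit log so that snooping can be detected afterwards. The roles, users, patient and assignments are all constructed sample data; nothing here describes Zoom's or any real product's implementation.

```python
"""Minimum-necessary access gate for patient records, with an audit trail.

Added example (not Blink Session's or Zoom's code). Roles, users, the
patient record and the treatment assignments below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # constructed roles: "clinician", "billing" or "admin"


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    name: str    # identifying information
    notes: str   # clinical content


class RecordAccess:
    """Deny-by-default gate in front of patient records."""

    def __init__(self) -> None:
        # patient_id -> clinician user_ids with an active treatment relationship
        self._treating: Dict[str, Set[str]] = {}
        self.audit_log: List[dict] = []

    def assign_clinician(self, patient_id: str, clinician_id: str) -> None:
        self._treating.setdefault(patient_id, set()).add(clinician_id)

    def _decide(self, user: User, record: PatientRecord, field_name: str) -> Tuple[bool, str]:
        treating = user.user_id in self._treating.get(record.patient_id, set())
        if field_name == "notes":
            # Clinical content: only a clinician who is treating this patient.
            if user.role == "clinician" and treating:
                return True, "treating clinician"
            return False, "no treatment relationship for clinical notes"
        if field_name == "name":
            # Identity only: the treating clinician, or billing staff who need
            # it to invoice but never see clinical notes (minimum necessary).
            if user.role == "billing" or (user.role == "clinician" and treating):
                return True, f"{user.role} may read identity fields"
            return False, "role not permitted to read identity fields"
        # Anything not explicitly allowed is denied (an "admin" is not a superuser here).
        return False, f"unknown field {field_name!r}"

    def read(self, user: User, record: PatientRecord, field_name: str) -> str:
        allowed, reason = self._decide(user, record, field_name)
        # Every decision, allowed or denied, is recorded for later review.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "role": user.role,
            "patient": record.patient_id, "field": field_name,
            "allowed": allowed, "reason": reason,
        })
        if not allowed:
            raise PermissionError(reason)
        return getattr(record, field_name)

    def denied_attempts(self, user_id: str) -> List[dict]:
        """Audit query: denied reads by one user, the basic snooping signal."""
        return [e for e in self.audit_log if e["user"] == user_id and not e["allowed"]]


def demo() -> dict:
    """Run the constructed scenario and return each user's outcome per field."""
    gate = RecordAccess()
    record = PatientRecord("p-001", "Jane Example", "session 3: progress on sleep goals")
    dr_a = User("u-a", "clinician")      # treating p-001
    dr_b = User("u-b", "clinician")      # same role, not treating p-001
    biller = User("u-bill", "billing")
    sysadmin = User("u-admin", "admin")  # manages accounts, not records
    gate.assign_clinician("p-001", "u-a")

    results: dict = {}
    for user in (dr_a, dr_b, biller, sysadmin):
        for field_name in ("name", "notes"):
            try:
                gate.read(user, record, field_name)
                results[(user.user_id, field_name)] = "allowed"
            except PermissionError:
                results[(user.user_id, field_name)] = "denied"
    results["denied_by_u-b"] = len(gate.denied_attempts("u-b"))
    results["log_entries"] = len(gate.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the design is that the role alone never grants access to clinical content: two users with the identical "clinician" role get different answers depending on whether a treatment relationship exists, and the denied attempts by the non-treating clinician are exactly what an audit review would pull from the log.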

In summary, your concern should not simply be about complying with rules and laws. It should be about protecting your patients' privacy and the sensitive information they have entrusted your company with. Companies with those concerns are more likely to view HIPAA as helpful instead of a burden.