Is Zoom for Healthcare HIPAA Compliant?

Zoom is a mainstream video and web conferencing platform used by individuals and businesses. It became popular during the COVID-19 pandemic when new regulations for social distancing heightened the need for digital communication. Zoom was one of the fastest growing apps of the pandemic, with meeting participants increasing by 2900%.

Zoom became a particularly popular tool of choice by many healthcare professionals during this period who relied on this platform to consult with colleagues and patients. However, Zoom was not originally created for the specific needs of healthcare, this is particularly so in regards to security and patient confidentiality. During the pandemic it benefited from the lax enforcement of HIPAA legislation, but has since been forced to upgrade its security features.

In the following we consider whether Zoom is HIPAA compliant and whether it offers the most optimal platform for healthcare communications.

Learn more about: Top HIPAA Compliant Chat Apps

What is Zoom for Healthcare?

Zoom, or more formally known as, Zoom for Meetings, is a video-telephony software application designed by Zoom Video Communications in 2012. It is free to use for personal meetings, business meetings, education, training, and online conferences. In addition, it supports HD video calls, screen sharing, whiteboard collaboration, and audio-only calls. The Zoom app was designed to be user-friendly and enables people to interact and communicate despite being physically separated.

Recognizing the potential adoption of Zoom by healthcare professionals, Zoom launched a telehealth version of their platform in April 2017, specifically aimed at the healthcare industry. Zoom for Healthcare includes Zoom Meetings, Zoom Phone, Zoom Rooms, and Zoom Team Chat. Furthermore, Zoom integrates with healthcare information systems, like electronic health records (EMRs) and practice management platforms.

Learn more about: How to build a HIPAA compliant messenger with QuickBlox API

Benefits of Using Zoom for Healthcare

During the peak of the COVID pandemic the benefits of using Zoom for Healthcare were obvious. The pandemic generated a heightened demand for medical care at the same time there was an urgent need for social distancing to stop the spread of a highly contagious virus. Unsurprisingly, healthcare professionals and institutions adopted telehealth or digital communication technologies to provide video-enabled healthcare consultancy to their patients.

Zoom was an easy choice. Already widely familiar and easy-to-use, Zoom was increasingly adopted by healthcare providers, using it to communicate with other professionals and to provide online consultancy to patients to help reduce the burden on medical institutions.

But even without the exigencies of a global pandemic, there are many reasons why healthcare professionals would continue to choose using Zoom:

No Need to Install Software

No need for your patients to install Zoom on their devices. They can easily connect using the meeting link or also use the dedicated number to dial in for audio calls.

Easy to Use

A simple user interface makes it easier for users to join and participate in the call.

High-Quality Video and Sound

The high-resolution images and clear voice make it possible to have a great experience regardless of the device being used.

Flexible Scheduling

You can schedule a meeting on Zoom at any time and place.

Integrated with Other Applications

Zoom integrates seamlessly with other applications, including healthcare EHR systems. You can share information with colleagues while working together on documents.

Cost

Zoom for Healthcare pricing starts at $14.99, making it an affordable option for small practices.

Is Zoom for Healthcare HIPAA compliant?

While Zoom for healthcare reviews remain generally positive, the app was not originally intended for professional healthcare use and for this reason it has faced challenges demonstrating its compliance with HIPAA legislation.

What is HIPAA Compliance? – The Healthcare Portability and Accountability Act (HIPAA) outlines the privacy and security measures that healthcare institutions and providers must undertake to ensure that confidential and protected health information (PHI) is never shared externally or misused by a third party.

The general rules of HIPAA Security require entities to:

• Ensure confidentiality, integrity, and availability of all electronic PHI the entity creates, receives, maintains, and transmits
• Protect against any reasonable threat or hazards to the security or integrity of this information
• Protect against any reasonably anticipated disclosures of this information to a third party that is not permitted or required under privacy regulations
• Ensure compliance with these regulations by its workforce

Further, requirements of HIPAA stipulate that any company (referred to as a ‘business associate”) offering services to healthcare organizations (known as a HIPAA covered entity) is required to first enter into a contract before its service can be used to share PHI. With this contract (known as a Business Associate Agreement, or BAA), the business associate acknowledges their responsibilities to safeguard the privacy and security of PHI.

During the pandemic, Zoom –like many communication apps used in healthcare– benefited from the lax enforcement of HIPAA rules. To ensure wide accessibility of healthcare resources while still promoting quarantine rules, The U.S. Department of Health and Human Services eased some of its regulations related to use of communication tools. Zoom faced mounting concerns over its app’s security, prompting the Zoom CEO to make a public commitment to upgrade security features, stating: “we are committed to dedicating the resources needed to better identify, address, and fix issues proactively.”

Since then Zoom for Healthcare security has been improved, with efforts made to promote its credentials as HIPAA compliant.

It meets these regulations using the following:

• Access Controls: these allow the healthcare staff to assign multi-layer access depending on the type of user (owner, admin, or member) and only display specific information and features depending on their unique user identification
• Audit Controls: Allowing Zoom admins to examine activity in their system and manage individual, group, or organizational controls
• Integrity: Controls to protect and encrypt meeting data and recordings, ensuring it is not shared with a third party
• Protected User Authentication and Meeting Access
• Transmission Security by employing 256-bit AES-GCM encryption for all data to protect healthcare information and sensitive patient data
• Screen Sharing & Chat controls that allow doctors and medical professionals to share only the relevant information with the patient or during calls

Zoom now also offers a signed Business Associate Agreement (BAA) with healthcare organizations. This is part of a paid subscription that’s not available with the free app. You can learn more about how Zoom for Healthcare is HIPAA compliant here.

Limits to Zoom

Despite important measures taken by Zoom to upgrade its security measures, the fact remains that these security features were added afterwards –rather than built by design. Instead of designing a HIPAA compliant solution from the ground-up, Zoom was able to start offering a HIPAA compliant plan by removing non-compliant features available on their regular plan.

As HIPAA compliant regulations begin to tighten up again, Zoom must continue to assess potential risks and constantly evaluate gaps in their security offerings.

Using Zoom, you are also obliged to have your customer data stored and processed within their own hosting infrastructure. However secure this infrastructure may be, it is still owned and controlled by Zoom. Some larger healthcare organizations may prefer to have their communication solution deployed within their own cloud or on-premise environment. That way they can ensure total ownership of patient data and control access.

Learn more about: HIPAA-Compliant Cloud Hosting, What Does it Mean

One last, but important point is that HIPAA compliance remains a shared responsibility. Zoom may offer a HIPAA compliant plan, but medical professionals and healthcare providers must also ensure best practices in their organization to meet these requirements. Healthcare organizations and personnel have to implement measures that allow them to use Zoom in a HIPAA compliant way.

Final thoughts

Medical professionals and staff can leverage the Zoom for Healthcare platform to provide telehealth services to their patients, making medical consultancy flexible, accessible, and inexpensive.

But to ensure that your organization works in a way that is truly HIPAA compliant, implementing Zoom for your healthcare needs requires the right processes within the organization so that the platform helps you get the best of its features while safeguarding sensitive patient data.

Despite the many advantages of Zoom, there are countless telehealth platforms to choose from, and many, unlike Zoom, have been built specifically for healthcare use cases. In addition to strong HIPAA compliant credentials, they also offer a wealth of healthcare-related features, like appointment scheduling, note-taking and sharing, online data gathering forms, and more. Q-Consultation for Healthcare is one such example. You can deploy this software where you want, access a rich array of administrative and communication features, and feel confident of secure communication. What’s more, you can try Q-Consultation LITE for free.