Is Zoom HIPAA Compliant? What Healthcare Providers Must Know
Zoom offers HIPAA-compliant plans for healthcare organizations, but compliance depends entirely on how you configure and use the platform. A standard Zoom account is not HIPAA compliant. This is a common mistake among small practices, solo practitioners, and healthcare startups. You need a Zoom for Healthcare plan, a signed Business Associate Agreement (BAA), and proper security settings to use Zoom for telehealth or any communication involving protected health information (PHI).
For a full overview of HIPAA requirements, see our HIPAA compliance guide. Here is exactly what you need to know before using Zoom in a healthcare setting.
Does Zoom Sign a BAA?
Yes. Zoom will sign a Business Associate Agreement, which is required before any cloud service can be used with PHI under HIPAA. However, the BAA is only available on specific plan types:
- Zoom Workplace Business (and higher tiers)
- Zoom Workplace Enterprise
- Zoom for Healthcare (purpose-built healthcare plan)
Zoom's free plan and Zoom Workplace Basic plan do not include a BAA. Using these plans to discuss patient information, share medical records, or conduct telehealth visits is a HIPAA violation.
How to Get a Zoom BAA
- Purchase a Zoom Workplace Business, Enterprise, or Healthcare plan
- Contact Zoom sales or your account representative to request the BAA
- The BAA covers: Zoom Meetings, Zoom Phone, Zoom Team Chat, and Zoom Rooms (when enabled under the healthcare account)
- Review the BAA terms carefully. Zoom's standard BAA limits its liability and assigns specific security responsibilities to the customer
What Zoom for Healthcare Includes
Zoom for Healthcare is a dedicated plan designed for HIPAA-compliant telehealth. It includes features beyond the standard business plans:
Clinical features:
- Virtual waiting rooms with customizable patient intake
- EHR integration with Epic, Cerner (Oracle Health), and other major platforms
- Clinical collaboration tools for multi-provider consultations
- Patient self-scheduling through Zoom-integrated booking
Compliance features:
- BAA included by default
- Enhanced encryption settings pre-configured
- Compliance-focused admin controls
- Audit logging for all meetings involving PHI
Integration features:
- Direct EHR launch (patients join from their patient portal)
- HL7 FHIR support for clinical data exchange
- Integration with practice management systems
Security Settings You Must Configure

Having a BAA does not automatically make your Zoom environment HIPAA compliant. You must configure these security settings in the Zoom admin panel.
Encryption
Zoom offers two encryption options:
- Enhanced encryption (default): Encrypts data in transit using TLS 1.2 and at rest using AES-256. Encryption keys are managed by Zoom's cloud infrastructure. This meets HIPAA requirements for most use cases.
- End-to-end encryption (E2EE): Encryption keys are generated by meeting participants' devices and are not accessible to Zoom's servers. This provides stronger protection but disables some features (cloud recording, live transcription, breakout rooms).
For most telehealth organizations, enhanced encryption is sufficient and practical. E2EE is recommended for highly sensitive consultations where the provider wants to eliminate any possibility of server-side access.
Meeting Security Controls
Whether you are a solo therapist or a growing telehealth startup, configure these settings in the Zoom admin panel (Account Settings > Security):
| Setting | Recommended Configuration | Why |
|---------|--------------------------|-----|
| Waiting room | Enabled | Prevents unauthorized participants from joining telehealth sessions |
| Meeting password | Required | Adds an authentication layer beyond the meeting link |
| Only authenticated users can join | Enabled | Ensures only logged-in Zoom users can access meetings |
| Allow removed participants to rejoin | Disabled | Prevents re-entry after being removed for cause |
| Screen sharing | Host only (default) | Prevents patients or unauthorized users from sharing inappropriate content |
| File transfer in meeting chat | Disabled or host-only | Prevents uncontrolled PHI sharing through chat |
| Cloud recording auto-start | Disabled | Recordings containing PHI must be explicitly initiated and managed |
| Allow recording consent notification | Enabled | Legal requirement in many states for recording consent |
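The table above is the kind of baseline an admin should be able to verify rather than eyeball. The following is an added example, not Zoom's code or any Zoom API: it audits an exported account-settings document against that baseline, reports absent keys as findings instead of assuming they are compliant, and produces a corrected copy. The settings document is a constructed sample, and the dotted key paths (`in_meeting.waiting_room`, `recording.auto_recording`, and so on) are assumptions chosen to mirror the admin-panel grouping, not a verified schema of Zoom's settings export.

```python
"""Audit a Zoom-style account settings export against the telehealth
hardening baseline (waiting room, passcode, authenticated users, no rejoin,
host-only screen share, no in-meeting file transfer, no auto cloud recording,
recording consent prompt). Added example; key paths are ASSUMED, not a
verified Zoom schema."""

import copy
from dataclasses import dataclass
from typing import Any

MISSING = object()  # sentinel: the key path is absent from the export


@dataclass(frozen=True)
class Control:
    path: str      # dotted key path into the settings document (assumed naming)
    expected: Any  # value the baseline requires
    why: str       # rationale, taken from the table


# Baseline derived from the "Meeting Security Controls" table.
BASELINE = (
    Control("in_meeting.waiting_room", True, "keeps uninvited participants out of sessions"),
    Control("schedule_meeting.require_passcode", True, "authentication beyond possession of the link"),
    Control("schedule_meeting.only_authenticated_users_can_join", True, "only signed-in users may join"),
    Control("in_meeting.allow_removed_participants_to_rejoin", False, "no re-entry after removal for cause"),
    Control("in_meeting.screen_sharing.who_can_share", "host", "patients must not broadcast content to others"),
    Control("in_meeting.file_transfer", False, "no uncontrolled PHI through in-meeting chat"),
    Control("recording.auto_recording", "none", "PHI recordings must be started deliberately"),
    Control("recording.recording_consent_prompt", True, "consent notice before any recording"),
)


def lookup(doc: dict, path: str) -> Any:
    """Walk a dotted path; return MISSING if any segment is absent or not a mapping."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def audit(doc: dict) -> list[dict]:
    """One finding per control that is absent or not at its baseline value.
    Absent keys are reported (fail closed) rather than silently treated as compliant."""
    findings = []
    for c in BASELINE:
        actual = lookup(doc, c.path)
        if actual is MISSING:
            findings.append({"path": c.path, "status": "missing", "expected": c.expected,
                             "actual": None, "why": c.why})
        elif actual != c.expected:
            findings.append({"path": c.path, "status": "noncompliant", "expected": c.expected,
                             "actual": actual, "why": c.why})
    return findings


def apply_baseline(doc: dict) -> dict:
    """Return a deep copy of the export with every baseline control set to its expected value.
    Intermediate nodes that are absent or not mappings are replaced with new mappings."""
    fixed = copy.deepcopy(doc)
    for c in BASELINE:
        cur = fixed
        *parents, leaf = c.path.split(".")
        for part in parents:
            if not isinstance(cur.get(part), dict):
                cur[part] = {}
            cur = cur[part]
        cur[leaf] = c.expected
    return fixed


# CONSTRUCTED sample export: passcode is on, several controls are weak, two are absent.
WEAK_EXPORT = {
    "schedule_meeting": {"require_passcode": True},
    "in_meeting": {
        "waiting_room": False,
        "allow_removed_participants_to_rejoin": True,
        "screen_sharing": {"who_can_share": "all"},
        "file_transfer": True,
    },
    "recording": {"auto_recording": "cloud"},
}

HARDENED_EXPORT = apply_baseline(WEAK_EXPORT)


def format_report(findings: list[dict]) -> str:
    """Human-readable summary for a change ticket or audit log."""
    if not findings:
        return "all baseline controls present and compliant"
    lines = [f"{len(findings)} finding(s):"]
    for f in findings:
        lines.append(f"  [{f['status']}] {f['path']}: expected {f['expected']!r}, "
                     f"got {f['actual']!r} ({f['why']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(WEAK_EXPORT)))
    print(format_report(audit(HARDENED_EXPORT)))
```

Treating a missing key as a finding is the important design choice: a settings export that simply omits `recording_consent_prompt` tells you nothing about whether the control is on, so the audit refuses to mark it green until the key is present with the expected value.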
Chat and Messaging Controls
Zoom Team Chat can contain PHI if healthcare staff discuss patients. Configure these protections:
- Enable message retention policies (align with your organization's PHI retention schedule)
- Disable external chat contacts for healthcare-specific user groups
- Enable data loss prevention (DLP) integration if available on your plan
- Restrict file sharing in team chat to approved file types
Recording and Transcription
Cloud recordings of telehealth sessions contain PHI and must be protected:
- Store cloud recordings in a HIPAA-compliant location (Zoom's cloud with BAA, or download to your encrypted storage)
- Enable recording encryption
- Set automatic deletion after your retention period expires
- Disable local recording on managed devices unless your organization has endpoint encryption
- Live transcription outputs may contain PHI and must be treated accordingly
What Zoom Features Are NOT Covered by the BAA
Zoom's BAA has specific scope limitations. These features and products are typically excluded:
- Zoom Apps marketplace (third-party apps): Third-party apps accessed through Zoom are not covered by Zoom's BAA. Each app vendor needs their own BAA.
- Zoom AI Companion (AI features): Zoom's AI-powered meeting summaries, smart recording, and AI companion features may process PHI through AI models. As of early 2026, Zoom states that AI Companion data is not used to train models, but confirm with Zoom whether these features are included in your BAA scope.
- Zoom Events and Webinars: Large-scale events may not have the same access controls as meetings. Verify BAA coverage before using Zoom Events for healthcare content.
- Zoom Whiteboard: Data stored in whiteboards may not be covered. Avoid documenting PHI on Zoom Whiteboard.
Zoom vs. Competitors for Telehealth
How does Zoom compare to other video platforms for HIPAA-compliant telehealth?
Zoom vs. Microsoft Teams
Microsoft Teams also offers HIPAA-compliant plans with a BAA (through Microsoft 365 Business and Enterprise plans). Key differences:
- Integration: Teams integrates natively with Microsoft 365 and Azure, while Zoom integrates more broadly with EHR platforms
- Clinical features: Zoom for Healthcare has more purpose-built clinical features (virtual waiting rooms, EHR launch)
- Pricing: Teams is often included in existing Microsoft 365 subscriptions, making it cheaper for organizations already in the Microsoft ecosystem
- User experience: Zoom generally receives higher marks for ease of use from both providers and patients
Zoom vs. Doxy.me
Doxy.me is a telehealth-specific platform with a free HIPAA-compliant tier:
- Cost: Doxy.me offers a free plan with BAA (limited features). Zoom requires a paid plan for BAA.
- Simplicity: Doxy.me is browser-based with no download required. Zoom requires the desktop or mobile app for full functionality.
- Features: Zoom offers far more features (phone, chat, rooms, webinars). Doxy.me focuses exclusively on telehealth.
- Scale: Zoom is better for organizations that need video conferencing beyond telehealth (staff meetings, training, collaboration).
Zoom vs. Google Meet (Google Workspace)
Google Workspace for Healthcare includes Google Meet with a BAA:
- BAA scope: Google's BAA covers Meet, Gmail, Drive, and other Workspace products. Zoom's BAA is more limited in product scope.
- Integration: Google Meet integrates with Google Workspace tools. Zoom has stronger EHR integrations.
- Recording: Both offer encrypted cloud recording. Google stores in Drive; Zoom stores in their cloud.
- Compliance: Both meet HIPAA technical requirements when properly configured.
Zoom HIPAA Compliance Checklist

Before using Zoom for telehealth or any PHI-related communication, complete this checklist:
Administrative requirements:
- [ ] Purchase Zoom Workplace Business, Enterprise, or Healthcare plan
- [ ] Sign BAA with Zoom (confirm scope covers all products you intend to use)
- [ ] Create a Zoom usage policy for workforce members handling PHI
- [ ] Train all users on HIPAA-compliant Zoom practices
- [ ] Designate a Zoom admin responsible for security configuration
Technical configuration:
- [ ] Enable waiting rooms for all healthcare meetings
- [ ] Require meeting passwords
- [ ] Restrict screen sharing to host only
- [ ] Disable file transfer in meeting chat (or restrict to host)
- [ ] Configure cloud recording retention and encryption
- [ ] Disable local recording unless endpoints are encrypted
- [ ] Enable recording consent notifications
- [ ] Restrict external chat contacts for healthcare groups
- [ ] Review and disable AI features not covered by BAA
Ongoing compliance:
- [ ] Review Zoom admin audit logs monthly
- [ ] Update BAA annually or when plan changes occur
- [ ] Re-train workforce on Zoom HIPAA practices annually
- [ ] Monitor Zoom product updates for new features that may affect PHI
- [ ] Include Zoom in your annual HIPAA risk assessment
Quick Answers for Small Practices
Q: Can a solo therapist use Zoom for HIPAA compliance?
A: Yes, but you need at minimum a Zoom Workplace Business plan with a signed BAA. The free and Pro plans do not qualify. Budget approximately $18-$20 per month.
Q: Is Zoom cheaper than a dedicated telehealth platform?
A: For small practices, dedicated platforms like Doxy.me offer a free HIPAA-compliant tier. Zoom is better if you also need the platform for staff meetings, training, and collaboration beyond just patient visits.
Q: Do I need Zoom for Healthcare or is Business enough?
A: For most small practices and startups, Zoom Workplace Business with a BAA is sufficient. Zoom for Healthcare adds EHR integrations and clinical workflow features that larger organizations need.
Common Mistakes When Using Zoom for Healthcare
These are the errors healthcare organizations, from solo practitioners to growing startups, make most frequently:
- Using the free plan for telehealth. The free plan has no BAA. Every telehealth session on the free plan is a potential HIPAA violation.
- Assuming the BAA covers all Zoom products. The BAA has specific product scope. Using a product not covered by the BAA (like certain AI features or third-party Zoom Apps) with PHI is non-compliant.
- Not configuring security settings. A BAA without proper security configuration is like a fire alarm without batteries. Waiting rooms, passwords, and encryption settings must be actively configured.
- Recording without consent. Many states require two-party consent for recording. Healthcare organizations must notify patients before recording telehealth sessions and document consent.
- Sharing meeting links in unsecured channels. Emailing Zoom links for telehealth sessions without encryption exposes the link to interception. Use your patient portal or secure messaging to share meeting invitations.
- Letting patients share screens without controls. In group telehealth settings, unrestricted screen sharing can expose one patient's information to others.
Zoom Pricing for Healthcare Organizations

Zoom's healthcare-relevant plans (as of early 2026):
| Plan | Price (per user/month, annual billing) | BAA Available | Healthcare Features |
|------|---------------------------------------|---------------|-------------------|
| Zoom Workplace Basic | Free | No | None |
| Zoom Workplace Pro | ~$13.33 | No | None |
| Zoom Workplace Business | ~$18.32 | Yes (on request) | Basic |
| Zoom Workplace Enterprise | Custom pricing | Yes (included) | Standard |
| Zoom for Healthcare | Custom pricing | Yes (included) | Full clinical suite |
For small practices, startups, and organizations with fewer than 50 providers, Zoom Workplace Business with a BAA is typically sufficient. Larger health systems and organizations needing EHR integration should evaluate Zoom for Healthcare.
Frequently Asked Questions
Q: Is the free version of Zoom HIPAA compliant?
A: No. Zoom's free plan does not include a Business Associate Agreement, which is required under HIPAA before any cloud service can be used to store, process, or transmit protected health information. You need at minimum a Zoom Workplace Business plan to obtain a BAA.
Q: Does Zoom encrypt telehealth sessions?
A: Yes. Zoom encrypts meetings in transit using TLS 1.2 and at rest using AES-256 encryption. End-to-end encryption (E2EE) is also available as an optional setting, which prevents even Zoom from accessing the meeting content. Enhanced encryption (the default) is sufficient for HIPAA compliance.
Q: Can I use Zoom for therapy sessions?
A: Yes, provided you have a HIPAA-compliant Zoom plan with a signed BAA and proper security settings. Many mental health providers use Zoom for teletherapy. Enable waiting rooms, require passwords, disable recording unless clinically necessary, and ensure your state's telehealth regulations permit video-based therapy sessions.
Q: What happens if I use Zoom without a BAA for telehealth?
A: Using Zoom without a BAA for telehealth is a HIPAA violation. If a breach occurs, your organization faces penalties ranging from $137 to $68,928 per violation, with annual maximums of over $2 million. During the COVID-19 public health emergency, HHS temporarily waived enforcement for telehealth. That waiver has expired and full enforcement has resumed.
Q: Does Zoom's BAA cover Zoom Phone (VoIP)?
A: Zoom Phone is generally covered under the BAA for Zoom Workplace Business and Enterprise plans, but you must confirm this with your Zoom account representative. If healthcare staff use Zoom Phone to discuss patient information, the BAA must explicitly include Zoom Phone.
Q: Is Zoom for Healthcare worth the extra cost?
A: For large health systems and organizations with heavy EHR integration needs, yes. Zoom for Healthcare includes virtual waiting rooms, EHR integrations, and clinical workflow features that reduce friction for both providers and patients. For smaller practices that only need basic video visits, Zoom Workplace Business with a BAA provides adequate HIPAA compliance at a lower cost.
