Is Zoom HIPAA Compliant? Telehealth Guide (2026)

Zoom has become the default video conferencing platform for healthcare providers, therapists, and telehealth startups. But whenever protected health information enters a video call, the HIPAA question shows up. Is Zoom HIPAA compliant? That is the single most common question from healthcare providers evaluating telehealth tools. Is Zoom HIPAA compliant enough for a small practice? Is Zoom HIPAA compliant for enterprise health systems? And which specific Zoom products actually meet the standard?

This guide answers those questions directly, whether you are a solo therapist, a small clinic, a mid-market SaaS healthcare startup, or an enterprise hospital. Zoom can be HIPAA compliant, but only under specific conditions, using specific plans, and with specific configuration. A free Zoom account is not HIPAA compliant, no matter how careful you are with settings. Here is exactly what you need to know as a healthcare organization, a telehealth provider, or a business associate subject to HIPAA.

The Short Answer

Yes, Zoom can be HIPAA compliant, but only with a paid plan that includes a Business Associate Agreement (BAA) and only when configured correctly. The free Zoom product does not qualify. Standard paid plans do not automatically qualify either. You need Zoom for Healthcare, Zoom Enterprise with a signed BAA, or an equivalent qualifying tier.

Any organization using Zoom to discuss, collect, or transmit protected health information (PHI) must sign a BAA with Zoom. You also need to implement HIPAA-specific administrative and technical safeguards.

✅ Key Takeaway
Zoom is HIPAA capable, not HIPAA compliant by default. Compliance requires a qualifying paid plan, a signed Business Associate Agreement, and HIPAA-specific configuration applied to every relevant account.

Before we dive in, here is the short checklist every healthcare organization asking "is Zoom HIPAA compliant" should run:

  • Confirm your Zoom plan is Business Plus, Enterprise, or Zoom for Healthcare
  • Request and sign the Zoom Business Associate Agreement (BAA)
  • Disable cloud recording or configure encrypted, access-controlled recording
  • Enforce waiting rooms and unique meeting IDs for every patient session
  • Restrict screen sharing, public chat, and file transfer
  • Train clinical staff on HIPAA-compliant video use
  • Document Zoom in your HIPAA risk analysis and vendor risk program

What HIPAA Requires from Video Conferencing Vendors

Before we look at Zoom specifically, here is what HIPAA requires from any vendor that handles PHI on your behalf.

A Business Associate Agreement. Under the HIPAA Omnibus Rule (2013), any vendor that handles PHI for a covered entity is a business associate. You must sign a BAA with that vendor before PHI changes hands.

Technical safeguards. Encryption in transit and at rest, access controls, audit logging, and automatic logoff are all required under the HIPAA Security Rule.

Administrative safeguards. Workforce training, access management, incident response, and periodic security evaluation. These are your responsibility, but the vendor must support them with appropriate features.

Physical safeguards. Data center security, device management, and media disposal. Cloud vendors handle most of this for you.

Breach notification. The vendor must notify you of any breach affecting your PHI within 60 days at the latest, and often sooner depending on your BAA terms.

For the full framework, see our HIPAA compliance guide and HIPAA Security Rule safeguards.

Which Zoom Products Are HIPAA Compliant?

Not all Zoom products are eligible for HIPAA compliance. Here is how the main Zoom tiers map to HIPAA eligibility as of 2026:

Zoom Plan             BAA Available?      HIPAA Compliant With Configuration?
Zoom Free             No                  No
Zoom Pro              No                  No
Zoom Business         Usually no          No
Zoom Business Plus    Yes, on request     Yes, with BAA + configuration
Zoom Enterprise       Yes                 Yes, with BAA + configuration
Zoom for Healthcare   Yes (default)       Yes, with configuration

Zoom for Healthcare. Zoom's dedicated healthcare plan. Designed specifically for HIPAA compliance. Includes a BAA by default, waiting room enforcement, end-to-end encryption options, enhanced session security, EHR integration hooks, and business associate terms built into the master agreement.

Zoom Enterprise with BAA. Zoom Enterprise customers can request a signed BAA. This brings Zoom into HIPAA scope for your organization. Configuration is not automatic. You must disable cloud recording or enable HIPAA-specific recording controls, restrict meeting features that expose PHI, and train users.

Zoom Phone with BAA. Zoom Phone is available under a BAA for enterprise healthcare customers. Voice calls containing PHI require the same treatment as video.

Zoom Contact Center with BAA. The contact center product can be included in the BAA for healthcare organizations using it for patient support.

Zoom Team Chat. Zoom's chat functionality is covered under the BAA on qualifying plans. You should still avoid exchanging raw PHI in chat messages when possible.

Zoom Free, Zoom Pro, Zoom Business. These lower tiers do not support BAAs by default. Do not use them for any communication involving PHI. Even if your configuration looks secure, the lack of a BAA means you are violating HIPAA the moment PHI touches the call.

The Zoom Business Associate Agreement

The BAA is the contractual foundation of HIPAA compliance with Zoom. Here is what to know about the Zoom BAA specifically.

How to get one. Healthcare and Enterprise customers can request a BAA by contacting Zoom's compliance team or their account representative. The BAA is issued as an addendum to the master services agreement.

What it covers. Permissible uses and disclosures of PHI, safeguards Zoom agrees to implement, breach notification obligations, return or destruction of PHI at contract end, and subcontractor requirements.

What it does not cover. The BAA does not make your organization compliant. You still carry all HIPAA obligations on your end. The BAA only addresses the vendor relationship.

Subcontractor language. Zoom uses subprocessors for hosting, support, and some features. The BAA requires Zoom to maintain BAAs with those subprocessors. Review Zoom's current subprocessor list during your vendor risk assessment.

Termination and data return. At contract end, Zoom must return or destroy PHI in their possession. Document your termination procedures so this is smooth if you ever switch vendors.

For a deeper look at BAA obligations, see our HIPAA Business Associate Agreement guide.

HIPAA-Specific Zoom Configuration

Signing the BAA is step one. Configuring Zoom correctly is step two. A HIPAA-enabled Zoom account without proper settings can still create compliance violations.

Disable cloud recording unless encrypted and access-controlled. Cloud recordings of telehealth sessions contain PHI by definition. If you record, use encrypted cloud recording with strict access controls, or disable cloud recording entirely and require local recording on managed devices.

Enforce waiting rooms. Prevents unauthorized participants from joining sessions. Essential for patient privacy.

Restrict screen sharing. Limit screen sharing to hosts and approved presenters. An unattended screen share can expose PHI to other meeting participants.

Disable public chat or restrict to hosts. Chat messages during a meeting can contain PHI. Disable public chat or limit it to host-to-host communication.

Enable end-to-end encryption for sensitive sessions. End-to-end encryption (E2EE) is available for Zoom meetings but disables some features like cloud recording. Use it for highest-sensitivity telehealth sessions.

Require meeting passwords and unique meeting IDs. Do not use personal meeting IDs for patient sessions. Generate a unique meeting ID for each patient to prevent session crossover.

Configure automatic meeting locks. Lock meetings automatically once the expected participants join.

Enforce strong authentication. Require SSO or multi-factor authentication for all clinical staff. Service account credentials are not acceptable.

Disable file transfer. The meeting file transfer feature can leak PHI-containing documents. Disable unless operationally necessary.

Set session timeouts. Automatic logoff after inactivity is required under the HIPAA Security Rule.

Configure audit logging. Enable dashboard and audit log features. You need evidence of who joined which meetings and what actions they took.

⚠ Warning
A HIPAA-signed Zoom account with default configuration is still a compliance risk. Default Zoom settings permit features like public chat, unrestricted screen sharing, and unencrypted cloud recording that create direct HIPAA exposures. Apply HIPAA-specific settings before any clinical use.
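The settings above become useful only when they are checked on every account, not just set once. The following added script (not Zoom's code) audits a constructed account settings export against that baseline, flagging each setting that drifts from it; the setting keys are an assumed shape for this example, not the real Zoom admin API schema, and the 15-minute idle logoff limit is an assumed threshold rather than a value the Security Rule specifies.

```python
"""Audit a Zoom account settings export against the HIPAA baseline above.

Added example, not Zoom's code. The settings keys are a constructed shape
for this example, NOT the real Zoom admin API schema; map them from your
own settings export. The 15-minute idle logoff limit is an assumed
threshold, not a value the HIPAA Security Rule specifies.
"""


def recording_ok(s):
    """Cloud recording passes only if disabled, or encrypted AND restricted
    to authenticated viewers (both controls are needed, not either one)."""
    if not s["cloud_recording"]:
        return True
    return s["recording_encrypted"] and s["recording_auth_required"]


# (setting, predicate over the whole settings dict, required state, safeguard)
RULES = [
    ("cloud_recording", recording_ok,
     "disabled, or encrypted with viewer authentication", "encryption at rest / access control"),
    ("waiting_room", lambda s: s["waiting_room"], "enabled for every meeting", "access control"),
    ("screen_share", lambda s: s["screen_share"] == "host_only", "host_only", "access control"),
    ("in_meeting_chat", lambda s: s["in_meeting_chat"] in ("disabled", "host_only"),
     "disabled or host_only", "minimum necessary"),
    ("passcode_required", lambda s: s["passcode_required"], "required", "access control"),
    ("pmi_for_scheduled_meetings", lambda s: not s["pmi_for_scheduled_meetings"],
     "disabled; one unique ID per patient session", "access control"),
    ("auto_lock", lambda s: s["auto_lock"], "lock once expected participants join", "access control"),
    ("login_method", lambda s: s["login_method"] in ("sso", "mfa"), "sso or mfa", "person authentication"),
    ("file_transfer", lambda s: not s["file_transfer"], "disabled", "transmission security"),
    ("idle_logoff_minutes", lambda s: 0 < s["idle_logoff_minutes"] <= 15,
     "automatic logoff within 15 minutes (assumed limit)", "automatic logoff"),
    ("audit_logging", lambda s: s["audit_logging"], "enabled", "audit controls"),
]


def audit(settings):
    """Return one finding per failed rule; an empty list means the baseline is met."""
    return [
        {"setting": key, "observed": settings[key], "required": required, "safeguard": safeguard}
        for key, check, required, safeguard in RULES
        if not check(settings)
    ]


# Constructed: a paid account left on permissive defaults, then the same
# account after the HIPAA-specific settings are applied.
PERMISSIVE = {
    "cloud_recording": True, "recording_encrypted": False, "recording_auth_required": False,
    "waiting_room": False, "screen_share": "all_participants", "in_meeting_chat": "everyone",
    "passcode_required": True, "pmi_for_scheduled_meetings": True, "auto_lock": False,
    "login_method": "password", "file_transfer": True, "idle_logoff_minutes": 0,
    "audit_logging": False,
}
HARDENED = {**PERMISSIVE, "recording_encrypted": True, "recording_auth_required": True,
            "waiting_room": True, "screen_share": "host_only", "in_meeting_chat": "host_only",
            "pmi_for_scheduled_meetings": False, "auto_lock": True, "login_method": "sso",
            "file_transfer": False, "idle_logoff_minutes": 15, "audit_logging": True}

if __name__ == "__main__":
    for f in audit(PERMISSIVE):
        print(f"{f['setting']}: observed {f['observed']!r}, need {f['required']} ({f['safeguard']})")
```

Note that HARDENED keeps cloud recording enabled and still passes, because encryption and viewer authentication are both on; dropping either one brings the finding back.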

Common HIPAA Violations with Zoom

Here are the most common Zoom-related HIPAA violations we see, based on published HHS Office for Civil Rights enforcement actions and healthcare compliance reports.

Using a free or Pro account with patients. No BAA means every PHI interaction is a violation. This is the single most common violation.

Recording sessions to personal Dropbox or Google Drive. Even if Zoom is compliant, uploading recordings to non-BAA cloud storage creates a separate violation.

Using personal meeting IDs. Patients joining the wrong meeting because staff reused personal IDs across appointments. Direct PHI exposure.

Sharing meeting links in unsecured emails. Meeting links forwarded through non-encrypted email expose session details to third parties.

Discussing PHI in pre-meeting small talk. Staff discussing patient details before the patient joins, while someone else with meeting access is already connected.

Unattended screen shares. Clinical staff sharing their screen and forgetting to close an open EHR or patient chart.

Inadequate workforce training. Staff who never received HIPAA training on video conferencing use. Training is a required administrative safeguard.

Failure to conduct risk analysis. The HIPAA Security Rule requires a documented risk analysis covering your video conferencing tools. Many organizations skip this entirely. See our HIPAA risk assessment guide.

Missing audit logs. Treating Zoom as a black box and never reviewing access logs. Required for incident response and breach investigation.

Using Zoom across state lines without licensure consideration. Separate from HIPAA but often bundled with telehealth compliance. Verify state telemedicine licensure requirements.

Zoom vs Other HIPAA-Compliant Video Platforms

Zoom is not the only HIPAA-capable video platform. Here is how it compares to alternatives healthcare providers typically evaluate.

Microsoft Teams. HIPAA compliant with BAA on Microsoft 365 E3, E5, and healthcare-specific plans. Deep EHR integrations for Epic and Cerner. Strong choice for healthcare organizations already on the Microsoft stack. See Is Microsoft 365 HIPAA compliant.

Doxy.me. Purpose-built for healthcare telehealth. Simpler feature set, easier compliance defaults, lower price. Less suitable for general business use alongside clinical use.

Google Meet (Workspace for Healthcare). HIPAA compliant under Google Workspace with BAA. Familiar interface, lower switching cost for Google-native organizations. Fewer clinical-specific features than Zoom for Healthcare. See Is Google Workspace HIPAA compliant.

Webex Healthcare. Cisco's HIPAA-capable platform. Strong for large health systems. Requires more IT effort to deploy.

Updox, SimplePractice, TheraNest, Dentrix. Vertical-specific telehealth platforms for therapy, dental, and specialty practices. Integrated billing and EHR. Less flexible than Zoom for mixed use.

Zoom's advantage is the combination of ubiquity, clinical features, and business-wide usability. Its disadvantage is the configuration work required to stay compliant.

Is Zoom HIPAA Compliant in Practice?

Is Zoom HIPAA Compliant Enough for Full HIPAA Compliance?

No single vendor makes your organization HIPAA compliant. Zoom can be one HIPAA-capable piece of your compliance program. You still need the rest.

Policies and procedures. Written HIPAA policies covering video conferencing use, incident response, access management, and workforce training.

Workforce training. Annual HIPAA training for every employee who touches PHI, with documented completion. See HIPAA training requirements.

Risk analysis and management. Documented risk analysis covering Zoom and every other system handling PHI. Risk management plan with ongoing monitoring.

Incident response. Documented incident response plan with specific procedures for video conferencing incidents.

Audit controls. Regular review of Zoom logs, access reports, and unusual activity.

Vendor risk management. Annual vendor risk assessment of Zoom and your other HIPAA business associates.

Physical security. Device management for endpoints used to access Zoom. Encryption at rest on laptops used by clinical staff.

For a complete compliance framework, see our HIPAA compliance guide.

Zoom HIPAA Compliance for Specific Use Cases

Telehealth Providers

Use Zoom for Healthcare or Zoom Enterprise with BAA. Generate unique meeting IDs for each patient. Enforce waiting rooms. Disable public chat. Consider end-to-end encryption for sensitive sessions. Train clinicians on secure video practices. Document your risk analysis covering Zoom specifically.

Healthcare SaaS Companies (Business Associates)

If you build software that uses Zoom's SDK or API to handle PHI, you are a business associate yourself. You need your own BAA with covered entities that use your platform, and you need Zoom's BAA on the backend. Configuration and logging must flow through to your customers' compliance programs. See HIPAA compliance for SaaS startups.

Hospitals and Health Systems

Zoom Enterprise with BAA, integrated into your EHR where possible, managed through your identity provider with SSO and MFA, monitored through your SIEM. Apply centralized configuration policies and audit them quarterly.

Mental Health and Behavioral Health Providers

All of the above plus special attention to 42 CFR Part 2 if you handle substance use disorder records. Part 2 has stricter consent requirements than HIPAA baseline. Verify Zoom's BAA and your processes accommodate Part 2 when applicable.

Small Practices and Solo Providers

Small therapy practices, solo dental offices, and independent telehealth providers often wonder if Zoom is HIPAA compliant at their scale. The answer is yes, with a qualifying paid plan and signed BAA. A solo practitioner can get Zoom for Healthcare for a reasonable monthly cost, sign the BAA in days, and operate compliantly. The common mistake is using a $15/month personal Pro plan instead of the qualifying tier.

General Business with Incidental PHI

If you are not a covered entity but occasionally discuss PHI in business conversations (for example, a legal firm representing healthcare clients), you still need a BAA with Zoom. Operate under the same configuration requirements as clinical users.

Breach Scenarios and HIPAA Exposure

Even with everything configured correctly, breaches happen. Here is how the most common Zoom-related breach scenarios map to HIPAA obligations.

Unauthorized participant joins a clinical session. Potential breach if PHI was discussed. Breach notification obligations may apply. Investigate, document, and determine breach status within 60 days.

Cloud recording accessed by unauthorized user. Breach. Determine scope of exposure, notify affected individuals, HHS, and potentially media if over 500 individuals affected.

Zoom account credentials stolen. Potential breach. Depends on what activity occurred with the compromised credentials. Rotate credentials immediately and investigate session logs.

Accidentally sharing screen with PHI visible. Breach if unauthorized viewers saw PHI. Determine scope, document, and follow breach notification rules.

Zoom itself suffers a security incident. Zoom must notify you under the BAA. You then evaluate whether your PHI was involved and handle downstream notifications.

HIPAA breach notification rules are specific and time-bound. See our guide on what counts as a HIPAA breach.

💡 Pro Tip
Document every Zoom-related incident even if you determine it is not a reportable breach. The documentation itself is a HIPAA requirement and protects you during OCR audits.

Fast Answers for Busy Practices

Q: Is Zoom HIPAA compliant for a solo therapist? A: Yes. A solo practice can use Zoom for Healthcare with a signed BAA. The monthly cost is affordable for small businesses, and setup takes less than a week.

Q: Is Zoom HIPAA compliant for a small dental office? A: Yes, on Zoom for Healthcare or Zoom Business Plus with a BAA. Small businesses use this exact setup regularly for remote consultations.

Q: Do I need a lawyer to sign the Zoom BAA? A: Most small businesses sign the standard Zoom BAA without legal review. Larger organizations with negotiated terms should involve counsel.

Frequently Asked Questions

Is Zoom's free plan HIPAA compliant?

No. The free plan does not support a BAA. Never use free Zoom with patients or any PHI interaction.

Do I need Zoom for Healthcare, or is Enterprise enough?

Both can be HIPAA compliant with a BAA. Zoom for Healthcare has clinical-specific defaults and features that reduce configuration work. Zoom Enterprise is more general-purpose but can be configured for HIPAA use.

Can I use Zoom Pro if I sign the BAA?

Zoom only offers BAAs on qualifying plans, typically Enterprise, Business Plus, or Healthcare tiers. Pro and Business plans generally do not qualify. Confirm with your Zoom representative for current eligibility.

Are Zoom recordings HIPAA compliant?

Cloud recordings can be HIPAA compliant when stored in Zoom's encrypted cloud with access controls configured. Local recordings depend on the security of the device storing them.

Does the Zoom BAA cover Zoom Phone?

Yes, Zoom Phone can be included in the BAA for enterprise healthcare customers. Verify coverage explicitly in your signed agreement.

Is end-to-end encryption required for HIPAA?

Not explicitly. HIPAA requires encryption in transit and at rest. End-to-end encryption exceeds the baseline and is recommended for highest-sensitivity sessions, though it disables some collaboration features.

How do I verify Zoom is actually HIPAA compliant for my account?

Request a countersigned copy of the BAA from Zoom, review your subscription tier, and document your configuration against Zoom's published HIPAA configuration guide. All three should be in your compliance records.

Can patients join Zoom calls from any device?

Yes, patients can join from consumer devices. Your HIPAA obligations cover your side of the call. Patients are not required to have BAAs themselves, but advise them on device security as part of informed consent for telehealth.

Bottom Line

The answer to "is Zoom HIPAA compliant" is nuanced. Is Zoom HIPAA compliant in its free or Pro tiers? No. Is Zoom HIPAA compliant with the right plan and configuration? Yes. Zoom is a legitimate HIPAA-compliant option for telehealth and healthcare communication, but only on qualifying paid plans with a signed BAA and proper configuration. Free Zoom is a non-starter for any PHI use. Default settings on paid plans are not enough. You must actively configure Zoom for HIPAA use, train your workforce, and maintain the broader compliance program that HIPAA requires.

If you are evaluating video platforms for a healthcare organization, Zoom, Microsoft Teams, and Google Meet are all capable of HIPAA compliance with the right tier and configuration. The choice typically comes down to existing technology stack, EHR integration needs, and clinical workflow requirements.

For the broader HIPAA program, start with our HIPAA compliance guide and work through the HIPAA Security Rule safeguards checklist next.

Sources: HIPAA Privacy Rule (45 CFR Part 164), HIPAA Security Rule (45 CFR Part 164 Subpart C), Zoom HIPAA Compliance Guide, HHS Office for Civil Rights enforcement data.

Security Compliance Guide Editorial Team
Author
Security Compliance Guide Editorial Team covers topics in this category and related fields. Views expressed are editorial and based on research and experience.