Reviewed by the Security Compliance Guide Editorial Team, 2026-06-23.
Is Zoom HIPAA Compliant? Telehealth and Business Use (2026)
Zoom has become the default video conferencing platform for healthcare providers, therapists, and telehealth startups. But whenever protected health information enters a video call, the compliance question follows: does this platform meet HIPAA requirements? That question applies whether you are a solo therapist, a small clinic, a mid-market SaaS healthcare startup, or an enterprise hospital, and the answer varies depending on which Zoom product you use and how you configure it.
This guide covers which Zoom plans support a Business Associate Agreement, what HIPAA-specific configuration is required, common violations, and how Zoom compares to alternatives. A free Zoom account cannot be made HIPAA compliant regardless of settings. The right plan, correctly configured, can be.
The Short Answer
Yes, Zoom can be HIPAA compliant, but only with a paid plan that includes a Business Associate Agreement (BAA) and only when configured correctly. The free Zoom product does not qualify. Standard paid plans do not automatically qualify either. You need Zoom for Healthcare, Zoom Enterprise with a signed BAA, or an equivalent qualifying tier.
Any organization using Zoom to discuss, collect, or transmit protected health information (PHI) must sign a BAA with Zoom. You also need to implement HIPAA-specific administrative and technical safeguards.
Run this checklist before any clinical use of Zoom in your organization:
- Confirm your Zoom plan is Business Plus, Enterprise, or Zoom for Healthcare
- Request and sign the Zoom Business Associate Agreement (BAA)
- Disable cloud recording or configure encrypted, access-controlled recording
- Enforce waiting rooms and unique meeting IDs for every patient session
- Restrict screen sharing, public chat, and file transfer
- Train clinical staff on HIPAA-compliant video use
- Document Zoom in your HIPAA risk analysis and vendor risk program
What HIPAA Requires from Video Conferencing Vendors

Before we look at Zoom specifically, here is what HIPAA requires from any vendor that handles PHI on your behalf.
A Business Associate Agreement. Under the HIPAA Omnibus Rule (2013), any vendor that handles PHI for a covered entity is a business associate. You must sign a BAA with that vendor before PHI changes hands.
Technical safeguards. Encryption in transit and at rest, access controls, audit logging, and automatic logoff are all required under the HIPAA Security Rule.
Administrative safeguards. Workforce training, access management, incident response, and periodic security evaluation. These are your responsibility, but the vendor must support them with appropriate features.
Physical safeguards. Data center security, device management, and media disposal. Cloud vendors handle most of this for you.
Breach notification. The vendor must notify you of any breach affecting your PHI within 60 days at the latest, and often sooner depending on your BAA terms.
For the full framework, see our HIPAA compliance guide and HIPAA Security Rule safeguards.
Which Zoom Products Are HIPAA Compliant?
Not all Zoom products are eligible for HIPAA compliance. The table below maps Zoom plan tiers to BAA availability and HIPAA eligibility [Source: Zoom Trust Center, HIPAA, https://zoom.us/en/trust/hipaa/]:
| Zoom Plan | BAA Available? | HIPAA Compliant With Configuration? |
|---|---|---|
| Zoom Free | No | No |
| Zoom Pro | No | No |
| Zoom Business | Usually no | No |
| Zoom Business Plus | Yes on request | Yes, with BAA + configuration |
| Zoom Enterprise | Yes | Yes, with BAA + configuration |
| Zoom for Healthcare | Yes (default) | Yes, with configuration |
Zoom for Healthcare. Zoom's dedicated healthcare plan. Designed specifically for HIPAA compliance. Includes a BAA by default, waiting room enforcement, end-to-end encryption options, enhanced session security, EHR integration hooks, and business associate terms built into the master agreement.
Zoom Enterprise with BAA. Zoom Enterprise customers can request a signed BAA. This brings Zoom into HIPAA scope for your organization. Configuration is not automatic. You must disable cloud recording or enable HIPAA-specific recording controls, restrict meeting features that expose PHI, and train users.
Zoom Phone with BAA. Zoom Phone is available under a BAA for enterprise healthcare customers. Voice calls containing PHI require the same treatment as video.
Zoom Contact Center with BAA. The contact center product can be included in the BAA for healthcare organizations using it for patient support.
Zoom Team Chat. Zoom's chat functionality is covered under the BAA on qualifying plans. You should still avoid exchanging raw PHI in chat messages when possible.
Zoom Free, Zoom Pro, Zoom Business. These lower tiers do not support BAAs by default. Do not use them for any communication involving PHI. Even if your configuration looks secure, the lack of a BAA means you are violating HIPAA the moment PHI touches the call.
The Zoom Business Associate Agreement
The BAA is the contractual foundation of HIPAA compliance with Zoom. Here is what to know about the Zoom BAA specifically.
How to get one. Healthcare and Enterprise customers can request a BAA by contacting Zoom's compliance team or their account representative. The BAA is issued as an addendum to the master services agreement.
What it covers. Permissible uses and disclosures of PHI, safeguards Zoom agrees to implement, breach notification obligations, return or destruction of PHI at contract end, and subcontractor requirements.
What it does not cover. The BAA does not make your organization compliant. You still carry all HIPAA obligations on your end. The BAA only addresses the vendor relationship.
Subcontractor language. Zoom uses subprocessors for hosting, support, and some features. The BAA requires Zoom to maintain BAAs with those subprocessors. Review Zoom's current subprocessor list during your vendor risk assessment.
Termination and data return. At contract end, Zoom must return or destroy PHI in their possession. Document your termination procedures so this is smooth if you ever switch vendors.
For a deeper look at BAA obligations, see our HIPAA Business Associate Agreement guide.
HIPAA-Specific Zoom Configuration

Signing the BAA is step one. Configuring Zoom correctly is step two. A HIPAA-enabled Zoom account without proper settings can still create compliance violations.
Disable cloud recording unless encrypted and access-controlled. Cloud recordings of telehealth sessions contain PHI by definition. If you record, use encrypted cloud recording with strict access controls, or disable cloud recording entirely and require local recording on managed devices.
Enforce waiting rooms. Prevents unauthorized participants from joining sessions. Essential for patient privacy.
Restrict screen sharing. Limit screen sharing to hosts and approved presenters. An unattended screen share can expose PHI to other meeting participants.
Disable public chat or restrict to hosts. Chat messages during a meeting can contain PHI. Disable public chat or limit it to host-to-host communication.
Enable end-to-end encryption for sensitive sessions. End-to-end encryption (E2EE) is available for Zoom meetings but disables some features like cloud recording. Use it for highest-sensitivity telehealth sessions.
Require meeting passwords and unique meeting IDs. Do not use personal meeting IDs for patient sessions. Generate a unique meeting ID for each patient to prevent session crossover.
Configure automatic meeting locks. Lock meetings automatically once the expected participants join.
Enforce strong authentication. Require SSO or multi-factor authentication for all clinical staff. Service account credentials are not acceptable.
Disable file transfer. The meeting file transfer feature can leak PHI-containing documents. Disable unless operationally necessary.
Set session timeouts. Automatic logoff after inactivity is required under the HIPAA Security Rule.
Configure audit logging. Enable dashboard and audit log features. You need evidence of who joined which meetings and what actions they took.
Common HIPAA Violations with Zoom
The following violation patterns are drawn from published HHS Office for Civil Rights enforcement actions [Source: HHS OCR Enforcement Highlights, https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html] and OCR guidance on video conferencing and telehealth issued during and after the COVID-19 public health emergency.
OCR enforcement has repeatedly cited three root causes in telehealth-related breaches: failure to execute BAAs with technology vendors before PHI is transmitted; insufficient workforce training on secure video use; and failure to conduct or update risk analyses after adding new communication tools. The 2024 HIPAA Security Rule NPRM (89 Fed. Reg. 25054) proposed tightening these requirements, signaling increased scrutiny of video conferencing controls. Organizations should treat the patterns below as live enforcement risk, not theoretical.
Using a free or Pro account with patients. No BAA means every PHI interaction is a violation regardless of technical settings. This remains the most prevalent error OCR encounters in telehealth complaint investigations.
Recording sessions to personal Dropbox or Google Drive. Even if Zoom is properly configured, uploading recordings to a non-BAA cloud storage provider creates an independent HIPAA violation. OCR has cited this in several resolution agreements where organizations had a compliant primary platform but unsecured secondary storage.
Using personal meeting IDs. Patients joining the wrong meeting because staff reused personal IDs across appointments creates direct PHI exposure to unauthorized individuals.
Sharing meeting links in unsecured emails. Meeting links forwarded through non-encrypted email expose session access to third parties.
Discussing PHI in pre-meeting small talk. Staff discussing patient details before the patient joins, while another participant with meeting access is already connected.
Unattended screen shares. Clinical staff sharing their screen and failing to close an open EHR or patient chart before the meeting begins.
Inadequate workforce training. Staff who never received HIPAA training on video conferencing. This is a required administrative safeguard under 45 CFR § 164.308(a)(5). Training deficiencies are a consistently cited root cause in OCR enforcement actions across the 2022-2024 period, as reflected in published resolution agreements available at the HHS OCR enforcement database.
Failure to conduct risk analysis. The HIPAA Security Rule requires a documented risk analysis covering all systems handling PHI, including video conferencing tools. Many organizations add Zoom without updating their risk analysis. See our HIPAA risk assessment guide.
Missing audit logs. Treating Zoom as a black box without reviewing access logs. Required for incident response and breach investigation under 45 CFR § 164.312(b).
Using Zoom across state lines without licensure consideration. Separate from HIPAA but consistently bundled with telehealth audits. Verify state telemedicine licensure requirements independently.
Zoom vs Other HIPAA-Compliant Video Platforms
Zoom is not the only HIPAA-capable video platform. The compliance question is rarely which platform is "most HIPAA compliant", all the major platforms can meet the HIPAA baseline with the right tier and BAA. The practical differences between them come down to three factors: how much configuration work is required out of the box, how deeply they integrate with clinical workflow tools like EHRs, and what happens to your compliance posture when staff use the platform for general business meetings alongside clinical ones.
Microsoft Teams. HIPAA compliant with BAA on qualifying Microsoft 365 plans (including E3, E5, and Microsoft Cloud for Healthcare, verify current plan eligibility with Microsoft). EHR integration capabilities for Epic and Cerner are available under Microsoft Cloud for Healthcare. The compliance-relevant advantage over Zoom is that Teams integrates natively into Microsoft's broader security and compliance ecosystem (Purview, Defender, Entra ID), which means audit logging, DLP policies, and conditional access apply uniformly to Teams calls without separate configuration. Downside: less familiar to patients than Zoom, and the admin surface is larger. See Is Microsoft 365 HIPAA compliant.
Doxy.me. Purpose-built for healthcare telehealth. HIPAA-compliant defaults require less configuration than Zoom. The trade-off: it is a clinical-only tool, so organizations using a single platform for clinical and business communication will need a separate general video tool anyway. Best suited for solo and small-group practices with no general business video need.
Google Meet (Workspace for Healthcare). HIPAA compliant under Google Workspace for Healthcare with BAA. The compliance difference from Zoom is minimal. The practical difference is integration: if your organization already uses Google Workspace (Gmail, Drive, Calendar), Meet brings video into the same BAA and audit framework automatically. Fewer clinical-specific features than Zoom for Healthcare, but lower switching cost for Google-native organizations. See Is Google Workspace HIPAA compliant.
Webex Healthcare. Cisco's HIPAA-capable platform, with stronger native SIEM integration than Zoom or Teams for large health systems already using Cisco infrastructure. Higher deployment overhead and typically requires an IT-led rollout. Not practical for small or mid-size practices.
Updox, SimplePractice, TheraNest, Dentrix. Vertical-specific telehealth platforms for therapy, dental, and specialty practices. These embed video inside an integrated billing, scheduling, and EHR workflow, which eliminates the BAA-configuration-training overhead that general-purpose platforms like Zoom require. The trade-off is inflexibility: they do not replace general business video conferencing. For small practices where every patient interaction happens inside the platform, these are often lower total compliance risk than Zoom even though Zoom's HIPAA capability is technically equivalent.
Bottom line on platform selection: Zoom wins on ubiquity and patient familiarity, which is a real compliance benefit, patients who know how to join a Zoom call are less likely to resort to insecure workarounds (phone callbacks, text, personal email). Microsoft Teams wins on enterprise security integration. Purpose-built clinical tools win on compliance simplicity for single-specialty practices. Configuration work is the key differentiator: Zoom for Healthcare ships closer to compliant defaults than standard Zoom Enterprise, making it the lower-risk choice when your team's HIPAA configuration rigor is uncertain.
Is Zoom HIPAA Compliant in Practice?

Is Zoom HIPAA Compliant Enough for Full HIPAA Compliance?
No single vendor makes your organization HIPAA compliant. Zoom can be one HIPAA-capable piece of your compliance program. You still need the rest.
Policies and procedures. Written HIPAA policies covering video conferencing use, incident response, access management, and workforce training.
Workforce training. Annual HIPAA training for every employee who touches PHI, with documented completion. See HIPAA training requirements.
Risk analysis and management. Documented risk analysis covering Zoom and every other system handling PHI. Risk management plan with ongoing monitoring.
Incident response. Documented incident response plan with specific procedures for video conferencing incidents.
Audit controls. Regular review of Zoom logs, access reports, and unusual activity.
Vendor risk management. Annual vendor risk assessment of Zoom and your other HIPAA business associates.
Physical security. Device management for endpoints used to access Zoom. Encryption at rest on laptops used by clinical staff.
For a complete compliance framework, see our HIPAA compliance guide.
Zoom HIPAA Compliance for Specific Use Cases
Telehealth Providers
Use Zoom for Healthcare or Zoom Enterprise with BAA. Generate unique meeting IDs for each patient. Enforce waiting rooms. Disable public chat. Consider end-to-end encryption for sensitive sessions. Train clinicians on secure video practices. Document your risk analysis covering Zoom specifically.
Healthcare SaaS Companies (Business Associates)
If you build software that uses Zoom's SDK or API to handle PHI, you are a business associate yourself. You need your own BAA with covered entities that use your platform, and you need Zoom's BAA on the backend. Configuration and logging must flow through to your customers' compliance programs.
One frequently overlooked obligation for healthcare SaaS companies: the FTC Health Breach Notification Rule (16 CFR Part 318), as expanded by the FTC's 2024 amendments, applies to vendors of personal health records and related services that are not covered entities under HIPAA [Source: FTC Health Breach Notification Rule, https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule]. If your platform handles consumer health data and is not strictly a HIPAA business associate, you may have dual FTC notification obligations in addition to any HIPAA breach reporting. This distinction matters for telehealth SaaS companies operating direct-to-consumer alongside B2B healthcare clients.
See HIPAA compliance for SaaS startups.
Hospitals and Health Systems
Zoom Enterprise with BAA, integrated into your EHR where possible, managed through your identity provider with SSO and MFA, monitored through your SIEM. Apply centralized configuration policies and audit them quarterly.
Mental Health and Behavioral Health Providers
All of the above plus attention to 42 CFR Part 2 if you handle substance use disorder records. Part 2 was substantially revised by the 2024 Final Rule (published March 28, 2024, effective February 2025) [Source: SAMHSA, https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs]. The 2024 rule aligns Part 2 more closely with HIPAA for treatment, payment, and health care operations disclosures, but retains stricter patient consent requirements for other disclosures, including some operational sharing. Verify that your Zoom BAA and consent workflows account for Part 2 obligations if your patient population includes substance use disorder treatment.
Small Practices and Solo Providers
Small therapy practices, solo dental offices, and independent telehealth providers often wonder if Zoom is HIPAA compliant at their scale. The answer is yes, with a qualifying paid plan and signed BAA. A solo practitioner can get Zoom for Healthcare, sign the BAA in days, and operate compliantly. The common mistake is using a personal Pro plan, which does not qualify for a BAA, instead of moving to a qualifying tier.
General Business with Incidental PHI
If you are not a covered entity but occasionally discuss PHI in business conversations (for example, a legal firm representing healthcare clients), you still need a BAA with Zoom. Operate under the same configuration requirements as clinical users.
Breach Scenarios and HIPAA Exposure
Even with everything configured correctly, breaches happen. Here is how the most common Zoom-related breach scenarios map to HIPAA obligations.
Unauthorized participant joins a clinical session. Potential breach if PHI was discussed. Breach notification obligations may apply. Investigate, document, and determine breach status within 60 days.
Cloud recording accessed by unauthorized user. Breach. Determine scope of exposure, notify affected individuals, HHS, and potentially media if over 500 individuals affected.
Zoom account credentials stolen. Potential breach. Depends on what activity occurred with the compromised credentials. Rotate credentials immediately and investigate session logs.
Accidentally sharing screen with PHI visible. Breach if unauthorized viewers saw PHI. Determine scope, document, and follow breach notification rules.
Zoom itself suffers a security incident. Zoom must notify you under the BAA. You then evaluate whether your PHI was involved and handle downstream notifications.
HIPAA breach notification rules are specific and time-bound. See our guide on what counts as a HIPAA breach.
Frequently Asked Questions
Is Zoom HIPAA compliant for a solo therapist?
Yes. A solo practice can use Zoom for Healthcare with a signed BAA. Check Zoom's current pricing directly, but the administrative setup, requesting and signing the BAA, applying HIPAA configuration, is straightforward and typically completable within a few business days.
Is Zoom HIPAA compliant for a small dental office?
Yes, on Zoom for Healthcare or Zoom Business Plus with a BAA. Small practices regularly use this configuration for remote consultations and follow-ups.
Do I need a lawyer to sign the Zoom BAA?
Most small practices sign the standard Zoom BAA without legal review. Larger organizations negotiating custom terms or operating in multiple states should involve qualified counsel.
Is Zoom's free plan HIPAA compliant?
No. The free plan does not support a BAA. Never use free Zoom with patients or any PHI interaction.
Do I need Zoom for Healthcare, or is Enterprise enough?
Both can be HIPAA compliant with a BAA. Zoom for Healthcare has clinical-specific defaults and features that reduce configuration work. Zoom Enterprise is more general-purpose but can be configured for HIPAA use.
Can I use Zoom Pro if I sign the BAA?
Zoom only offers BAAs on qualifying plans, typically Enterprise, Business Plus, or Healthcare tiers. Pro and Business plans generally do not qualify. Confirm with your Zoom representative for current eligibility.
Are Zoom recordings HIPAA compliant?
Cloud recordings can be HIPAA compliant when stored in Zoom's encrypted cloud with access controls configured. Local recordings depend on the security of the device storing them.
Does the Zoom BAA cover Zoom Phone?
Yes, Zoom Phone can be included in the BAA for enterprise healthcare customers. Verify coverage explicitly in your signed agreement.
Is end-to-end encryption required for HIPAA?
Not explicitly. HIPAA requires encryption in transit and at rest. End-to-end encryption exceeds the baseline and is recommended for highest-sensitivity sessions, though it disables some collaboration features.
How do I verify Zoom is actually HIPAA compliant for my account?
Request a countersigned copy of the BAA from Zoom, review your subscription tier, and document your configuration against Zoom's published HIPAA configuration guide. All three should be in your compliance records.
Can patients join Zoom calls from any device?
Yes, patients can join from consumer devices. Your HIPAA obligations cover your side of the call. Patients are not required to have BAAs themselves, but advise them on device security as part of informed consent for telehealth.
Summary
Zoom is a legitimate HIPAA-capable option for telehealth and healthcare communication, but only on qualifying paid plans with a signed BAA and the correct configuration applied. Free Zoom and Pro cannot be used for PHI, there is no configuration workaround. Default settings on qualifying paid plans are not HIPAA-ready either. Active configuration, workforce training, and a documented compliance program are all required.
If you are evaluating video platforms for a healthcare organization, Zoom, Microsoft Teams, and Google Meet are all capable of HIPAA compliance with the right tier and configuration. The choice typically comes down to existing technology stack, EHR integration needs, and clinical workflow requirements.
For the broader HIPAA program, start with our HIPAA compliance guide and work through the HIPAA Security Rule safeguards checklist next.
Sources: HIPAA Privacy Rule (45 CFR Part 164), HIPAA Security Rule (45 CFR Part 164 Subpart C), Zoom Trust Center, HIPAA, HHS Office for Civil Rights Enforcement Highlights, HIPAA Security Rule NPRM 2024 (89 Fed. Reg. 25054), SAMHSA 42 CFR Part 2 Final Rule (2024), FTC Health Breach Notification Rule.
Last reviewed: 2026-07-01. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
