Is Zoom HIPAA Compliant? What Providers Need to Know (2026)
Zoom can be HIPAA compliant — but only with a paid plan, a signed BAA, and the right settings. Here is what independent practices need to configure.

Zoom can be HIPAA compliant — but only under specific conditions. You need a qualifying paid plan (Zoom for Healthcare or Zoom Workplace Business and above), a signed Business Associate Agreement (BAA) with Zoom, and a set of security configurations applied to your account. The free plan, Zoom Basic, and standard Zoom Pro plans without the healthcare add-on do not meet HIPAA requirements. If you are using any of those to conduct patient visits, you are operating outside of compliance right now.
This matters because Zoom does not enable HIPAA-compliant settings by default. Purchasing the right plan is step one. Configuring it correctly is where most practices fail.
What Zoom Provides for HIPAA Compliance
When you are on a qualifying plan with a signed BAA, Zoom provides several controls that support HIPAA compliance for video conferencing:
Business Associate Agreement. Zoom will sign a BAA that covers Zoom Meetings, Zoom Phone, Zoom Team Chat, and Zoom Rooms when used under a qualifying plan. The BAA defines Zoom's obligations for handling protected health information (PHI) transmitted through the platform.
AES-256 GCM encryption. Zoom encrypts meeting audio, video, and screen sharing in transit using AES-256 GCM encryption. This is the same encryption standard used by financial institutions and government agencies.
Waiting rooms and passcodes. Hosts can require participants to wait in a virtual lobby before being admitted, and meetings can require passcodes to join. Both features prevent unauthorized individuals from entering a patient session.
Host controls. The host can mute participants, remove attendees, lock meetings after all participants have joined, and control screen sharing permissions. These controls reduce the risk of unauthorized disclosure during a session.
Cloud recording with encryption. If you use cloud recording, Zoom encrypts recordings at rest. Access to recordings can be restricted by role and protected with passwords.
Admin controls for data sharing. Account administrators can disable integrations, restrict file transfers, and control which features are available to users within the organization.
What Zoom Does Not Do
Zoom handles video conferencing. It does not handle HIPAA compliance. That distinction is critical, and it is where independent practices consistently get into trouble.
Zoom does not make your practice compliant. A signed BAA with Zoom covers Zoom's obligations as a business associate. It does not cover your obligations as a covered entity. You are still responsible for the full scope of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.
Zoom does not encrypt chat messages end-to-end by default. In-meeting chat and persistent Team Chat messages are encrypted in transit and at rest, but they are not end-to-end encrypted unless you specifically enable Zoom's E2EE feature — which disables certain functionality like cloud recording and breakout rooms.
Zoom does not monitor who accesses recordings. Zoom stores recordings and restricts access based on your settings, but it does not audit who views them, when, or how many times. That audit trail is your responsibility.
Zoom does not handle your risk assessment. The HIPAA Security Rule requires a current, thorough risk assessment covering all systems that touch ePHI — not just video conferencing. Zoom is one tool in your stack. The risk assessment covers all of them.
Zoom does not cover other tools in your workflow. Your EHR, email, file storage, messaging apps, fax service, and patient intake forms all require their own BAAs and security configurations. Zoom compliance is one line item, not the whole program.
Common Mistakes Practices Make with Zoom
These are the errors that come up repeatedly in practice — any one of them can create a compliance gap that is difficult to defend during an OCR investigation.
Using the free or basic plan and assuming it is compliant. Zoom Free and Zoom Basic do not support BAAs. Without a BAA, any PHI transmitted through the platform is an unmitigated HIPAA violation. There is no gray area here.
Not signing the BAA. Some practices purchase a qualifying plan but never execute the BAA. The BAA is not automatic — you must request it and sign it through Zoom's admin portal. Until that is done, Zoom has no contractual obligation to handle your data according to HIPAA standards.
Leaving cloud recordings accessible without access controls. Default sharing settings for cloud recordings may allow anyone with the link to view them. If a recording contains a patient session, that is unsecured PHI.
Not disabling file transfer and third-party integrations. Zoom supports file transfers in chat and integrations with dozens of third-party apps. Each integration that touches PHI requires its own BAA. If you have not vetted those integrations, disable them.
Sharing meeting links without passcodes. A meeting link without a passcode can be accessed by anyone who obtains the URL — whether through email forwarding, accidental sharing, or a compromised inbox.
Not training staff on proper use. A provider who understands the settings is not enough. Every staff member who uses Zoom for patient communication needs to know the correct procedures — how to enable waiting rooms, how to lock meetings, what not to share in chat.
Settings to Configure for HIPAA Compliance
Once you have a qualifying plan and a signed BAA, apply these settings in your Zoom admin dashboard:
- Enable waiting room — require all participants to be admitted by the host before entering the meeting. This prevents unauthorized access.
- Require meeting passcodes — set this as the default for all meetings, not just ad hoc ones, so that it applies to scheduled meetings, instant meetings, and meetings joined by phone.
- Disable cloud recording unless operationally required — if you do not need recordings, turn them off. If you do, restrict access to account administrators and set recordings to require a password for viewing.
- Disable file transfer in meetings — unless you have a documented business need and the transfer mechanism is covered under your compliance program, turn this off.
- Lock meetings after all participants join — prevents additional attendees from entering once the session is underway. Particularly important for one-on-one patient visits.
- Disable third-party integrations without BAAs — review every app connected to your Zoom account. If an integration has access to meeting data, chat content, or recordings and you do not have a BAA with that vendor, disable it.
- Restrict screen sharing to host only — unless clinically necessary, prevent participants from sharing their screens to reduce the risk of accidental PHI exposure.
- Enable the "Require encryption for 3rd party endpoints" setting — ensures that SIP/H.323 room systems connecting to your meetings use encryption.
These settings should be applied at the account level by an administrator, not left to individual users.
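As an added example that is not part of the original article or of Zoom's own tooling, the following Python script audits an account-settings export against the checklist above and reports each setting that deviates from the baseline. The JSON field names are assumptions modelled on Zoom's account-settings API and must be verified against Zoom's API reference before the check is used on a real account.

```python
import json

# Constructed sample of an account-settings export. The field names are
# ASSUMED (modelled on Zoom's account-settings API); verify them against
# Zoom's API reference before pointing this at a real account.
SAMPLE_SETTINGS_JSON = """{
  "schedule_meeting": {"require_password_for_scheduling_new_meetings": true,
                       "require_password_for_instant_meetings": false},
  "in_meeting": {"waiting_room": false, "file_transfer": true,
                 "who_can_share_screen": "all",
                 "require_encryption_for_3rd_party_endpoints": true},
  "recording": {"cloud_recording": true,
                "require_password_for_shared_cloud_recordings": false}
}"""

# One rule per checklist item: (dotted path, required value, finding text).
RULES = [
    ("in_meeting.waiting_room", True, "waiting room is disabled"),
    ("schedule_meeting.require_password_for_scheduling_new_meetings", True,
     "passcode not required for scheduled meetings"),
    ("schedule_meeting.require_password_for_instant_meetings", True,
     "passcode not required for instant meetings"),
    ("in_meeting.file_transfer", False, "in-meeting file transfer is enabled"),
    ("in_meeting.who_can_share_screen", "host", "participants may share their screen"),
    ("in_meeting.require_encryption_for_3rd_party_endpoints", True,
     "SIP/H.323 endpoints may connect without encryption"),
]

def lookup(settings, path):
    """Walk a dotted path; a missing key yields None, which fails its rule."""
    node = settings
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit(settings):
    """Return findings for the parsed settings; empty list means baseline met."""
    findings = [f"{path}: {msg} (found {lookup(settings, path)!r})"
                for path, want, msg in RULES if lookup(settings, path) != want]
    # Cloud recording is allowed only when viewing it requires a password.
    if lookup(settings, "recording.cloud_recording") is True and \
            lookup(settings, "recording.require_password_for_shared_cloud_recordings") is not True:
        findings.append("recording: cloud recording enabled without a viewing password")
    return findings

def audit_json(text):
    """Parse a settings export (JSON text) and audit it."""
    return audit(json.loads(text))
```

Running `audit_json(SAMPLE_SETTINGS_JSON)` on the constructed sample returns five findings; a missing key is reported as a gap rather than silently passing.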
Where Zoom Fits in Your Compliance Program
Zoom is a video conferencing tool. It handles one function in your practice's technology stack — real-time audio and video communication with patients.
HIPAA compliance is not a single tool. It is a program that covers every system, process, and person that touches protected health information. A compliant Zoom configuration addresses video conferencing. You still need:
- A current security risk assessment covering all ePHI systems — your EHR, email, file storage, messaging, and every connected device
- Written policies and procedures addressing the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule
- Workforce training that is documented, current, and covers role-specific risks
- BAA tracking for every vendor that handles PHI on your behalf — not just Zoom
- An incident response plan that your team can actually execute when something goes wrong
Zoom being properly configured is one checkbox. The compliance program is the full checklist.
Patient Protect monitors your complete compliance posture — including whether tools like Zoom are accounted for in your data flow, whether BAAs are current, and whether your risk assessment reflects your actual environment.
Frequently Asked Questions
Is Zoom Free HIPAA compliant?
No. Zoom Free does not support a Business Associate Agreement, which is a mandatory requirement under HIPAA for any vendor that handles PHI. Using Zoom Free for patient visits is a compliance violation regardless of what settings you configure.
Does Zoom sign a BAA?
Yes. Zoom signs BAAs for qualifying paid plans — Zoom for Healthcare, Zoom Workplace Business, Business Plus, and Enterprise. The BAA must be requested and executed through the Zoom admin portal. It is not applied automatically when you purchase a plan.
Can I use Zoom for telehealth visits?
Yes, if you are on a qualifying plan with a signed BAA and you have configured the security settings outlined above. Zoom for Healthcare is specifically designed for clinical use and includes features tailored to telehealth workflows.
Is Zoom end-to-end encrypted?
Zoom offers an optional end-to-end encryption (E2EE) feature, but it is not enabled by default. Standard Zoom meetings use AES-256 GCM encryption between the client and Zoom's servers. E2EE encrypts the session so that even Zoom cannot access the content, but it disables cloud recording, live transcription, and breakout rooms. For most practices, AES-256 GCM with a signed BAA satisfies the HIPAA encryption requirement.
What Zoom plan do I need for HIPAA compliance?
You need Zoom for Healthcare (a licensed add-on) or Zoom Workplace Business plan or higher. These are the plans that support BAA execution and include the administrative controls required for HIPAA compliance. Zoom Pro alone does not qualify unless the healthcare add-on is applied.
Patient Protect tracks your full compliance posture, including vendor BAAs and tool configurations, starting at $39/month.
