Zoom works great for a lot of things. Sharing protected health information with patients probably shouldn’t be one of them. At least not without some important caveats.

Since the pandemic, plenty of healthcare providers have defaulted to Zoom for video calls because their patients already knew how to use it. That’s a reasonable instinct. The standard version of Zoom, though, was built for convenience, not compliance, and using it for patient care without the right setup is a HIPAA violation waiting to happen.

Here’s what you actually need to know.

The short answer

Zoom can be HIPAA compliant, but only under specific conditions. You need Zoom for Healthcare, a signed Business Associate Agreement (BAA), and proper configuration across your organization. Without all three, you’re not covered.

The standard free or Pro plans don’t offer a BAA. No BAA means no legal framework for handling protected health information. Full stop.

What Zoom for Healthcare actually gets you

The healthcare-specific plan adds meaningful security on top of Zoom’s standard features: AES-256 end-to-end encryption, role-based access controls, waiting rooms, passcode protection, and HIPAA-compliant cloud storage. It also integrates with Epic, which matters if your team lives in that system.

That’s a real feature set. For large organizations already invested in Zoom across their operations, upgrading to the healthcare plan is a reasonable path.

Signing up for the right plan is the beginning, not the end, though. Your organization still has to configure meetings correctly, train staff on what they can and can’t share, control access to recordings, and secure every device that touches the platform. HIPAA compliance is a shared responsibility, and Zoom says so explicitly in the BAA.

A reason for caution

In 2020, over 500,000 Zoom accounts were compromised and sold. Zoom’s ubiquity makes it a consistent target. Live transcription, file sharing, and screen sharing are convenient features that become liabilities if access to them isn’t locked down. Convenience and compliance don’t always travel together.

Is there a simpler path?

For providers who want HIPAA-compliant video visits without building a security configuration from scratch, platforms built specifically for healthcare are worth a look. OhMD includes secure messaging, video visits, and digital intake in one place. Patients join from a text link with no app download required. Doxy.me is another browser-based option with a simple interface. Microsoft Teams and Cisco Webex both offer enterprise-grade healthcare configurations if you’re already in those ecosystems.

The bottom line

Zoom for Healthcare can absolutely meet HIPAA standards. “Can” is doing a lot of work in that sentence, though. If your organization has the IT infrastructure to configure it properly and train staff consistently, it’s a viable option. If you’re looking for a simpler route, look for something that works securely out of the box. A dedicated healthcare communication platform will get you there faster and with less risk.