The Health Insurance Portability and Accountability Act (HIPAA) is the federal law that required the creation of national standards to protect sensitive patient health information. And the question “Is Zoom HIPAA Compliant?” has been around for several years now. The answer seems to be yes for now . . .
In this Article …
Zoom and HIPAA Compliance for Telehealth
That question (Is Zoom HIPAA compliant?) gained further urgency with the expansion of telehealth services during the COVID-19 pandemic. Telehealth proved to be an attractive way for many healthcare providers to continue to offer healthcare services when face-to-face contact was a hard sell for many patients. Telehealth platforms have thrived in this environment. But the end of the flexibilities available under the Public Health Emergency (PHE) for COVID-19 is in sight. What will this mean for a web conferencing platform like Zoom?
Zoom was quick to take advantage of the expansion of services covered by Medicare, Medicaid, and other payers after the PHE declaration in March 2020. It drafted a HIPAA Compliance Guide describing how Zoom complied with the provisions of the HIPAA Security Rule. Zoom updated the guide as a HIPAA Compliance Datasheet in August 2021.
The HIPAA standards addressed in the Datasheet include the following security features standards (highlights only).
- Access Control: Data in motion is encrypted at the application layer using the Advanced Encryption Standard (AES) with a 256-bit key. Meeting access is password protected. Meeting hosts can easily remove attendees and control attendee admittance. Meetings end automatically.
- Audit Controls: Data in motion traverse Zoom’s secured and distributed infrastructure. Platform connections are logged for audio and quality of service purposes.
- Integrity: Multi-layer integration protection is designed to protect both data and service layers. Controls are in place to protect and encrypt meeting data.
- Integrity Mechanism: Data connections leverage TLS 1.2 encryption and PKI Certificates issued by a trusted commercial certificate authority.
- Person or Entity Authentication: The meeting host must log into Zoom using a unique email address and account password. Access to the desktop or window for screen sharing can be locked by the host.
- Transmission Security: Zoom employs 256-bit AES-GCM encryption for data to protect health information.
- Security and Encryption: Only members invited by account administrators can host Zoom meetings in accounts with multiple members. Each meeting has only one host who controls meeting attendance through the use of meeting IDs and passwords.
- Screen Sharing in Healthcare: Medical professionals can use Zoom to meet with patients to screen-share health records. Screen sharing transmits encrypted screen capture along with mouse or keyboard strokes only. Screen sharing cannot be recorded on a HIPAA account. It is not stored or otherwise accessible by Zoom in Zoom’s environment.
Zoom and Business Associate Agreements
Zoom also offers a business associate agreement (BAA). This is a necessary step for a healthcare provider who wants to use Zoom when protected health information (PHI) is being transmitted or discussed. The BAA also provides that chat communications may be stored on Zoom on local devices of users. Zoom states it does not maintain the encryption keys for these chat communications.
Zoom’s BAA contains the usual and customary provisions seen in BAAs. Zoom’s BAA has provisions on reporting any use or disclosure of PHI not provided for in the BAA. And the BAA also includes language on mitigating the harmful effect of disclosure of PHI in violation of the BAA. It is noteworthy that other similar services do not include such provisions.
So … is Zoom HIPAA Compliant?
The answer seems to be yes for now, but stay tuned for further developments. CMS just issued information on the elements of telehealth that will continue in place and elements that will be discontinued. One of the important changes is the planned discontinuance of reimbursement for audio-only telehealth visits. CMS’ rationale is that telehealth visits should be analogous to face-to-face visits. Audio-only visits obviously fail that test. The only exceptions will be for certain mental health services.
The Office for Civil Rights (OCR) of the U.S. Health and Human Services Office (HHS) recently issued guidance on how the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-only Telehealth. OCR issued this guidance in June 2022, in anticipation of the end of the COVID-19 PHE. It is fairly ironic that the OCR considers telephonic audio-only transmissions to be secure, while CMS is concluding that audio-only telehealth will no longer be reimbursed.
What do these changes mean for Zoom with Regard to HIPAA Compliance?
During the COVID-19 PHE, healthcare professionals could use Zoom and several other “non-public facing” platforms for telehealth services, even if the platform would not sign a business associate agreement. And, potentially even if the platform allowed for access to the ePHI content of telehealth visits by the platform vendor. As noted above, Zoom provides for encryption of the chat function between users, but it does not provide for end-to-end encryption of the video portion of the sessions.
With the return of restrictions on audio-only telehealth visits, Zoom and other platforms will no doubt be in demand.
How should healthcare providers who want to continue to provide telehealth services proceed?
Again, the guidance on audio-only telehealth services helps. The guidance reminds us that physicians, other providers, and HIPAA covered entities should incorporate their telehealth platform vendor into their HIPAA Security Rule assessments. If a vendor has access to ePHI, you need a BAA with the vendor. And since vendors are often involved in data mining for marketing purposes, make sure they do not utilize or share protected health information without patient authorization!