April 16, 2024
5 min read

Is Zoom HIPAA Compliant?

Learn if Zoom is HIPAA compliant and how Strac protects sensitive information on Zoom

TL;DR

  • Zoom and HIPAA Compliance: Zoom has implemented security features to meet HIPAA standards, but healthcare organizations must configure it properly to use it in compliance with HIPAA, especially when handling PHI.
  • Business Associate Agreement (BAA): Zoom is willing to sign a BAA with healthcare organizations, a critical step for ensuring HIPAA compliance.
  • Storing PHI in Zoom: Zoom is used primarily for video communication and messaging, so it requires proper configuration and controls to comply with HIPAA standards.
  • Risk of PHI Leakage: Despite robust security measures, the risk of PHI leakage exists in Zoom. This can happen through accidental sharing during meetings or unauthorized access.
  • Strac Zoom DLP: Strac's DLP solution for Zoom enhances security and compliance by identifying and remediating sensitive information in real time during Zoom communications, enforcing compliance measures while mitigating insider threats.

Is Zoom HIPAA Compliant?

Zoom is a popular video conferencing application that is used by organizations operating in various sectors, including healthcare. To meet the Health Insurance Portability and Accountability Act (HIPAA) standards, Zoom has implemented several security features that align with HIPAA compliance.

However, Zoom must be properly configured to ensure that a healthcare organization's use of the application complies with HIPAA rules, especially when it comes to handling electronic Protected Health Information (ePHI).

Will Zoom Sign a Business Associate Agreement?

To comply with HIPAA, third-party vendors must have a Business Associate Agreement (BAA) in place with their customers. The agreement outlines the responsibilities of both parties in safeguarding PHI. 

Yes, Zoom is willing to sign a BAA with healthcare organizations. Zoom began offering a business associate agreement to organizations in the healthcare industry in early 2022.

Signing a BAA is a crucial step towards ensuring HIPAA compliance.

Can You Store Protected Health Information in Zoom?

Yes. It is possible to use Zoom to handle Protected Health Information, provided your organization configures the application to support HIPAA compliance.

While Zoom primarily facilitates video communications and does not store PHI in the same way that a record-keeping application would, participants might share sensitive data during virtual meetings, such as financial records, personal information or PHI.

Without proper controls, this information can be exposed to unauthorized participants or leaked outside the organization. Therefore, to fully comply with HIPAA standards, many organizations adopt an additional, more manageable solution to prevent data breaches and compliance violations. Some solutions enforce strict security measures while keeping the Zoom experience user-friendly.

Can PHI or Patient Data Be Leaked from Zoom?

Even after properly configuring Zoom for HIPAA compliance, there is always a risk of PHI being leaked.

Despite Zoom's robust security measures, participants in a video conferencing session might accidentally share sensitive information. Unauthorized access to video conferences is another potential vulnerability. It's crucial for healthcare organizations to train their staff on the appropriate use of Zoom and to apply all necessary configurations to minimize these risks.

[Image: Sample PHI document]

Organizations can safeguard ePHI by adopting feature-rich Data Loss Prevention (DLP) solutions that add a definitive layer of security to video conferencing applications, such as Zoom.

How Does Strac Protect Zoom Against Data Leaks?

Strac Zoom DLP is a data loss prevention software offering features around content analysis, compliance enforcement, and mitigation of insider threats.

Zoom DLP facilitates secure collaboration, promotes user education, and integrates with wider organizational data protection strategies to enhance security and compliance in all Zoom communications.

[Image: Sensitive data on Zoom]

Here’s how Strac keeps your organization's Zoom communications and sensitive data secure at all times:

  • Implementing Content Analysis and Filtering: Zoom DLP analyzes the content shared during Zoom meetings and in chats in real time, identifies sensitive information based on predefined policies and rules, and remediates it by redacting or deleting the sensitive data. Further details can be found in the developer documentation.
  • Enforcing Compliance Measures: Zoom DLP helps enforce compliance with various regulations by ensuring that only authorized data is shared during meetings and that any sharing is logged and auditable. This includes redaction features to anonymize sensitive information before it is shared.
  • Mitigating Insider Threats: By monitoring data shared on Zoom, Strac DLP detects and prevents unauthorized disclosures by insiders, whether malicious or accidental. This includes tracking file uploads and messages sent through Zoom's chat feature. Discover more through our range of DLP integrations.
  • Facilitating Secure Collaboration: Zoom DLP enables secure collaboration within Zoom by ensuring that only approved information is shared with external parties. Policies can be configured to restrict sharing based on user roles, meeting settings, or the sensitivity of the data.
  • Promoting User Education: Strac Zoom DLP provides immediate feedback to users attempting to share sensitive information, educating them on data protection policies and reducing accidental data leaks. Learn more by exploring the catalog of sensitive data elements.
  • Integrating with Organizational Policies: Zoom DLP can be integrated with broader organizational data protection strategies, ensuring consistency across all communication channels. This includes alignment with existing DLP policies for email, customer support, Slack, MS Teams, Jira, Confluence, ChatGPT, cloud storage like AWS S3, and other platforms.
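To make the content-analysis and compliance-logging steps above concrete, here is an added illustration (not Strac's code, and not Zoom's API) of a minimal policy-driven chat scanner: each message is checked against a PHI detector policy, matches are redacted in place, a message carrying several distinct PHI types is deleted whole, and an audit record is produced that never stores the matched value. The detector regexes, the threshold and the sample messages are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Policy: detector name -> pattern. These regexes are illustrative placeholders;
# production detectors add checksum and context validation to cut false positives.
PHI_POLICY = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

@dataclass
class ScanResult:
    text: str                  # message as delivered ("" when deleted)
    detectors: list = field(default_factory=list)
    action: str = "allow"      # allow | redact | delete

def remediate(message: str, delete_threshold: int = 2) -> ScanResult:
    """Redact each PHI match in place; if a message carries delete_threshold or
    more distinct PHI element types, drop it whole instead of half-redacting."""
    hits, text = [], message
    for name, pattern in PHI_POLICY.items():
        if pattern.search(text):
            hits.append(name)
            text = pattern.sub(f"[REDACTED {name.upper()}]", text)
    if not hits:
        return ScanResult(message)
    if len(hits) >= delete_threshold:
        return ScanResult("", hits, "delete")
    return ScanResult(text, hits, "redact")

def audit_record(sender: str, channel: str, result: ScanResult) -> dict:
    """Entry for the compliance log: records what matched and what was done,
    never the PHI value itself, so the log does not become a second PHI store."""
    return {"sender": sender, "channel": channel,
            "action": result.action, "detectors": sorted(result.detectors)}

if __name__ == "__main__":
    # Constructed sample chat messages, not real data.
    samples = [
        ("nurse.a", "Patient J. Doe, MRN: 00123456, callback 555-867-5309"),
        ("billing.b", "Claim needs SSN 123-45-6789 before Friday"),
        ("dr.c", "Standup moved to 3pm"),
    ]
    for sender, msg in samples:
        r = remediate(msg)
        print(audit_record(sender, "meeting-chat", r), "->", repr(r.text))
```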

For more on how Strac helps organizations bring their use of third-party applications like Zoom into full compliance with HIPAA standards, see our guide to HIPAA Compliance.

See the Strac catalog of configurable sensitive data elements. Book a free 30-minute demo to learn more about our DLP solutions.

Founder, Strac. ex-Amazon Payments Infrastructure (Widget, API, Security) Builder for 11 years.
