A Psychiatrist Hit "Start Meeting" and Everything Went Wrong

A behavioral health provider in the Midwest was using Zoom for patient sessions throughout 2023. The sessions were convenient. Patients loved them. But the provider never signed a Business Associate Agreement with Zoom, never disabled cloud recording properly, and never trained staff on what settings to lock down.

When a former employee reported the practice to HHS, the investigation uncovered months of session recordings sitting in a standard Zoom cloud — not the HIPAA-compliant environment. Protected health information for over 500 patients was potentially exposed. The practice faced an OCR investigation and significant remediation costs.

So — is Zoom HIPAA compliant? The short answer is that Zoom can be HIPAA compliant. But the tool alone doesn't make you compliant. You do.

Is Zoom HIPAA Compliant Out of the Box? No.

This is the question I get more than almost any other from clinicians and practice managers. They assume that because Zoom offers a healthcare plan, they're covered. They're not — at least not automatically.

HIPAA doesn't certify software. No app, platform, or tool is "HIPAA compliant" by default. The law places obligations on covered entities and their business associates. Zoom is a business associate when it handles ePHI on your behalf. That means two things must happen before you use it for anything involving patient information.

First, you need a signed Business Associate Agreement (BAA) with Zoom. Second, you must configure the platform according to HIPAA requirements. Skip either step and you're exposed — legally, financially, and reputationally.

Zoom's Healthcare Plans vs. Standard Plans

Zoom offers specific plans designed for healthcare organizations, currently branded under Zoom Workplace for Healthcare. These plans include the option to execute a BAA and offer features such as encrypted storage for cloud recordings. Note that HIPAA itself prescribes no encryption standard; the Security Rule treats encryption as an addressable safeguard, so the controls you actually configure matter more than the plan's label. The standard Zoom plan that your cousin uses for book club? That's not the same product.

I've seen organizations burn themselves by assuming their existing Zoom Business license automatically qualifies. Don't assume: confirm in the admin portal that your plan is eligible for the BAA, and then actually execute it there. Zoom makes the BAA available, but they don't force you to sign it, and an unsigned BAA protects no one.

The BAA Is the Non-Negotiable First Step

Under the HIPAA Privacy Rule and Security Rule, any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity must sign a BAA. The HHS Office for Civil Rights has made this abundantly clear through enforcement. In 2023, OCR settled with MedEvolve, Inc. for $350,000 after an investigation revealed PHI had been accessible on the internet from an unsecured server; OCR also found that MedEvolve, itself a business associate, had failed to execute a BAA with one of its own subcontractors.

Without a BAA, you have no contractual assurance from Zoom about how your patients' data is safeguarded, and you are the party OCR holds accountable for the impermissible disclosure. If there's a breach, you bear the full weight of OCR's enforcement while Zoom points to the agreement you never signed. You can review OCR's guidance on business associate obligations directly at HHS.gov's Business Associate page.

What Zoom's BAA Actually Covers

Zoom's BAA covers the specific products and features listed in the agreement — typically Zoom Meetings, Zoom Phone, and Zoom Team Chat when used within the healthcare plan. It does not cover every Zoom product. Third-party apps, marketplace integrations, and features outside the BAA scope are your liability. Read the BAA carefully. I mean line by line.

Configuration Mistakes That Create Real HIPAA Violations

Signing the BAA is step one. Step two is where most organizations fumble. Zoom has dozens of settings, and the default configuration is not hardened for HIPAA compliance.

Here's what I've seen go wrong in actual audits and risk assessments:

  • Cloud recording left enabled for all users. Recordings of patient sessions stored without proper access controls create massive ePHI exposure. Disable cloud recording unless you have a documented, HIPAA-compliant workflow for it.
  • Waiting rooms and passcodes not enforced. Without these, unauthorized individuals can join sessions. That's a potential impermissible disclosure of PHI.
  • Chat transcripts auto-saved. If Zoom saves chat logs that contain patient information to a non-compliant location, you have a breach scenario on your hands.
  • File transfer enabled in meetings. Staff sharing clinical documents through Zoom's file transfer feature may be sending ePHI through channels you haven't secured.
  • Personal Zoom accounts used for work. This is shockingly common. A clinician uses their personal Zoom — no BAA, no configuration, no compliance.

Every one of these is preventable: the first four with admin-level settings that are locked so users cannot override them, and the last with proper HIPAA training for remote healthcare workers.

What About Zoom on Mobile Devices?

Here's where things get even more complicated. Your staff are joining Zoom calls from iPhones, Android tablets, and personal laptops. Each of those devices is a potential ePHI access point — and each one needs to be secured under your HIPAA Security Rule policies.

Mobile devices introduce risks that the desktop app doesn't. Missing screen-lock policies, unencrypted devices, unpatched apps, and a clinician joining a patient session from a coffee shop on public Wi-Fi are all risks I've encountered during risk assessments.

Your workforce needs specific training on handling PHI through mobile platforms. Our Mobile Devices & PHI training covers exactly these scenarios, including how to configure Zoom securely on personal and company-owned devices.

How to Make Zoom HIPAA Compliant: The Exact Checklist

If you're asking "is Zoom HIPAA compliant" because you're trying to figure out what your organization needs to do, here's the practical roadmap I walk clients through:

  • Upgrade to Zoom's healthcare plan. Confirm the plan supports BAA execution.
  • Sign the BAA. Do this through the Zoom admin portal before any patient interaction takes place on the platform.
  • Disable cloud recording by default. If you need recordings, establish a documented policy with encryption and access controls.
  • Enforce waiting rooms and meeting passcodes. Set these at the admin level so individual users can't override them.
  • Disable file transfer and auto-save chat unless you've built compliant, documented workflows around these features.
  • Require authentication for meeting participants. No anonymous join links for clinical sessions.
  • Train every staff member who touches Zoom. Not just clinicians — administrative staff, billing coordinators, anyone who might be on a call where PHI is discussed.
  • Document everything in your risk assessment. OCR wants to see that you identified telehealth as a risk vector and implemented safeguards.
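The configuration mistakes listed earlier and the checklist above are both really one task: compare what your tenant actually has set against a written policy, and treat any setting that is correct but not locked as a finding, because an unlocked setting can be flipped back by any user. The script below is an added example for this article, not Zoom's code and not part of the original page. It audits a settings export offline. The field names are assumptions modelled on the shape of Zoom's documented settings API (GET /users/{userId}/settings and GET /accounts/{accountId}/lock_settings); confirm them against an export from your own tenant before relying on the results. The sample inputs are constructed.

```python
"""Offline audit of a Zoom settings export against a telehealth hardening policy.

Added example, not Zoom's code. Field names are ASSUMED to follow Zoom's
settings API shape; verify against a real export from your tenant.
"""
import json
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of a user-settings export (assumed field names).
SAMPLE_SETTINGS = {
    "schedule_meeting": {
        "require_password_for_scheduled_meetings": True,
        # "meeting_authentication" deliberately absent to show the 'missing' case
    },
    "in_meeting": {"waiting_room": True, "file_transfer": False, "auto_saving_chat": True},
    "recording": {"cloud_recording": True},
}

# Constructed sample in the shape of an account lock-settings export:
# True means the admin has locked the setting so users cannot override it.
SAMPLE_LOCKS = {
    "schedule_meeting": {"require_password_for_scheduled_meetings": True},
    "in_meeting": {"waiting_room": False, "file_transfer": True, "auto_saving_chat": False},
    "recording": {"cloud_recording": False},
}

# The article's checklist as (section, field, required value, rationale).
POLICY = [
    ("recording", "cloud_recording", False, "session recordings must not land in cloud storage by default"),
    ("in_meeting", "waiting_room", True, "waiting room keeps uninvited participants out of sessions"),
    ("schedule_meeting", "require_password_for_scheduled_meetings", True, "passcode required on every scheduled meeting"),
    ("in_meeting", "auto_saving_chat", False, "chat that may contain PHI must not be auto-saved to disk"),
    ("in_meeting", "file_transfer", False, "no clinical documents through in-meeting file transfer"),
    ("schedule_meeting", "meeting_authentication", True, "participants must authenticate; no anonymous join"),
]


@dataclass
class Finding:
    setting: str            # "section.field"
    status: str             # "pass", "fail", "unlocked" or "missing"
    expected: bool
    actual: Optional[bool]
    locked: bool
    rationale: str


def audit(settings: dict, lock_settings: dict) -> list:
    """Compare every policy item against the export and classify it.

    A setting passes only if it has the required value AND is locked at the
    account level. A setting absent from the export is reported as 'missing'
    rather than silently treated as compliant.
    """
    findings = []
    for section, field, expected, rationale in POLICY:
        actual = settings.get(section, {}).get(field)
        locked = bool(lock_settings.get(section, {}).get(field, False))
        if actual is None:
            status = "missing"
        elif actual != expected:
            status = "fail"
        elif not locked:
            status = "unlocked"
        else:
            status = "pass"
        findings.append(Finding(f"{section}.{field}", status, expected, actual, locked, rationale))
    return findings


def is_compliant(findings: list) -> bool:
    """Zero tolerance: any item that is not a locked pass means the tenant is not hardened."""
    return all(f.status == "pass" for f in findings)


def report(findings: list) -> str:
    """Human-readable audit report, one line per policy item plus a verdict."""
    lines = [
        f"{f.status.upper():8} {f.setting} (expected={f.expected}, actual={f.actual}, "
        f"locked={f.locked}): {f.rationale}"
        for f in findings
    ]
    lines.append("RESULT: " + ("hardened" if is_compliant(findings) else "NOT hardened"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python zoom_audit.py settings.json lock_settings.json
    # With no arguments the constructed samples above are audited.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as s, open(sys.argv[2]) as lk:
            print(report(audit(json.load(s), json.load(lk))))
    else:
        print(report(audit(SAMPLE_SETTINGS, SAMPLE_LOCKS)))
```

Run against the constructed sample, the audit flags cloud recording and auto-saved chat as failures, the waiting room as correct but unlocked, and meeting authentication as missing from the export. Keep the report with your risk assessment; it is exactly the kind of evidence that shows you identified telehealth as a risk vector and checked the safeguards rather than assumed them.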

OCR Is Watching Telehealth Closely in 2026

The telehealth enforcement discretion that HHS exercised during the COVID-19 public health emergency ended on May 11, 2023, with a 90-day transition period that expired on August 9, 2023. Since then, OCR has returned to full enforcement of HIPAA requirements for telehealth platforms. The grace period is over.

In February 2024, OCR announced a settlement with Montefiore Medical Center for $4.75 million following insider data theft — a case that underscored how workforce access controls and monitoring are critical HIPAA safeguards. While not a telehealth case specifically, it reinforced OCR's focus on how organizations manage access to ePHI across all channels. You can track OCR's enforcement actions at HHS.gov's Enforcement page.

If your organization is using Zoom for telehealth in 2026 without a BAA and proper configuration, you are operating in direct violation of the HIPAA Privacy and Security Rules. It's not a gray area. It's a documented, enforceable gap.

Remote Staff Need More Than a Zoom Login

The biggest blind spot I encounter isn't technical. It's human. Organizations hand staff a Zoom license and assume compliance follows. It doesn't.

Remote and hybrid workers need targeted training on protecting PHI in home environments. Where are they taking calls? Who else is in the room? Is their home Wi-Fi encrypted? Are they using a shared family computer?

These aren't hypothetical concerns. They're the exact questions OCR investigators ask during breach investigations. Our Working from Home & PHI course addresses every one of them with practical, scenario-based lessons your staff will actually remember.

The Real Answer to "Is Zoom HIPAA Compliant?"

Zoom is a tool. It can support HIPAA compliance — but only when your organization does the work. That means signing the BAA, configuring settings properly, training your workforce, and documenting it all in your risk assessment.

The platform doesn't make you compliant. Your policies, your people, and your ongoing vigilance do. Treat Zoom like any other business associate relationship: verify, document, monitor, and retrain regularly.

If you haven't reviewed your Zoom configuration against HIPAA requirements this year, today is the day. And if your staff haven't completed HIPAA training specific to remote work and telehealth, explore the full course catalog at HIPAACertify.com to close that gap before OCR closes it for you.