Zoom Meetings for HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. In terms of video conferencing, the solution and security architecture must, among other controls, provide end-to-end encryption and meeting access controls so data in transit cannot be intercepted.
Who Should Use It?
If you interact with the following types of data, you may need to use a Zoom/HIPAA account:
- Protected Health Information (PHI) is any health information that can identify an individual, or is derived from identifiable information.
Other Protected Level 1 data types may also benefit from Zoom/HIPAA accounts:
- Financial account numbers covered by the Payment Card Industry Data Security Standard (PCI-DSS), which controls how credit card information is accepted, used, and stored.
- Controlled Unclassified Information required to be compliant with NIST SP 800-171.
- Data controlled by U.S. Export Control Law, such as the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). ITAR and EAR have additional requirements.
- U.S. Government Classified Data.
Even if you do not interact with PHI or other Protected Level 1 data types, it is still important to maintain privacy while using Zoom; see the additional Zoom privacy settings.
Zoom/HIPAA accounts provide an option for times when you must discuss sensitive data while retaining the same benefits Zoom Meetings has to offer. Although they are a separate environment, Zoom/HIPAA accounts are still integrated with your existing SDSUid login, eliminating the need to track additional accounts.
Zoom/HIPAA accounts offer many of the same features as regular Zoom accounts. However, your account can only exist in one Zoom instance at a time.
If you plan to use Zoom to discuss HIPAA Data, please be aware of the following differences between regular Zoom meetings and Zoom/HIPAA meetings:
| Feature | Description | Zoom/HIPAA Setting | Reason | Impact |
|---|---|---|---|---|
| Device/User Information | Device/user logging and reporting information is removed. | Enabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Session data will not be stored. |
| Co-Host | Only users with a Zoom/HIPAA account can be set as co-hosts. | Enabled | Required by Zoom. | Hosts can only designate alternative hosts from within the same account. For example, a user in the Zoom/HIPAA account can only designate another Zoom/HIPAA user as an alternative host. |
| Encrypted Chats | All chats and text messages will be encrypted. | Enabled | End-to-End Chat Encryption allows for a secured communication where only the intended recipient can read the secured message. | With end-to-end encrypted chat enabled, users can still send files, pictures, emojis, and screenshots. However, they will not be able to use the integrated GIPHY library, edit sent messages, or search chat message history. |
| Auto-Saving Chats | Automatically save all in-meeting chats so that hosts do not need to manually save the text of the chat after the meeting starts. | Disabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Chats can be saved manually before the meeting ends. |
| Cloud Recordings | Record meetings and automatically process and store them in the cloud. | Disabled | Required by Zoom. | Automatic transcripts and automatic recording upload are unavailable. |
| Require Encryption for 3rd Party Endpoints (H323/SIP) | Zoom requires encryption for all data between the Zoom cloud, Zoom client, and Zoom Room. Require encryption for 3rd party endpoints (H323/SIP). | Mandatory | Required by Zoom. | Participants may be unable to join meetings from SIP devices. |
| File Transfer | Hosts and participants can send files through the in-meeting chat. | Disabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Participants will not be able to share files during the in-meeting chat. |
| Identify Guest Participants in the Meeting/Webinar | Participants who belong to your account can see that a guest (someone who does not belong to your account) is participating in the meeting/webinar. | Mandatory | Improved awareness of who is currently in a meeting that may contain sensitive data. | Hosts and co-hosts can verify the person or entity seeking access. |
| Live Streaming the Meetings | Allow hosts to live stream their meetings to Workplace by Facebook or Custom Live Streaming Service. | Disabled | Prevent Restricted Use Data from being transmitted or stored in non-approved environments. | No live streaming would be available for Zoom HIPAA Meetings. |
| Play Sound When Participants Join or Leave | Sound will be heard by the host and attendees when participants join or leave. | Enabled | Improved awareness of who is currently in a meeting that may contain sensitive data. | Hosts and co-hosts can verify the person or entity seeking access. |
| Remote Control | During screen sharing, the person who is sharing can allow others to control the shared content. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | Hosts do not have the ability to take control of a participant’s screen and a participant cannot grant a host control of their screen. |
| Remote Support | Allow the meeting host to provide 1:1 remote support to another participant. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | Remote Support sessions are not enabled. |
| Far-End Camera Control | Allow another user to take control of your camera during a meeting. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | The host of the meeting is the only user that can request far end camera control. |
| Waiting Room | Guests cannot join a meeting until a host admits them individually from the waiting room. | Enabled | Prevent unknown guests from joining meetings that may contain sensitive data. | The option for attendees to join the meeting before the host arrives is disabled. |
What to Expect
Zoom Meetings is a cloud-hosted meetings solution for which Zoom promises 99.9% uptime. See the Zoom Status in the IT portal for current service status.
- Zoom Client for Meetings is available for Windows, macOS, and many Linux distributions. Detailed requirements can be found on Zoom's System Requirements page.
At minimum, hosts and participants in an online meeting should have:
- A broadband wired or wireless internet connection
- A microphone and speakers, or a headset
To use a Zoom/HIPAA account, your SDSUid needs to be connected to the Zoom Meetings for HIPAA account. Your SDSUid can only be connected to one instance of Zoom: either regular Zoom or a Zoom/HIPAA account.
If you need to use a Zoom/HIPAA account, please submit a request using SDSU ServiceNow.