This week on the HIPAA Vault Show, we explore whether Zoom video conferencing software is HIPAA-compliant.
Want to learn more? Check out our blog on HIPAA-compliance and Zoom!
Transcript:
Adam
Hello, and welcome to The HIPAA vault Show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine, and with me to discuss our topic for today is our CTO and founder of HIPAA vault, Gil Vidals. Hey, Gil.
Gil
Hey. Always a pleasure, Adam.
Adam
Yeah, the pleasure is all mine, Gil. So last week we talked a little bit about HIPAA texting it. This week, we’re going to be discussing whether Zoom is HIPAA compliant. Before we get started, please subscribe. And like the video, it’ll help us reach you with more important topics about HIPAA compliance. So, Gil, to get stuck into this, whether Zoom is HIPAA compliant, there’s two answers to this, and the quick answer is no. So if you’re not looking to stay around for too long on this video, then the answer is no. The second answer is yes, but with certain considerations. So we’re going to review in what circumstances it might zoom might not be HIPAA compliance, in which cases it would be. So the first thing, Gil, that we’re looking for here is a business associate agreement, right?
Gil
So with any technology provider that you’re going to be using that would be transmitting or storing health information, phi, you want to make sure that you have what’s called a business associate agreement in place. And that business associate agreement is essentially a written agreement between yourself as a covered entity or healthcare provider. And the business associate, in this case, it would be Zoom. So Zoom does offer BAAs to its healthcare customers. However, it doesn’t offer them by default, and it doesn’t offer them on the free plans. So we did a little bit of research about this, and it looks like the Zoom healthcare plans start at and this is obviously to date, they start at $15 per host license per month, or $150 a year per host license. So that’s the minimum required in order to get the BAA.
Adam
And then, Gil, if you could help me a little bit on this. But there’s certain security protocols, I believe. So the BAA itself is not the only thing that you need to have in place. The BAA is there to say that essentially Zoom is checking all the boxes when it comes to the technical items to make sure that the patient’s information, in this case maybe calls with patients, is transmitted and stored in a HIPAA compliant way while it’s communicating on their platform. But there’s certain security protocols that the user needs to have in place, right?
Gil
Yeah, that’s right. So once you have the healthcare Zoom plan, and like Adam said, after you have the VA in place, then when you use Zoom, there should be certain protocols you follow. For example, you should be using the unique meeting ID. Don’t use the same meeting ID over and over again. That make it unique so that you can keep that meeting unique and keep it separate from all the other meetings. And you want to enable the waiting room control. I have been in meetings in Zoom where we have been I don’t know what they call that, like photo bombing, but we’ve had people join meetings.
Adam
Zoom bombing.
Gil
Yeah, Zoom bombing. There you go. And quite embarrassing, really. Some of these people that were doing this were college kids, and they were doing some very obscene things on the Zoom bombing. So obviously you want to make sure you have a waiting room. Don’t just let anybody in. That would not be good, because you’re in the middle of a HIPAA compliant video meeting. That wouldn’t be good. You also want to be able to disable any kind of notes in there unless you specifically need those notes. So any of the annotation features of Zoom, keep those disabled unless you need them, but don’t just randomly have them on. And I think one of the bigger questions that people ask is, well, can I record the meeting I’m in? Is that good? Is that okay to do that?
Adam
That does come up a lot. Yeah.
Gil
And I think the answer to that is, well, you have to be careful with the recording. Once you have it, what are you going to do with it? Well, first of all, only the medical practitioner and the patient should be the ones looking at it. But if you’re going to store it for future reference, then you have to keep it in a HIPAA compliant place. Where are you going to keep that thing? And so you have to think carefully about where you’re going to store that. You don’t want it on the USB just floating around on your desk. You might lose it. Your equipment might get stolen if you have it on your laptop, so you don’t want it there. So a lot of places you don’t want it.
Gil
I would say a secure place for it would be somewhere in a HIPAA compliant cloud environment, so that if you do need it, you can pull it down from any device you have. So those are some of the top security protocols that I think should be followed in a meeting that involves phi.
Adam
Yeah. And these security protocols, they may or may not be enabled by default. So just make sure, I would say, to double check them and don’t leave it to chance that they’re enabled. And there is also going to be a blog article that we’ll link in the description below that goes into a little bit more detail on this. I would say also, if it’s not just a single practitioner, Gil, that training of the staff is important, right?
Gil
Yeah. I think that’s really a easily missed one, Adam, that I’ve talked to different medical practices, they tend to miss this one. And let me give you a little bit of background information. So when a medical practitioner is going to use Zoom and they’re trying to make sure that every checkbox is checked, they have full encryption, end to end encryption, and they did the VA. They’d all things you need to and then they think, oh, good, you know, I’m done. I got everything I need to be HIPAA compliant. Then if you can imagine an auditor walks in and says, okay, check. You have all the technological safeguards in place, but then they turn around and say, now let’s talk about the administrative safeguards. And you’re like, oh, what are those?
Gil
And they ask you, Show me your training log for your employees that show that they’ve been trained with some kind of HIPAA module and that they’re adhering to HIPAA guidelines. And you’re like, oh, I don’t have a training log. I don’t have any of that. Well, then technically, you’re not HIPAA compliant, because you are remiss on training employees, even if you have one, even if it’s just a part time assistant, even.
Adam
If it’s just a meeting that you have with that assistant, and you go through a couple of items with regards to security.
Gil
Yeah, as long as you have a log that shows what day and time that employee was trained. And you could even say you did the training yourself. And a lot of these modules are free on the Internet, so you don’t even have to spend any money. But most people just forget about that. And the training is kind of important too. I mean, it’s not just a checkbox, oh, I can’t believe I have to do this. What a waste of time. I mean, the employee you’re training may not be aware that when they get up to go to run out to Starbucks quickly to get you coffee, they may forget to lock their screen, and they leave that screen with that information on there that could be sensitive, and nobody notices that.
Gil
But, I mean, if you’re getting audited and there’s no screen saver or no auto locking of your keyboard and your computer, I mean, then that’s an obvious low hanging fruit. You should be taken care of. So the training kind of reminds you of all of these things you should be doing. The employees shouldn’t be grabbing any old USB they find laying around and plug it into their computer. That’s another big no. That’s happening all the time. It’s happening all the time. That’s how these big attacks happen. Someone opens an email or sticks in a USB, and then boom, their system is infected. So the training has a purpose. I mean, I know you guys are medical practitioners. You’re super busy, and you’re thinking, oh, this stuff’s so obvious, but it’s not obvious to everybody, and we can all use a reminder.
Adam
So really, the training can’t be overemphasized.
Gil
Okay, so there you have it. Is Zoom HIPAA compliant? The short answer no if you’re using a free plan, but yes if you’re using one of the paid plans. And you do check the security protocols that are in place on the software just to throw it out there. Gil, there’s a little bit of extra. Zoom is the market leader in video conferencing, right? We were talking about it before went on Air. It got over 55% of the market share. But hot on the tails is Microsoft teams and Google meet. One advantage that listeners and viewers might be interested in looking into teams and meet for is the collaboration between the different applications. Right? So when we talk about HIPAA and is Zoom HIPAA compliant? Well, a follow up question on a different aspect that we get a lot is my email HIPAA compliant?
Adam
And Zoom isn’t typically known for being an email provider, so there could be a use case here for looking into getting Google Meet in place with Google Workspace or Microsoft Teams in place with Office 365, and they can also be made taper compliant. Is that right?
Gil
Yeah. I think that’s smart what you’re mentioning, Adam, I didn’t think about it the way you did, but I like that. Because you’re a medical practitioner, the last thing you need is just one more subscription, one more thing you got to take care of. So what you’re promoting here, the idea of having a workspace through Office or Google, is that now you just have one account that has all your secure documents in the Google Drive or the Microsoft Team SharePoint and you can have all the information you need in a central location. And on top of that, you get their HIPAA compliant video. So it becomes a platform. And it’s not just Zoom is just kind of a one off solution here for video. They don’t offer email, they don’t offer a place to store your documents.
Gil
And so why not go for a complete solution? I really think that’s smart. By the way, Adam, you’re going to pay a pretty penny for Zoom, so you might as well put that money in Microsoft or Google. Pay that money, but get a lot more for it. Instead of just the video, you’re going to get the voiceover IP, you’re going to get the Google or the Drive or the OneDrive or whatever. You’re going to get a lot more for your money. And I think that’s smart. We’re in a recession now, so everybody’s looking for ways to save money and to streamline their operation.
Adam
Yeah, absolutely. I think I’d also like to encourage the listeners and viewers to us know what they use. At the moment, we said 55% worldwide use Zoom. What do you use? What do you use for your video conferencing and what do you use for your document collaboration? Let us know in the comments below. Or you can also email us with any questions as well at podcast@hipaavault.com or tweet us at @hippahosting. So that’s all for this episode. Thanks for stopping by.