Knowledge Base, April 3, 2026

Is Zoom HIPAA Compliant? The Real Answer for Healthcare (2026)

Table of Contents

  1. The Direct Answer
  2. What HIPAA Actually Requires
  3. What Zoom Offers for HIPAA Compliance
  4. What Zoom Does NOT Do
  5. The BAA Fine Print
  6. Which Zoom Plans Qualify
  7. What Is Still on Your Servers and Your Responsibility
  8. The Encryption Question
  9. Alternatives for Healthcare Organizations
  10. Frequently Asked Questions
  11. Key Takeaways

The Direct Answer

Zoom can be HIPAA compliant, but only under specific conditions --- and "can be" is doing significant work in that sentence. Zoom is not HIPAA compliant by default. Out of the box, a standard Zoom account does not meet HIPAA requirements and cannot legally be used to transmit protected health information (PHI). To reach HIPAA compliance, you must be on a paid Zoom plan (Zoom Workplace Business or higher), request and execute a Business Associate Agreement (BAA) with Zoom, manually disable certain features that violate HIPAA requirements, and accept that Zoom's servers --- not yours --- store and route all PHI data. Even after completing these steps, Zoom's HIPAA compliance covers only specific products within their suite, not everything with the Zoom name on it. The compliance is conditional, partial, and shared: Zoom handles its side of the technical safeguards, but your organization remains responsible for administrative safeguards, workforce training, and proper configuration.

This article breaks down exactly what Zoom provides, what it excludes, what the BAA actually says, and where healthcare organizations may need a different approach.


What HIPAA Actually Requires

Before evaluating Zoom's compliance, it helps to understand what HIPAA demands from any technology platform that handles PHI. The HIPAA Security Rule mandates three categories of safeguards.

Administrative safeguards include risk analysis, workforce training, access management policies, contingency planning, and business associate agreements with every vendor that touches PHI.

Physical safeguards include facility access controls, workstation security, and device and media controls.

Technical safeguards include access controls, audit controls, integrity controls, person or entity authentication, and transmission security (encryption).

HIPAA does not "certify" software. There is no government-issued HIPAA certification stamp. When a vendor says they are "HIPAA compliant," they mean they have implemented the safeguards required by the Security Rule and are willing to sign a BAA accepting liability as a business associate. The compliance determination ultimately falls on the covered entity --- the healthcare provider, health plan, or clearinghouse --- to verify that the vendor meets requirements.


What Zoom Offers for HIPAA Compliance

Zoom has built specific features and controls to support healthcare customers. Here is what Zoom provides when HIPAA compliance is enabled on an eligible account.

Business Associate Agreement. Zoom will sign a BAA with customers on qualifying paid plans. The BAA covers Zoom Workplace (Meetings, Webinars, and Phone), Zoom Team Chat, and Zoom Contact Center. The BAA establishes Zoom as a business associate under HIPAA and defines both parties' obligations regarding PHI.

Encryption in transit. Zoom uses AES-256 GCM encryption for data in transit between client applications and Zoom's servers. This satisfies the HIPAA transmission security requirement.

Optional end-to-end encryption. Zoom offers an optional end-to-end encryption (E2EE) mode for meetings that encrypts content from participant to participant. However, enabling E2EE disables several features including cloud recording, live transcription, breakout rooms, and polling.

Access controls. Zoom provides meeting passwords, waiting rooms, host-only recording permissions, and the ability to lock meetings after they start.

Audit logging. Account administrators can access operational logs showing meeting activity, user actions, and administrative changes.

Configurable data retention. Administrators can set retention policies for recordings and chat messages.

Cloud recording storage. Recordings stored in Zoom's cloud are encrypted at rest using AES-256 encryption.


What Zoom Does NOT Do

This is where the nuance matters most. Zoom's HIPAA offering has clear boundaries that healthcare organizations frequently misunderstand.

Zoom does not offer self-hosting. All video traffic routes through Zoom's cloud infrastructure. You do not control where the servers are located, which data center processes your meetings, or which jurisdiction your data transits. For organizations with strict data residency requirements, this is a fundamental limitation.

Zoom does not give you encryption key ownership. Zoom generates, manages, and stores the encryption keys used to protect your data. You cannot bring your own keys. This means Zoom has the technical ability to decrypt your meeting content. For organizations that require zero-knowledge encryption where even the vendor cannot access PHI, Zoom does not meet this standard.

Zoom does not cover all its products under the BAA. The BAA specifically lists covered products. Features like Zoom Apps (third-party integrations within Zoom), Zoom Clips, and certain AI-powered features may not be covered. Using uncovered features in a clinical context could create a compliance violation.

Zoom does not disable non-compliant features automatically. When you sign the BAA, Zoom does not automatically configure your account for HIPAA compliance. Your administrator must manually disable features like cloud recording transcription, third-party AI integrations, and certain data-sharing settings. Missing a single setting can create an exposure.
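As an added example (not Zoom's code or the article's), a small audit script that compares an exported account-settings dictionary against the baseline this paragraph describes, so that a missed setting shows up as a finding instead of an exposure; the setting names are constructed placeholders that must be mapped to the actual keys in Zoom's HIPAA configuration guide.

```python
"""Audit a Zoom account-settings export against a HIPAA baseline.

Added example, not Zoom's code. The dotted setting paths below are
constructed stand-ins for the real Zoom admin/API setting names; map
them to the keys in Zoom's HIPAA configuration guide before use.
"""
from typing import Any

# Baseline taken from the article: (setting path, required value, why it matters).
HIPAA_BASELINE = [
    ("recording.cloud_recording_transcript", False, "automatic transcripts of PHI recordings"),
    ("ai.ai_companion_enabled", False, "AI features not named in the BAA"),
    ("apps.third_party_apps_allowed", False, "uncovered third-party integrations"),
    ("in_meeting.waiting_room", True, "screen participants before PHI is discussed"),
    ("schedule_meeting.require_passcode", True, "prevent uninvited joins"),
    ("recording.host_only", True, "participants cannot record PHI locally"),
]


def lookup(settings: dict, path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any segment is absent."""
    node: Any = settings
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit(settings: dict, baseline=HIPAA_BASELINE) -> list:
    """Return one finding per deviation as (path, expected, actual, reason).
    A missing setting is reported too: an absent control is not a disabled
    one, and it must be verified by hand rather than assumed safe."""
    findings = []
    for path, expected, reason in baseline:
        actual = lookup(settings, path)
        if actual != expected:
            findings.append((path, expected, actual, reason))
    return findings


# Constructed sample export: the BAA is signed, but two defaults were left in place.
SAMPLE_EXPORT = {
    "recording": {"cloud_recording_transcript": True, "host_only": True},
    "ai": {"ai_companion_enabled": False},
    "apps": {"third_party_apps_allowed": True},
    "in_meeting": {"waiting_room": True},
    "schedule_meeting": {"require_passcode": True},
}

if __name__ == "__main__":
    for path, expected, actual, reason in audit(SAMPLE_EXPORT):
        print(f"NONCOMPLIANT {path}: expected {expected}, got {actual} ({reason})")
```

Running the audit on every settings export (for example, before each quarterly risk-analysis review) turns "missing a single setting" into a reportable finding rather than a silent gap.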

Zoom does not provide a compliance guarantee. The BAA defines Zoom's obligations as a business associate, but HIPAA compliance depends on the entire chain --- your organization's policies, your workforce's behavior, your device security, and your network configuration. Zoom's BAA does not insulate you from liability if a breach occurs due to your side of the equation.


The BAA Fine Print

Zoom's Business Associate Agreement is a legal document that deserves careful review. Several provisions are worth understanding before you sign.

Covered services are explicitly listed. The BAA names specific Zoom products. If Zoom launches a new feature or product, it is not automatically covered. You must verify coverage before using new capabilities with PHI.

Zoom limits its liability. Like most vendor BAAs, Zoom's agreement includes liability caps and exclusion clauses. Your legal team should review these limitations against your organization's risk tolerance.

Zoom can update the BAA. The agreement may include provisions allowing Zoom to modify terms with notice. Monitor any amendments for changes that affect your compliance posture.

Breach notification timelines. The BAA specifies how quickly Zoom will notify you of a data breach. Verify that these timelines align with HIPAA's breach notification requirements (60 days for individual notification, with HHS notification requirements depending on the number of individuals affected).

You remain the covered entity. The BAA does not shift your HIPAA obligations to Zoom. You remain responsible for your own administrative, physical, and technical safeguards. Zoom's compliance covers their infrastructure --- everything on your side is still your responsibility.


Which Zoom Plans Qualify

Not every Zoom plan is eligible for a BAA. Here is the breakdown as of 2026.

Zoom Plan                        BAA Available   HIPAA Eligible
Zoom Basic (Free)                No              No
Zoom Workplace Pro               No              No
Zoom Workplace Business          Yes             Yes
Zoom Workplace Business Plus     Yes             Yes
Zoom Workplace Enterprise        Yes             Yes
Zoom Workplace Enterprise Plus   Yes             Yes

Important: Having a qualifying plan does not make you HIPAA compliant. You must request the BAA, execute it, and then configure your account according to Zoom's HIPAA configuration guide. The BAA is not automatically applied to eligible plans --- you must proactively initiate the process.

The cost difference is significant. Zoom Workplace Business starts at approximately $18.32 per user per month (billed annually). For a 50-provider telehealth practice, that represents roughly $11,000 per year before accounting for any add-ons like Zoom Phone or additional cloud storage for recordings.


What Is Still on Your Servers and Your Responsibility

Signing a BAA with Zoom addresses only one piece of your HIPAA compliance obligation. A substantial portion of the compliance burden remains with your organization.

Device management. The laptops, tablets, and phones your staff use to join Zoom meetings must meet HIPAA requirements. Full disk encryption, screen lock policies, remote wipe capability, and up-to-date operating systems are your responsibility.

Network security. Your organization's network must use encryption, firewalls, and access controls. If staff conduct telehealth sessions from home or public networks, you need policies and technical controls to address those scenarios.

Workforce training. HIPAA requires documented, ongoing training for all workforce members who handle PHI. Training must cover Zoom-specific topics: not sharing meeting links publicly, verifying patient identity before discussing PHI, understanding when recording is appropriate, and how to use waiting rooms.

Access management. User provisioning, role-based access controls, and timely deprovisioning when staff leave are your responsibility. Zoom provides the tools; you must implement the policies.

Documentation. Your HIPAA risk analysis must include Zoom as a system that processes PHI. You must document your configuration choices, your rationale for using Zoom, and your ongoing monitoring processes.

Incident response. If a PHI exposure occurs during a Zoom session (a patient joins the wrong meeting, a recording is shared inappropriately, a device with Zoom recordings is lost), your organization's breach response plan must address these scenarios.


The Encryption Question

Encryption is often the focal point of HIPAA compliance discussions, and Zoom's encryption model requires careful examination.

Standard Zoom encryption uses AES-256 GCM between the client and Zoom's servers. This means Zoom's infrastructure decrypts and re-encrypts the video stream at the server level. Zoom's servers can technically access meeting content. For most HIPAA purposes, this level of encryption satisfies the transmission security requirement since Zoom has signed a BAA and accepted business associate obligations.

End-to-end encryption (E2EE) provides stronger protection by encrypting content from participant to participant, with Zoom unable to decrypt the stream. However, E2EE disables cloud recording, live transcription, breakout rooms, phone dial-in, and several other features. For telehealth practices that need cloud recordings for documentation or transcription for clinical notes, E2EE creates a difficult tradeoff.

Neither mode provides customer-managed encryption keys. Regardless of the encryption mode selected, Zoom controls the key management infrastructure. Organizations that require key custody --- the ability to manage, rotate, and revoke encryption keys independently of the vendor --- cannot achieve this with Zoom.


Alternatives for Healthcare Organizations

Healthcare organizations that find Zoom's conditional compliance insufficient have several alternative approaches.

Self-hosted white label platforms. Solutions like WhiteLabelZoom provide HIPAA-compliant video conferencing that runs on your infrastructure. You control the servers, the encryption keys, the data residency, and the entire compliance surface. The BAA conversation changes fundamentally when the platform runs on infrastructure you own.

Purpose-built telehealth platforms. Platforms like Doxy.me, Teladoc Health, and Amwell are designed specifically for clinical video encounters. They include EHR integrations, patient intake workflows, clinical documentation features, and HIPAA compliance baked into the product design rather than layered on as a configuration option.

Self-hosted open source solutions. Jitsi Meet and other open source platforms can be deployed on your own HIPAA-compliant infrastructure, giving you complete control over every aspect of the system. The tradeoff is significant engineering effort to maintain, secure, and scale the deployment.

Embedded video APIs with BAAs. For organizations building telehealth into existing applications, embedded video APIs like Twilio Video, Vonage, and Daily.co offer BAAs and can be integrated directly into your clinical workflows. You control the user experience while the API provider handles the media infrastructure.

The right choice depends on your organization's size, technical resources, compliance risk tolerance, and the role video plays in clinical care delivery.


Frequently Asked Questions

1. Is Zoom HIPAA compliant out of the box?

No. Zoom is not HIPAA compliant by default on any plan. You must be on a paid business or enterprise plan, request and sign a BAA with Zoom, and manually configure your account to disable non-compliant features. The free version of Zoom and the Pro plan are not eligible for a BAA and cannot legally be used with PHI under any circumstances.

2. Does Zoom's BAA cover Zoom Clips, Zoom AI Companion, and third-party apps?

Not necessarily. Zoom's BAA covers specifically named products, primarily Zoom Workplace Meetings, Webinars, Phone, Team Chat, and Contact Center. AI-powered features, third-party integrations from the Zoom App Marketplace, and newer products may not be included. Always verify with Zoom's current BAA documentation before using any feature in a clinical context.

3. Can I use the free version of Zoom for telehealth?

No. The free Zoom Basic plan does not support a BAA and is not HIPAA-eligible. Using it to conduct telehealth sessions that involve PHI would be a HIPAA violation. There is no configuration, setting, or workaround that makes the free tier compliant.

4. Does Zoom's end-to-end encryption make it more HIPAA compliant?

E2EE provides stronger technical safeguards because Zoom cannot access meeting content. However, E2EE is not required for HIPAA compliance --- AES-256 encryption in transit combined with a BAA satisfies the transmission security standard. E2EE also disables features many healthcare organizations need (cloud recording, transcription, breakout rooms), so the compliance benefit comes with functional tradeoffs.

5. What happens if a HIPAA breach occurs on Zoom?

Zoom's BAA obligates them to notify you of a breach involving PHI on their systems within a specified timeframe. However, your organization retains responsibility for notifying affected individuals and HHS as required by the HIPAA Breach Notification Rule. If the breach resulted from your misconfiguration or user error (not Zoom's infrastructure failure), you bear primary liability.

6. Can Zoom access my meeting recordings?

With standard encryption, Zoom has the technical capability to access cloud recordings stored on their servers since Zoom manages the encryption keys. With E2EE enabled, recordings are not stored in Zoom's cloud (cloud recording is disabled). If key custody and zero-knowledge storage are compliance requirements for your organization, Zoom does not meet those standards.

7. Is a self-hosted video platform more HIPAA compliant than Zoom?

A properly configured self-hosted platform can provide stronger HIPAA compliance because you control the infrastructure, the encryption keys, the data residency, and the full audit trail. There is no third-party business associate in the video layer, which simplifies your compliance surface. However, self-hosting shifts the entire technical safeguard burden to your team, which requires dedicated security and DevOps resources.

8. Which Zoom competitors offer HIPAA compliance with more control?

WhiteLabelZoom offers self-hosted HIPAA-compliant video with full encryption key ownership and data residency control. Doxy.me is a purpose-built telehealth platform with HIPAA compliance designed into the product. For organizations that want to embed video into existing applications, Twilio Video and Daily.co offer BAAs with API-level integration. Each provides capabilities that address specific gaps in Zoom's HIPAA offering.


Key Takeaways

  • Zoom is not HIPAA compliant by default. Compliance requires a paid plan (Business or higher), a signed BAA, and manual account configuration.
  • The BAA covers specific products, not everything Zoom offers. Verify coverage before using any feature with PHI.
  • Zoom controls the encryption keys. You cannot bring your own keys or achieve zero-knowledge encryption with Zoom.
  • All data routes through Zoom's cloud. Self-hosting is not an option, which creates data residency and control limitations.
  • Your organization carries significant compliance responsibility. The BAA addresses Zoom's obligations; device security, workforce training, network controls, and documentation remain on you.
  • E2EE improves security but disables critical features. Cloud recording, transcription, and breakout rooms are unavailable with E2EE enabled.
  • Alternatives exist for organizations needing more control. Self-hosted platforms, purpose-built telehealth tools, and embedded video APIs offer HIPAA compliance with greater infrastructure ownership.
  • Consult your compliance officer and legal counsel. HIPAA compliance is an organizational determination, not a vendor feature. No article, vendor website, or marketing page replaces a proper risk analysis.

Ready for HIPAA-compliant video conferencing where you control the servers, the encryption keys, and the data? WhiteLabelZoom deploys on your infrastructure with full HIPAA compliance, zero third-party data routing, and your branding throughout --- live in under 48 hours.
