Is Zoom HIPAA Compliant? What Healthcare Practices Need to Know

Zoom can support HIPAA compliance, but not out of the box. A Business Associate Agreement has to be in place first, and until it is, putting Protected Health Information into Zoom is itself the violation.

Yes, conditionally

Zoom can be made HIPAA compliant. Zoom will execute a Business Associate Agreement and, once accepted, enables HIPAA-supporting configuration across meetings, chat, phone, and related services.

Plan / requirement: Available to qualifying Zoom accounts; the account must accept the BAA and enable HIPAA compliance settings.

Sources: Zoom "Health Data & HIPAA Compliance" page; Zoom "HIPAA Business Associate Agreement (BAA)" support article. Last verified 2026-06-14.

What HIPAA actually requires here

HIPAA does not certify software. It requires that any vendor handling Protected Health Information on your behalf sign a Business Associate Agreement and uphold the Security Rule safeguards. For Zoom, that mechanism works like this:

During plan setup the account owner checks the box to accept a Business Associate Agreement and enable HIPAA compliance, which unlocks the PHI-handling configuration.

The conditions that decide whether you are actually covered:

Where the vendor stops and you begin

The most expensive misunderstanding in healthcare practices is assuming a signed BAA finishes the job. It does not. Compliance is shared:

Where responsibility sits
Zoom: acts as Business Associate and provides AES-encrypted sessions once the BAA is in place.
You: control meeting privacy with Waiting Rooms, required passcodes, and locked rooms.
You: are responsible for staff practices, meaning no recording of PHI to unsecured locations and verifying every participant before PHI is discussed.

Compliance review

Not sure your Zoom setup holds up to an audit?

Cobrix runs a configuration review against the actual healthcare rules your practice operates under, then fixes what does not pass.

Configuring Zoom the right way

A defensible Zoom deployment in a healthcare practice comes down to a short, ordered checklist:

  1. Accept the BAA and enable HIPAA compliance during plan setup.
  2. Require passcodes and Waiting Rooms on all clinical meetings.
  3. Disable or tightly control cloud recording; store any recordings inside covered, access-controlled storage.
  4. Restrict who can start telehealth sessions and verify patient identity at join.
  5. Request the SOC 2 + HITRUST report for your compliance file.
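The checklist above is only defensible if someone can show, on demand, that each item holds for the account as currently configured. The script below is an added example written for this page, not Cobrix's or Zoom's code; it turns the five items into checks that run against a settings document and report which items fail, so the "BAA signed but nothing else hardened" state is caught rather than assumed. The dictionary layout and every key name in it (`account.baa_accepted`, `meeting.waiting_room`, `recording.cloud_recording`, and so on) are assumptions chosen for illustration, not Zoom's API schema; map them to whatever your settings export actually contains.

```python
"""Checklist-as-code audit for a Zoom HIPAA configuration.

Added example, not code from Cobrix or Zoom. The settings layout and key
names are assumed for illustration; adapt the paths in CHECKS to the real
export or API response your account produces.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Check:
    item: int                       # checklist item number from the page
    title: str
    passes: Callable[[dict], bool]  # True when the setting is acceptable
    remediation: str


def _get(settings: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; a missing key is a failure, never a pass."""
    node: Any = settings
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


# One check per checklist item. Strict `is True` / `is False` comparisons mean
# an absent or unexpected value fails closed instead of being treated as "on".
CHECKS = [
    Check(1, "BAA accepted and HIPAA compliance enabled",
          lambda s: _get(s, "account.baa_accepted") is True
          and _get(s, "account.hipaa_compliance_enabled") is True,
          "Accept the BAA during plan setup; keep PHI out of Zoom until this passes."),
    Check(2, "Passcode and Waiting Room required on clinical meetings",
          lambda s: _get(s, "meeting.require_passcode") is True
          and _get(s, "meeting.waiting_room") is True,
          "Require passcodes and enable Waiting Rooms at the account level."),
    Check(3, "Cloud recording disabled or confined to access-controlled storage",
          lambda s: _get(s, "recording.cloud_recording") is False
          or _get(s, "recording.storage_access_controlled") is True,
          "Disable cloud recording, or restrict recording storage to covered, access-controlled locations."),
    Check(4, "Telehealth hosting restricted and participants authenticated",
          lambda s: bool(_get(s, "meeting.allowed_host_groups"))
          and _get(s, "meeting.only_authenticated_users_can_join") is True,
          "Limit who may start telehealth sessions and require authentication to join."),
    Check(5, "SOC 2 + HITRUST report on file",
          lambda s: _get(s, "compliance_file.soc2_hitrust_report_on_file") is True,
          "Request the SOC 2 + HITRUST report from the vendor and file it."),
]


def audit(settings: dict) -> list[tuple[int, str, str]]:
    """Return the failed checklist items as (item, title, remediation), in checklist order."""
    return [(c.item, c.title, c.remediation) for c in CHECKS if not c.passes(settings)]


def is_phi_ready(settings: dict) -> bool:
    """True only when every checklist item passes."""
    return not audit(settings)


# Constructed sample: BAA accepted, everything else left at permissive values.
# This is the "signed BAA finishes the job" misunderstanding in data form.
BAA_ONLY = {
    "account": {"baa_accepted": True, "hipaa_compliance_enabled": True},
    "meeting": {"require_passcode": False, "waiting_room": False,
                "allowed_host_groups": [], "only_authenticated_users_can_join": False},
    "recording": {"cloud_recording": True, "storage_access_controlled": False},
}

# Constructed sample: the same account after the checklist has been worked through.
HARDENED = {
    "account": {"baa_accepted": True, "hipaa_compliance_enabled": True},
    "meeting": {"require_passcode": True, "waiting_room": True,
                "allowed_host_groups": ["clinical-staff"],
                "only_authenticated_users_can_join": True},
    "recording": {"cloud_recording": False, "storage_access_controlled": False},
    "compliance_file": {"soc2_hitrust_report_on_file": True},
}

if __name__ == "__main__":
    for name, settings in (("baa-only", BAA_ONLY), ("hardened", HARDENED)):
        findings = audit(settings)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for item, title, remediation in findings:
            print(f"  item {item}: {title}\n    -> {remediation}")
```

Run it against a real export on a schedule and keep the output with the compliance file; a dated, repeatable PASS for each item is the paper trail an auditor asks for, and a FAIL on item 2, 3 or 4 with the BAA in place is exactly the gap the shared-responsibility model leaves on your side.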

Mistakes that quietly void compliance

Where Cobrix fits

Cobrix is a California MSP/MSSP that configures and monitors tools like Zoom for healthcare practices, then documents the controls so they survive an audit. The software gives you the BAA; the configuration, monitoring, and paper trail are what actually keep you compliant. That is the part we own.

Free resource

Zoom HIPAA setup checklist

The exact configuration steps above, formatted as a printable checklist your team can work through and keep on file.

Frequently asked questions

Is Zoom HIPAA compliant?

Zoom can be made HIPAA compliant. Zoom will execute a Business Associate Agreement and, once accepted, enables HIPAA-supporting configuration across meetings, chat, phone, and related services.

How do I get a BAA with Zoom?

During plan setup the account owner checks the box to accept a Business Associate Agreement and enable HIPAA compliance, which unlocks the PHI-handling configuration.

What plan do I need for Zoom to be HIPAA compliant?

Available to qualifying Zoom accounts; the account must accept the BAA and enable HIPAA compliance settings.

Does a BAA alone make Zoom compliant?

No. HIPAA compliance follows a shared-responsibility model. The vendor secures the platform; your practice is responsible for configuration, access controls, and staff handling of PHI.