Is Zoom HIPAA Compliant? What Healthcare Teams Need to Know
A plain-English breakdown of which Zoom plans meet HIPAA requirements, what settings to enable, and where the compliance gaps are.
This is an independent guide. Not affiliated with or endorsed by Zoom Communications, Inc.
Your compliance officer just flagged the therapy sessions your team runs on Zoom. A patient filed a complaint. Now you need answers fast: is Zoom HIPAA compliant, and what do you have to change before Monday?
The short answer is yes, Zoom can be HIPAA compliant, but only if you pick the right plan, sign a Business Associate Agreement (BAA), and configure about a dozen settings correctly. The free plan and most default configurations don't qualify.
This guide walks you through exactly which Zoom plans support HIPAA compliance (as of March 2026), what a BAA covers, how to lock down your settings, and where Zoom falls short. You'll also find a checklist you can hand to your IT team and answers to the questions healthcare administrators ask most often.
This article is for informational purposes only and does not constitute legal or medical advice. Consult a qualified HIPAA compliance professional for guidance specific to your organization.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law enacted in 1996 that sets national standards for protecting sensitive patient health information. It requires healthcare providers, insurers, and their business associates to implement physical, technical, and administrative safeguards to secure protected health information (PHI). Violations can result in fines ranging from $141 to $2,134,831 per incident (2026 adjusted figures).
Is Zoom HIPAA Compliant?
Zoom can be HIPAA compliant, but it isn't compliant by default. No video conferencing tool is. HIPAA compliance isn't a product feature you can toggle on; it's a combination of the right software plan, a signed legal agreement, correct configuration, and organizational policies.
Here's what that means in practice: if you downloaded Zoom last week and started running telehealth sessions on the free plan, you're not HIPAA compliant. Even if you're on a paid plan, you're not compliant until you've signed a BAA with Zoom and adjusted your account settings.
Consider Dr. Rivera, who runs a small behavioral health practice with four therapists. The practice used Zoom Basic for two years, assuming the encryption was enough. After a compliance audit, they learned that without a BAA, every session they'd recorded was a potential HIPAA violation. The fix took three days. The stress lasted months.
As of March 2026, Zoom offers HIPAA-compliant configurations on specific paid plans through its Zoom for Healthcare offering. Zoom will sign a BAA for eligible accounts, which covers Zoom Meetings, Zoom Phone, Zoom Team Chat, and Zoom Rooms when used within the terms of that agreement.
Which Zoom Plans Support HIPAA Compliance?
Not every Zoom plan qualifies for a BAA. As of March 2026, Zoom offers HIPAA-eligible configurations on these plans:
- Zoom Workplace Pro (paid) with healthcare add-on
- Zoom Workplace Business and above
- Zoom Workplace Enterprise (includes dedicated healthcare features)
- Zoom for Healthcare (purpose-built plan with EHR integrations)
The free Zoom Basic plan does not qualify for a BAA. Neither do personal Pro accounts without the healthcare add-on.
| Plan | BAA Available | Healthcare Features | Starting Price (per user/month) |
|---|---|---|---|
| Zoom Basic (Free) | No | None | $0 |
| Zoom Workplace Pro | With add-on | Limited | Check zoom.us/pricing |
| Zoom Workplace Business | Yes | Standard | Check zoom.us/pricing |
| Zoom Workplace Enterprise | Yes | Full suite | Custom pricing |
| Zoom for Healthcare | Yes | EHR integrations, waiting rooms, analytics | Custom pricing |
Plan names, BAA eligibility, and pricing change frequently. Visit zoom.us/pricing or contact Zoom sales to confirm current options before making compliance decisions.
The key difference between plans isn't just the BAA. Higher-tier plans include features healthcare organizations actually need: custom waiting rooms branded with your practice name, integration with EHR systems like Epic and Cerner, and granular admin controls for managing who can record sessions.
If you're comparing options, our guide on Microsoft Teams alternatives covers how other platforms handle compliance.
What Is a BAA and Why Does It Matter?
A Business Associate Agreement (BAA) is a legally binding contract between a healthcare provider (or other covered entity) and a vendor that handles protected health information. Under HIPAA, you must have a signed BAA with every third-party service that could access, store, or transmit PHI.
Without a BAA, it doesn't matter how secure Zoom's encryption is. You're violating HIPAA.
Zoom's BAA covers these products when configured correctly:
- Zoom Meetings (video and audio)
- Zoom Phone
- Zoom Team Chat
- Zoom Rooms
- Zoom Webinars (with restrictions)
- Cloud recordings (when enabled under BAA terms)
Products not covered under Zoom's standard BAA include:
- Zoom Apps (third-party marketplace apps)
- Zoom Whiteboard (check current status with Zoom)
- Zoom Mail and Calendar
- Any free-tier feature
To request a BAA from Zoom, you typically need to:
- Have an eligible paid plan (Business or higher, or Pro with healthcare add-on)
- Contact Zoom sales or your account representative
- Review and countersign the BAA document
- Configure your account according to Zoom's HIPAA implementation guide
The BAA signing process usually takes 1 to 5 business days for standard plans. Enterprise accounts may negotiate custom BAA terms, which can take 2 to 4 weeks.
Think of the BAA like a seatbelt. The car (Zoom) might be safe, but without the seatbelt (BAA), you're still at risk in a crash (audit or breach).
How to Make Zoom HIPAA Compliant: Configuration Checklist
Signing the BAA is step one. Step two is configuring your Zoom account so it actually meets HIPAA requirements. Zoom provides a HIPAA implementation guide to BAA signatories, but here are the critical settings your IT team needs to address.
Encryption Settings
- Enable end-to-end encryption (E2EE) for meetings containing PHI. Zoom offers E2EE as an option, but it's not on by default. Note: E2EE disables some features like cloud recording, breakout rooms, and live transcription.
- Require encryption for third-party endpoints (H.323/SIP) if you use conference room hardware.
- Enable AES 256-bit GCM encryption (this is on by default for all Zoom meetings since 2020).
Meeting Security
- Enable waiting rooms so patients don't land in sessions with other patients.
- Require meeting passwords for every session.
- Disable "Join before host" to prevent patients from entering an unsupervised room.
- Lock meetings after all expected participants have joined.
- Disable file transfer in chat during meetings (prevents accidental PHI sharing via chat).
- Disable cloud recording by default and enable it only for sessions where recording is clinically necessary and the patient has consented.
Account Administration
- Restrict screen sharing to host only (prevent patients from accidentally sharing their screen).
- Disable Zoom AI Companion features for meetings that involve PHI, unless explicitly covered in your BAA.
- Turn off meeting transcription unless required and consented to.
- Use managed domains so only authorized email addresses can access your Zoom organization.
- Enable two-factor authentication (2FA) for all user accounts.
- Set automatic session timeouts for idle accounts.
Recording and Storage
- If you must use cloud recording, ensure your BAA explicitly covers it and that access is restricted to authorized personnel.
- Local recordings keep data on your own infrastructure but require your own encryption and access controls.
- Delete recordings when no longer clinically necessary (set a retention policy).
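As an added example (not Zoom's own code or API), the script below audits an account-settings export against the checklist above, including the caveat under Encryption Settings that E2EE switches off cloud recording, breakout rooms and transcription. The key names are constructed to mirror the checklist items; mapping them onto your real Zoom admin export is assumed.

```python
# Added example, not Zoom's code. Keys are constructed to mirror the checklist
# above; assumption: you map your real Zoom admin export onto these names.

REQUIRED = {
    "waiting_room": True, "require_passcode": True, "join_before_host": False,
    "in_meeting_file_transfer": False, "screen_share_host_only": True,
    "ai_companion": False, "auto_transcription": False, "two_factor_auth": True,
    "managed_domains": True, "cloud_recording_default": False,
}
# Zoom disables these when E2EE is on, so leaving them enabled alongside E2EE
# means the setting is silently ineffective; the audit flags that conflict.
E2EE_CONFLICTS = ("cloud_recording_default", "breakout_rooms", "auto_transcription")

def audit(settings: dict) -> list[str]:
    """Return findings as strings; an empty list means the checklist passes."""
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: missing from export, treat as unverified")
        elif actual != expected:
            findings.append(f"{key}: is {actual}, should be {expected}")
    if settings.get("e2ee_for_phi_sessions") is not True:
        findings.append("e2ee_for_phi_sessions: E2EE must be on for PHI sessions")
    else:
        findings += [f"{k}: enabled but unavailable under E2EE"
                     for k in E2EE_CONFLICTS if settings.get(k)]
    if settings.get("cloud_recording_default") and not settings.get("baa_covers_cloud_recording"):
        findings.append("cloud_recording_default: on, but BAA does not cover cloud recording")
    if settings.get("recording_retention_days", 0) <= 0:
        findings.append("recording_retention_days: no retention policy set")
    return findings

# Constructed sample: an out-of-the-box account before hardening.
DEFAULT_ACCOUNT = {
    "waiting_room": False, "require_passcode": True, "join_before_host": True,
    "in_meeting_file_transfer": True, "screen_share_host_only": False,
    "ai_companion": True, "auto_transcription": False, "two_factor_auth": False,
    "managed_domains": False, "cloud_recording_default": True, "breakout_rooms": True,
    "e2ee_for_phi_sessions": False, "baa_covers_cloud_recording": False,
    "recording_retention_days": 0,
}
# Same account after applying the checklist (E2EE on, recording off, 30-day retention).
HARDENED_ACCOUNT = {**DEFAULT_ACCOUNT, **REQUIRED, "breakout_rooms": False,
                    "e2ee_for_phi_sessions": True, "recording_retention_days": 30}

if __name__ == "__main__":
    for name, acct in (("default", DEFAULT_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        print(name, audit(acct) or "PASS")
```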
For organizations that need help with setting up virtual meetings securely, we have a separate step-by-step walkthrough.
Is Zoom HIPAA Compliant for Telehealth and Psychotherapy?
This is the most common question healthcare providers ask, and the answer has nuance.
For telehealth broadly, Zoom's HIPAA-compliant plans work well. The platform supports one-on-one video consultations, group therapy sessions, and even remote patient monitoring check-ins. As of March 2026, Zoom for Healthcare includes features specifically designed for telehealth: virtual waiting rooms, EHR integrations with Epic and Cerner, and clinical workflow tools.
For psychotherapy and behavioral health, extra caution is needed. Therapists handle especially sensitive PHI (substance abuse records, mental health diagnoses, session notes). Consider these additional steps:
- Never use Zoom's AI Companion or transcription during therapy sessions. Even if covered by the BAA, automated transcription of therapy creates unnecessary risk.
- Disable all recording unless the patient provides written consent and your state allows it.
- Use the waiting room feature so patients from group sessions don't see each other before the host admits them.
- Train staff on what they can and cannot say in Zoom chat during sessions (chat logs may be stored).
A group therapy practice runs four concurrent evening sessions. Without proper waiting room configuration, Patient A from the anxiety group accidentally joins the substance abuse session. The patient names visible on screen constitute a HIPAA breach. Proper waiting room and password setup prevents this entirely.
What about the COVID-era HIPAA waivers? During 2020 to 2023, the U.S. Department of Health and Human Services (HHS) granted enforcement discretion for telehealth providers using consumer-grade video tools. Those waivers expired. As of March 2026, the standard HIPAA enforcement rules apply fully. Using Zoom without a BAA for telehealth is a violation, period.
If you're exploring how to create breakout rooms for group therapy, our guide covers the setup process.
Is Zoom HIPAA Compliant Compared to Google Meet and Microsoft Teams?
Healthcare decision-makers often compare Zoom against Google Meet and Microsoft Teams. Here's how they stack up on HIPAA compliance as of March 2026:
Zoom offers a dedicated healthcare vertical with purpose-built features. Its BAA covers Meetings, Phone, Chat, and Rooms. The Zoom for Healthcare plan includes EHR integrations and clinical workflow tools. Zoom's advantage is its telehealth-specific feature set and the fact that most patients already know how to use it.
Google Meet (via Google Workspace) can be HIPAA compliant. Google signs BAAs for Workspace Business, Enterprise, and Education Plus plans. The BAA covers Meet, Gmail, Drive, Calendar, and other core Workspace apps. Google Meet lacks the healthcare-specific features Zoom offers (no EHR integrations, no clinical waiting rooms), but it integrates well if your organization already uses Google Workspace.
Microsoft Teams (via Microsoft 365) also supports HIPAA compliance. Microsoft signs BAAs for Business, Enterprise, and Education plans. Teams has deep integration with Microsoft's healthcare-specific tools, including the Microsoft Cloud for Healthcare platform and Azure Health Data Services. Teams is strongest for organizations already embedded in the Microsoft ecosystem.
| Feature | Zoom for Healthcare | Google Meet (Workspace) | Microsoft Teams (365) |
|---|---|---|---|
| BAA available | Yes | Yes | Yes |
| E2EE available | Yes | Yes | Yes |
| EHR integrations | Epic, Cerner, others | Limited | Epic, Cerner (via Cloud for Healthcare) |
| Dedicated healthcare plan | Yes | No | Yes (Cloud for Healthcare) |
| Patient familiarity | High | Medium | Medium |
| AI features (with BAA coverage) | Partial | Partial | Partial |
All three can be HIPAA compliant. Your choice depends on your existing infrastructure, budget, and which EHR system you use.
For teams exploring alternatives beyond traditional video calls, check out online meeting platforms that offer different approaches to virtual collaboration.
What Happens If You Use Zoom Without HIPAA Compliance?
Using Zoom (or any video tool) to handle PHI without proper compliance isn't just a policy issue. It carries real financial and legal consequences.
HIPAA penalties fall into four tiers based on the level of negligence:
| Tier | Violation Type | Penalty Per Violation | Annual Maximum |
|---|---|---|---|
| 1 | Unaware (reasonable diligence) | $141 - $71,162 | $2,134,831 |
| 2 | Reasonable cause (not willful neglect) | $1,424 - $71,162 | $2,134,831 |
| 3 | Willful neglect, corrected within 30 days | $14,232 - $71,162 | $2,134,831 |
| 4 | Willful neglect, not corrected | $71,162 | $2,134,831 |
Penalty amounts adjusted for inflation as of 2026. Source: HHS Office for Civil Rights.
Beyond fines, a HIPAA breach can trigger:
- State attorney general investigations (many states have their own health privacy laws with separate penalties)
- Patient lawsuits for negligence or breach of confidentiality
- Loss of professional licensure for individual providers
- Reputational damage that drives patients to other practices
- Mandatory breach notification to every affected patient, HHS, and (for breaches of 500+ records) local media
The most common Zoom-related HIPAA violations aren't dramatic hacks. They're mundane mistakes: a therapist using Zoom Basic without a BAA, a clinic that never disabled cloud recording, an admin who shared a meeting link containing a patient's name in the URL. Each of these is a reportable incident.
For tips on running better virtual meetings with proper security practices, see our guide on engaging online meetings.
Making Zoom Work for HIPAA: Key Takeaways
Zoom is HIPAA compliant when you set it up correctly. Here's what to do this week:
- Verify your plan. You need Zoom Workplace Business or higher, or Zoom Pro with the healthcare add-on. The free plan doesn't qualify.
- Sign a BAA. Contact Zoom's sales team. Don't schedule another patient session until the BAA is countersigned.
- Run the configuration checklist. Enable waiting rooms, require passwords, enable E2EE for PHI sessions, disable AI features, and restrict recording.
- Train your staff. HIPAA compliance fails at the human layer more often than the technology layer. Every clinician and admin who touches Zoom needs to understand what they can and can't do.
- Document everything. Keep your BAA, configuration screenshots, training records, and incident response plan in one place. Auditors will ask for them.
Zoom is a solid choice for telehealth and healthcare communication when configured properly. The platform's patient familiarity, EHR integrations, and healthcare-specific features make it one of the stronger options on the market. But the compliance burden is on you, not Zoom.
For non-clinical team gatherings like all-hands meetings, social events, or networking, Flat.social offers a spatial approach where participants move around and talk naturally.
Zoom is a trademark of Zoom Communications, Inc. HIPAA is a U.S. federal law. This site is not affiliated with, endorsed by, or sponsored by Zoom Communications, Inc.