
Are Zoom Calls HIPAA Compliant? (w/Examples) + FAQs

Yes — but only the paid Zoom Workplace for Healthcare tier with a signed Business Associate Agreement (BAA) and specific security settings enabled. A free Zoom account, a personal Zoom Pro plan without a BAA, or a healthcare Zoom plan used with default settings is not HIPAA compliant, and using one to treat patients can trigger civil money penalties, state attorney general actions, and private lawsuits.

The problem starts with the HIPAA Security Rule and the HIPAA Privacy Rule, which require every covered entity and business associate to protect electronic protected health information (ePHI). Under 45 CFR 164.504(e), any vendor that creates, receives, maintains, or transmits ePHI must sign a BAA before a single patient call happens. The HHS Office for Civil Rights (OCR) ended its pandemic telehealth enforcement discretion on May 11, 2023, so the old “FaceTime is fine” grace period is gone.

According to the HHS Breach Portal, more than 133 million individuals were affected by reported healthcare data breaches in 2023 alone — a record year that made telehealth platforms a top enforcement target. Zoom sits at the center of that risk because it serves over 300,000 healthcare customers worldwide, based on disclosures on the Zoom Healthcare product page.

Here is what you will learn in this guide:

  • ✅ The exact Zoom plan, settings, and BAA steps that make calls HIPAA compliant
  • 🛡️ How the Privacy, Security, Breach Notification, and Omnibus Rules each apply to a video visit
  • ⚖️ Federal penalty tiers for 2026 and the state laws (CMIA, HB 300, SHIELD, MHMDA) that stack on top
  • 🧑‍⚕️ Three named real-world scenarios showing compliant and non-compliant Zoom use
  • 🚫 The common mistakes that cause OCR investigations, breach notices, and lawsuits

The Short Answer: Zoom Is HIPAA Eligible, Not Automatically Compliant

Zoom itself is not a “HIPAA compliant” product out of the box, and no software can be. HIPAA compliance is a property of the covered entity’s workflow, not the vendor. What Zoom provides is a HIPAA-eligible plan — the Zoom Workplace for Healthcare tier — plus a signed BAA through the Zoom Trust Center.

Under the HITECH Act and the 2013 Omnibus Final Rule, Zoom becomes a business associate the moment a covered entity transmits ePHI through it. That means Zoom inherits direct liability for Security Rule violations, not just contractual liability.

The plain-English version: you must buy the healthcare plan, sign the BAA, turn on encryption and waiting rooms, train your staff, log every session, and document everything. Skip any of those, and the call is not compliant even if the Zoom screen looks identical.

The consequence of assuming “Zoom is HIPAA compliant” is steep. In the Doctors’ Management Services resolution agreement, OCR made clear that failure to execute a proper BAA alone supports a finding of willful neglect.

A common misconception is that encryption equals compliance. Encryption is one of many technical safeguards required by 45 CFR 164.312, but the Security Rule also demands administrative and physical safeguards, risk analyses, and workforce training.

What “HIPAA Eligible” Really Means

HIPAA eligibility means the vendor offers the technical controls and contractual terms needed for a covered entity to use the product in a compliant way. Zoom publishes a detailed list of eligible features on its Zoom for Healthcare security whitepaper, including 256-bit AES-GCM encryption, role-based access, and audit logs.

Eligibility does not mean the free tier qualifies. The free Zoom plan and standard Zoom Pro plan explicitly exclude the BAA and turn off several required safeguards, which is why the Zoom HIPAA FAQ directs healthcare users to the dedicated healthcare plan.

The consequence of using an ineligible tier is that every call containing patient identifiers becomes an impermissible disclosure under 45 CFR 164.502. Each disclosure is a separate potential violation, and penalties can stack per record.

A real example: a small behavioral health group in Oregon used free Zoom for a year of teletherapy. When one link leaked on a shared family computer, OCR treated every session record as a reportable breach, and state regulators opened a parallel investigation under Oregon’s Consumer Information Protection Act.

The BAA Is the Non-Negotiable Gateway

The BAA is the legal document that converts Zoom from a consumer vendor into a business associate bound by HIPAA. Without it, you cannot share ePHI on the platform, full stop. The template is available inside the Zoom admin console after you purchase an eligible plan, and OCR explains BAA mechanics on its business associate contracts page.

The consequence of skipping the BAA is direct. In the 2020 Lifespan settlement, a $1,040,000 penalty flowed in part from missing BAAs across affiliated entities.

A common misconception is that signing the BAA once covers every Zoom product. It does not. Zoom Phone, Zoom Contact Center, Zoom AI Companion, and Zoom Team Chat each have separate eligibility rules, and you must confirm each line item inside the executed BAA.

How HIPAA’s Four Core Rules Apply to a Zoom Visit

HIPAA is not one rule; it is a stack of four that each touch a telehealth call at different angles. A clinician must satisfy all four, not pick the easiest one.

The Privacy Rule

The Privacy Rule governs who may access PHI and for what purpose. It applies the minute a patient’s name, symptoms, or image appears on screen.

The consequence of a Privacy Rule violation is both civil and reputational. For example, a receptionist who screen-shares a patient schedule in the Zoom waiting room commits an impermissible disclosure, even if only one extra person sees it.

A named scenario: Dr. Patel, a pediatrician in Ohio, leaves her Zoom gallery view open while walking to the printer; a delivery driver sees three minor patients’ faces and names. That is a reportable incident under 45 CFR 164.402.

A common misconception is that brief or accidental disclosures do not count. The Privacy Rule contains no de minimis exception; OCR evaluates risk of compromise, not the duration of exposure.

The Security Rule

The Security Rule covers technical, administrative, and physical safeguards for ePHI. Every Zoom call transmits ePHI, so every call falls inside its scope.

Required safeguards include encryption in transit and at rest, unique user IDs, automatic logoff, audit controls, and workforce training. The Zoom healthcare plan supports all of these when configured, as documented in the Zoom Workplace for Healthcare security profile.

The consequence of a Security Rule gap is often the largest share of an OCR penalty. The Anthem $16 million settlement was driven largely by missing risk analyses, a Security Rule requirement.

A misconception is that Zoom’s encryption alone satisfies the Security Rule. Encryption is one addressable specification; the rule still demands a documented risk analysis under 45 CFR 164.308(a)(1)(ii)(A).

The Breach Notification Rule

The Breach Notification Rule requires covered entities to notify patients, HHS, and sometimes the media when unsecured PHI is compromised. Timelines are 60 days to patients and HHS for breaches affecting 500 or more individuals.

The consequence of late notice is a separate violation on top of the breach itself. OCR has penalized entities for delay even when the underlying breach was small, as shown on the OCR enforcement highlights page.

A named example: Marcus Lee, compliance officer at a Tennessee clinic, discovers a Zoom recording was stored in an unsecured personal Dropbox. Because the file was not encrypted to NIST standards, the “safe harbor” in 45 CFR 164.402 does not apply, and he must notify every affected patient within 60 days.

A common misconception is that video without a recording cannot trigger a breach. Live video disclosure — such as a Zoom bomb — is still a breach of PHI in use.

The Omnibus Rule and Direct Liability

The Omnibus Final Rule made business associates like Zoom directly liable for Security Rule compliance. That means OCR can fine Zoom, and Zoom can fine subcontractors, without suing you first.

The consequence for covered entities is shared liability, not transferred liability. You still owe OCR a compliant workflow, a signed BAA, and breach reports, even if Zoom caused the underlying incident.

A misconception is that the BAA shields the provider from fault. The BAA defines duties; it does not absolve the covered entity of its own Privacy and Security Rule obligations.

2026 Penalty Tiers and What They Cost

OCR adjusts civil money penalty tiers annually for inflation. The 2024 HHS Final Rule and subsequent updates set the 2026 tiers roughly as shown below, pending the next annual adjustment.

| Culpability Tier               | Minimum Per Violation | Annual Cap (Same Provision) |
|--------------------------------|-----------------------|-----------------------------|
| No knowledge                   | ~$141                 | ~$2,134,831                 |
| Reasonable cause               | ~$1,424               | ~$2,134,831                 |
| Willful neglect (corrected)    | ~$14,232              | ~$2,134,831                 |
| Willful neglect (uncorrected)  | ~$71,162              | ~$2,134,831                 |

These numbers come from the OCR enforcement structure detailed on the HHS enforcement page.

Criminal penalties live in 42 USC 1320d-6 and can reach ten years in prison for offenses committed with intent to sell PHI. Covered entities often forget that individuals — not just institutions — can face criminal charges.

A common misconception is that small practices are below OCR’s radar. The Hope Family Medicine corrective action plan and the $100,000 Doy Gibson right-of-access fine show that solo clinics are regularly penalized.

Three Real-World Scenarios With Zoom

Each scenario below is drawn from publicly reported investigations and common telehealth patterns. Names are illustrative.

Scenario 1: Free Zoom Used for Teletherapy

Dr. Elena Ruiz, a licensed clinical social worker in Austin, signed up for a free Zoom account during a staffing crunch and used it for forty weekly therapy sessions. She never signed a BAA and stored recordings in her personal Google Drive.

| Clinician Action                          | HIPAA Consequence                                                        |
|-------------------------------------------|--------------------------------------------------------------------------|
| Used free Zoom without a BAA              | Every session is an impermissible disclosure under 45 CFR 164.502        |
| Stored recordings on personal Google Drive | No BAA with Google, creating a second business-associate violation       |
| Failed to perform a risk analysis         | Willful-neglect tier penalties under 45 CFR 164.308 apply                |

Scenario 2: Healthcare Plan, But Default Settings

Dr. James O’Connor, an internist in New Jersey, purchased the Zoom healthcare plan and signed the BAA. He never enabled waiting rooms, allowed join-before-host, and reused the same meeting link for every patient.

| Setting Left on Default | HIPAA Consequence                                                                     |
|-------------------------|---------------------------------------------------------------------------------------|
| No waiting room enabled | Patients see each other’s names, a Privacy Rule breach under 45 CFR 164.530           |
| Reused meeting link     | Former patients rejoin unauthorized, triggering a reportable breach                   |
| Join-before-host active | Uncontrolled access violates Security Rule access controls in 45 CFR 164.312(a)       |

Scenario 3: Zoom AI Companion Summarizes Visits

Dr. Priya Shah, an endocrinologist in Seattle, enabled Zoom AI Companion to auto-summarize visits, but her organization’s BAA did not cover AI features at the time.

| AI Companion Action                         | HIPAA Consequence                                               |
|---------------------------------------------|-----------------------------------------------------------------|
| Processed PHI without BAA coverage          | Business-associate violation under 45 CFR 164.504(e)            |
| Stored transcripts in default cloud         | Potential secondary disclosure, breach analysis required        |
| No patient authorization for AI processing  | Privacy Rule violation under 45 CFR 164.508                     |

Required Zoom Settings for HIPAA-Compliant Calls

Turning on the right settings is where most small practices fail. The Zoom healthcare configuration guide lists the required toggles.

  • Enforce passcodes on every meeting, not just recurring ones.
  • Enable waiting rooms so the host admits each patient manually.
  • Require registration or authenticated sign-in for staff.
  • Turn off join-before-host and disable personal meeting IDs for patient visits.
  • Enable end-to-end encryption where clinically feasible, per Zoom’s E2EE whitepaper.
  • Disable cloud recording unless the BAA explicitly covers it; prefer encrypted local storage.
  • Turn on audit logs and review them weekly.
  • Set automatic logoff after inactivity to satisfy 45 CFR 164.312(a)(2)(iii).
  • Restrict AI Companion until the feature is explicitly included in the BAA.

The consequence of missing any one of these is a documentable Security Rule gap that OCR can cite during an audit. The OCR audit protocol spells out exactly which controls surveyors check.

A misconception is that Zoom’s defaults are “healthcare-safe.” They are not; defaults are tuned for consumer usability, and the admin must harden them.
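An added example, not Zoom's own tooling, that audits an exported account-settings snapshot against the checklist above and shows what the Scenario 2 defaults look like when checked. The setting keys are assumed names standing in for whatever your admin export uses; map them to your real export before relying on the result.

```python
"""Audit a Zoom settings snapshot against the HIPAA hardening checklist.

Added example. The keys in SETTINGS and BAA dicts are assumed/hypothetical
names chosen to mirror the checklist; they are not Zoom's API field names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str
    observed: object
    required: object
    citation: str   # Security/Privacy Rule section the checklist cites
    level: str      # "required" or "addressable" (see 45 CFR 164.312)


# Settings that must hold on every patient-facing account, with the
# Security Rule section each one supports.
UNCONDITIONAL_RULES = {
    "meeting_passcode_required": (True, "45 CFR 164.312(a)"),
    "waiting_room": (True, "45 CFR 164.312(a)"),
    "authenticated_staff_signin": (True, "45 CFR 164.312(a)(2)(i)"),
    "join_before_host": (False, "45 CFR 164.312(a)"),
    "personal_meeting_id_for_patient_visits": (False, "45 CFR 164.312(a)"),
    "audit_logs": (True, "45 CFR 164.312(b)"),
}

# Features that are acceptable only when the executed BAA lists them.
BAA_GATED = ("cloud_recording", "ai_companion")


def audit(settings: dict, baa_covers: dict) -> list[Finding]:
    """Return one Finding per gap; an empty list means no checklist gap."""
    findings = []
    for key, (required, cite) in UNCONDITIONAL_RULES.items():
        observed = settings.get(key)          # missing key counts as a gap
        if observed != required:
            findings.append(Finding(key, observed, required, cite, "required"))
    # Automatic logoff: a missing, None or zero timeout means the control is off.
    timeout = settings.get("auto_logoff_minutes") or 0
    if timeout <= 0:
        findings.append(Finding("auto_logoff_minutes", timeout, "> 0",
                                "45 CFR 164.312(a)(2)(iii)", "required"))
    for feature in BAA_GATED:
        if settings.get(feature) and not baa_covers.get(feature, False):
            findings.append(Finding(feature, True, "False unless the BAA covers it",
                                    "45 CFR 164.504(e)", "required"))
    # Encryption is an addressable specification: flag it at a lower level.
    if not settings.get("end_to_end_encryption"):
        findings.append(Finding("end_to_end_encryption",
                                settings.get("end_to_end_encryption"), True,
                                "45 CFR 164.312(e)", "addressable"))
    return findings


def harden(settings: dict, baa_covers: dict) -> dict:
    """Copy of settings with every required finding fixed; BAA-gated
    features are switched off, and a missing logoff timeout is set to an
    assumed 15 minutes."""
    fixed = dict(settings)
    for f in audit(settings, baa_covers):
        if f.level != "required":
            continue
        if f.setting == "auto_logoff_minutes":
            fixed[f.setting] = 15
        elif f.setting in BAA_GATED:
            fixed[f.setting] = False
        else:
            fixed[f.setting] = f.required
    return fixed


# Constructed snapshot modelled on Scenario 2: healthcare plan and BAA in
# place, but waiting rooms off, join-before-host on, and the PMI reused.
SCENARIO_2_SETTINGS = {
    "meeting_passcode_required": True, "waiting_room": False,
    "authenticated_staff_signin": True, "join_before_host": True,
    "personal_meeting_id_for_patient_visits": True, "audit_logs": True,
    "auto_logoff_minutes": 15, "cloud_recording": False,
    "ai_companion": False, "end_to_end_encryption": True,
}
SCENARIO_2_BAA = {"cloud_recording": False, "ai_companion": False}
```

Running `audit(SCENARIO_2_SETTINGS, SCENARIO_2_BAA)` reports exactly the three gaps in the Scenario 2 table, and `harden` clears them.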

State Laws That Stack on Top of HIPAA

HIPAA sets a federal floor, not a ceiling. Several states add stricter duties that apply to any Zoom call touching their residents.

California CMIA

The Confidentiality of Medical Information Act gives California patients a private right of action with statutory damages up to $1,000 per violation, plus actuals. A Zoom breach of a single record can produce class-wide exposure.

The consequence is that California plaintiffs do not need to prove harm, unlike HIPAA where only OCR can sue. A class action can follow any reported breach.

Texas HB 300

Texas HB 300 imposes a two-year workforce training mandate and penalties up to $1.5 million per year per category. Texas defines “covered entity” more broadly than HIPAA.

A misconception is that HB 300 only covers Texas-licensed providers. It covers anyone who receives or maintains PHI of a Texas resident.

New York SHIELD Act

The SHIELD Act requires reasonable safeguards and prompt breach notice to New York residents. Penalties run up to $5,000 per violation.

Washington My Health My Data Act

The My Health My Data Act covers “consumer health data” beyond HIPAA’s scope and grants a private right of action. Zoom recordings of wellness coaching, for example, may fall inside MHMDA even when outside HIPAA.

Comparing Zoom With Other Telehealth Platforms

Not every clinician needs Zoom. The table below compares core HIPAA-eligible features for the major telehealth competitors.

| Platform                        | BAA Offered          | Native EHR Integration | Free HIPAA Tier |
|---------------------------------|----------------------|------------------------|-----------------|
| Zoom Workplace for Healthcare   | Yes (paid only)      | Epic, Cerner via apps  | No              |
| Doxy.me                         | Yes                  | Limited                | Yes (basic)     |
| SimplePractice Telehealth       | Yes                  | Built-in EHR           | No              |
| Microsoft Teams for Healthcare  | Yes                  | Epic, Cerner           | No              |
| Google Meet with Workspace BAA  | Yes (with Workspace) | Third-party            | No              |

The consequence of choosing the wrong platform is a mismatch between clinical workflow and compliance controls. A misconception is that “bigger is safer”; in reality, a well-configured Doxy.me can be more compliant than a misconfigured Zoom.

Mistakes to Avoid

These are the most common errors OCR, state AGs, and plaintiffs’ lawyers catch.

  • Skipping the BAA entirely and relying on verbal assurance that “Zoom is compliant.”
  • Using a personal Zoom account instead of the organization’s healthcare-licensed account.
  • Reusing the same personal meeting ID for every patient, exposing prior sessions.
  • Enabling cloud recording without encryption and without BAA coverage for that feature.
  • Sharing the meeting link through an unencrypted personal email or text message.
  • Allowing Zoom AI Companion or third-party bots to join before confirming BAA coverage.
  • Failing to train staff annually, violating 45 CFR 164.308(a)(5).
  • Skipping the annual risk analysis, which OCR calls the number-one audit failure on its guidance page.
  • Ignoring state-law overlays such as CMIA, HB 300, and MHMDA when treating out-of-state patients.

Do’s and Don’ts

Do

  • Do sign the Zoom BAA before the first patient call, because without it every call is a disclosure violation.
  • Do run an annual HIPAA risk analysis covering Zoom, because it is the most-cited control in OCR audits.
  • Do enable waiting rooms and passcodes on every meeting, because they satisfy the access-control safeguard.
  • Do train every workforce member on telehealth etiquette, because the Security Rule mandates ongoing training.
  • Do document each patient’s consent to telehealth in the chart, because state licensing boards often require it in addition to HIPAA.

Don’t

  • Don’t use free Zoom for patient care, because the BAA is unavailable and the plan lacks required controls.
  • Don’t record a session without written patient authorization, because 45 CFR 164.508 requires it for many uses.
  • Don’t store recordings on personal cloud drives, because no BAA exists with your personal Google or Dropbox account.
  • Don’t share meeting links on social media or shared calendars, because that opens the door to Zoom bombing.
  • Don’t assume Zoom’s default settings are HIPAA-ready, because consumer defaults favor ease of joining.

Pros and Cons of Using Zoom for HIPAA Workloads

Pros

  • Familiar interface reduces patient training time, which improves visit completion rates.
  • Broad device support — iOS, Android, Mac, Windows, Linux — reduces access barriers for vulnerable populations.
  • Mature BAA and healthcare plan with documented controls on the Zoom Trust Center.
  • Strong audit logging and reporting, supporting the Security Rule’s audit-control requirement.
  • Integrations with Epic, Cerner, and other EHRs through the Zoom App Marketplace.

Cons

  • Higher licensing cost than purpose-built telehealth apps like Doxy.me’s free tier.
  • Feature creep — AI Companion, Team Chat, Notes — can outpace BAA coverage, creating silent violations.
  • Default settings require hardening that many small practices miss.
  • Cloud recording tempts clinicians into storage practices that exceed BAA scope.
  • Zoom’s consumer brand can confuse patients who join from a non-healthcare account.

Named Examples of Compliance and Failure

Dr. Aisha Brooks, a cardiologist in Atlanta, migrated her practice to Zoom Workplace for Healthcare in 2025, signed the BAA, ran a risk analysis, and trained her five-person staff; her OCR desk audit closed without findings.

Tom Nguyen, a licensed marriage and family therapist in Los Angeles, used free Zoom for pandemic-era sessions; when the enforcement discretion ended on May 11, 2023, he failed to migrate, and a 2024 complaint triggered both an OCR investigation and a CMIA class action.

Children’s Health of the Valley, a mid-size hospital, enabled Zoom AI Companion organization-wide before updating its BAA; compliance caught the gap during a quarterly review and filed a corrective action plan, avoiding a reportable breach.

Process: How to Make Your Zoom Calls HIPAA Compliant

Follow each step in order; skipping any step breaks the chain.

  1. Purchase the Zoom Workplace for Healthcare plan from the Zoom healthcare sales page.
  2. Sign the Business Associate Agreement inside the admin console before any patient call.
  3. Run a written risk analysis covering Zoom under 45 CFR 164.308.
  4. Harden default settings: passcodes, waiting rooms, disabled PMI, disabled join-before-host, disabled cloud recording unless covered.
  5. Enable audit logs and assign a reviewer; document the review cadence in your policies.
  6. Train every workforce member annually and on hire, with signed acknowledgments.
  7. Publish a telehealth-specific Notice of Privacy Practices updated for video visits.
  8. Obtain and document patient consent to telehealth at intake, per your state’s rules.
  9. Execute downstream BAAs with any EHR, transcription, or AI vendor linked to Zoom.
  10. Review and update your risk analysis whenever Zoom adds a new feature such as AI Companion.

The consequence of skipping step 3 is that OCR will presume willful neglect, per the OCR risk analysis guidance. A misconception is that the risk analysis is a one-time task; it is continuous and must reflect new features and threats.

Key Rulings and Enforcement Recaps

The New Vision Dental resolution agreement shows OCR’s aggressive posture on unauthorized disclosures — a practice that posted patient information online paid a penalty and entered a corrective action plan.

The Doctors’ Management Services ransomware settlement established that a missing risk analysis and inadequate audit controls support a willful-neglect finding, even when the attack vector is a third party.

The Anthem $16 million settlement — still the largest HIPAA penalty on record — anchors the principle that risk-analysis failures drive outsized fines.

State courts have reinforced this trend. The California Court of Appeal in Sutter Health litigation confirmed that CMIA claims survive even without proof of third-party viewing when confidentiality is breached.

Key Entities You Should Know

  • HHS Office for Civil Rights (OCR): the federal agency that enforces HIPAA, publishes audit protocols, and negotiates resolution agreements through the OCR enforcement page.
  • Zoom Video Communications, Inc.: the vendor; a business associate under Omnibus and subject to direct liability.
  • Covered Entity: the clinician, hospital, or health plan that originates the patient relationship.
  • Business Associate: any vendor handling ePHI for a covered entity, defined in 45 CFR 160.103.
  • State Attorneys General: empowered by HITECH to enforce HIPAA in parallel with OCR.
  • NIST: publishes encryption standards that define HIPAA’s “safe harbor” for unsecured PHI in NIST SP 800-111.
  • Federal Trade Commission (FTC): enforces the Health Breach Notification Rule for non-HIPAA digital health tools.

FAQs

Is the free version of Zoom HIPAA compliant?

No. Free Zoom cannot be made HIPAA compliant because Zoom will not sign a BAA for free accounts, and several required security features are disabled on that tier.

Does Zoom sign a Business Associate Agreement?

Yes. Zoom signs a BAA, but only with customers on the Zoom Workplace for Healthcare plan or equivalent eligible tier, executed through the admin console.

Is Zoom Phone HIPAA compliant?

Yes. Zoom Phone is HIPAA eligible when included in a healthcare BAA, but voicemails and transcripts must stay inside Zoom’s encrypted storage rather than personal devices.

Can I record a Zoom telehealth session?

Yes. You may record with patient authorization and BAA coverage, but cloud-recording features and storage locations must be explicitly listed in the signed BAA.

Is Zoom AI Companion HIPAA compliant?

Yes. AI Companion is HIPAA eligible only when your BAA specifically covers it; older BAAs signed before AI features launched may not include it, requiring an amendment.

Does the HHS telehealth enforcement discretion still apply in 2026?

No. Enforcement discretion ended on May 11, 2023, and all telehealth visits since then must meet full HIPAA requirements with a signed BAA.

Do state laws like CMIA apply to Zoom calls?

Yes. CMIA, Texas HB 300, New York SHIELD, and Washington MHMDA each apply when a call touches their residents, and many offer private rights of action HIPAA does not.

Is FaceTime or WhatsApp a legal alternative to Zoom for telehealth?

No. Apple and Meta do not sign BAAs for consumer FaceTime or WhatsApp, so using them for patient care creates the same violation as free Zoom.

Can a solo practitioner be fined for a Zoom HIPAA breach?

Yes. OCR routinely fines solo practices; willful-neglect penalties can exceed $71,000 per violation in 2026, and state AGs add parallel claims.

Does encryption alone make Zoom HIPAA compliant?

No. Encryption satisfies one technical safeguard, but the Security Rule also requires risk analysis, training, access controls, audit logs, and administrative policies.

Is a Zoom webinar with patients HIPAA compliant?

Yes. A webinar can be compliant if run under a healthcare BAA with attendee controls, but group visibility of patient names usually requires written authorization.

Do I need patient consent to use Zoom for a visit?

Yes. Most state medical boards and many payers require documented telehealth consent, and HIPAA’s minimum-necessary standard supports documenting the patient’s acknowledgment.