No, Zoom’s free plan is not HIPAA compliant. Zoom only signs a Business Associate Agreement, which is legally required for HIPAA compliance, with customers on paid plans. Without a BAA in place, using Zoom to discuss or transmit protected health information violates HIPAA rules, regardless of how you configure the software.
Why the Free Plan Falls Short
HIPAA requires a covered entity to have a Business Associate Agreement in place with any vendor that creates, receives, maintains, or transmits protected health information (PHI) on its behalf. The BAA makes the vendor contractually and legally responsible for safeguarding that data. Zoom explicitly limits BAA eligibility to its Pro, Business, Business Plus, Enterprise, and other paid tiers listed on its pricing page. The free (Basic) plan is not included.
This distinction matters more than it might seem. Even though free Zoom uses the same encryption and interface, a BAA is not optional under HIPAA. It’s a legal document that defines how the vendor will protect data, report breaches, and limit how information is used. Without one, a healthcare provider carries full liability for any data exposure that occurs during a session.
The COVID-Era Exception Is Over
During the pandemic, the HHS Office for Civil Rights announced enforcement discretion that allowed providers to use widely available, non-public-facing video tools for telehealth in good faith, even without a BAA, without facing penalties. That discretion expired on May 11, 2023, with a 90-day transition period that ended on August 9, 2023. Providers are now expected to be fully compliant with HIPAA rules for every telehealth visit. If you were using free Zoom under that temporary flexibility, that protection no longer applies.
What a Paid Plan Costs
The most affordable HIPAA-eligible option is Zoom’s Workplace Pro plan, which starts at $14.16 per month per user when billed annually. After subscribing, you still need to contact Zoom to execute a BAA before using the platform for any patient-related communication. Simply paying for the plan does not automatically make your account HIPAA compliant.
Configuration Settings That Compliance Requires
Signing a BAA and paying for a plan is only the first step. Zoom must also be configured with specific security settings to meet HIPAA standards. Several default features need to be turned off, and others need to be enabled. Getting this wrong can still result in a violation even with a paid account and a signed BAA.
Key settings for a HIPAA-compliant Zoom account include:
- Waiting room: Must be enabled so that the host admits each participant individually. The option for attendees to join before the host must be disabled.
- Cloud recording: Must be disabled. Zoom requires this setting off on BAA-covered accounts, which also removes automatic cloud transcription.
- File transfer in chat: Must be disabled so that PHI is not copied to devices outside the provider's control.
- Auto-saving chats: Must be disabled. A host can still save a chat manually before the meeting ends, but automatic saving writes transcripts to disk without anyone deciding they should exist.
- Live streaming: Must be disabled entirely, including streaming to Facebook or to a custom streaming service.
- Guest identification: Must be enabled so the host can see when someone outside the organization is in the meeting.
- Join/leave sounds: Must be enabled so the host notices every participant entering or exiting.
- Encryption for third-party endpoints: Must be required, so that room systems joining over H.323 or SIP cannot connect unencrypted.
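A settings checklist is only useful if someone actually verifies it, and it drifts when an admin flips a toggle months later. The script below is an added example (not Zoom's code and not from the original article) that audits an exported settings document against the baseline above and reports every setting that is wrong or absent. The nested JSON shape and the dotted field names are assumptions modelled on the general layout of Zoom's account/user settings API; confirm them against what your tenant's API actually returns before relying on the result. The two sample documents are constructed for the example.

```python
"""Audit a Zoom settings export against the HIPAA baseline described above.

Added example, not Zoom's own tooling. Field names below are ASSUMED to
resemble Zoom's settings API and must be mapped to your tenant's real keys.
"""
import json
from typing import Any

# Required value for each setting, keyed by an assumed dotted path into the
# settings document, plus the reason the baseline demands it.
HIPAA_BASELINE: dict[str, tuple[Any, str]] = {
    "in_meeting.waiting_room": (True, "host must admit every participant"),
    "schedule_meeting.join_before_host": (False, "nobody enters before the host"),
    "recording.cloud_recording": (False, "no PHI in Zoom cloud recordings"),
    "in_meeting.file_transfer": (False, "no PHI files sent to arbitrary devices"),
    "in_meeting.auto_saving_chat": (False, "chat must not be saved automatically"),
    "in_meeting.allow_live_streaming": (False, "no streaming to Facebook/custom services"),
    "in_meeting.identify_guest_participants": (True, "external attendees are flagged"),
    "in_meeting.entry_exit_chime": ("all", "host hears every join and leave"),
    "in_meeting.require_encryption_for_3rd_party": (True, "H.323/SIP endpoints must encrypt"),
}

MISSING = "MISSING"  # reported as the actual value when a key is absent


def lookup(settings: dict, path: str) -> Any:
    """Walk a dotted path; return MISSING rather than raising if any part is absent.
    An absent key is a finding, not a pass: a setting you cannot see is one
    you cannot attest to."""
    node: Any = settings
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def audit(settings: dict) -> list[tuple[str, Any, Any, str]]:
    """Return (path, actual, required, reason) for every setting that deviates
    from or is missing in the baseline. An empty list means the export matches."""
    findings = []
    for path, (required, reason) in HIPAA_BASELINE.items():
        actual = lookup(settings, path)
        if actual == MISSING or actual != required:
            findings.append((path, actual, required, reason))
    return findings


# Constructed sample: looks like a default account that was never hardened,
# and lacks the third-party encryption key entirely.
NONCOMPLIANT_SAMPLE = json.loads("""
{
  "schedule_meeting": {"join_before_host": true},
  "in_meeting": {
    "waiting_room": false,
    "file_transfer": true,
    "auto_saving_chat": false,
    "allow_live_streaming": true,
    "identify_guest_participants": true,
    "entry_exit_chime": "host"
  },
  "recording": {"cloud_recording": true}
}
""")

# Constructed sample: every baseline setting present and correct.
COMPLIANT_SAMPLE = json.loads("""
{
  "schedule_meeting": {"join_before_host": false},
  "in_meeting": {
    "waiting_room": true,
    "file_transfer": false,
    "auto_saving_chat": false,
    "allow_live_streaming": false,
    "identify_guest_participants": true,
    "entry_exit_chime": "all",
    "require_encryption_for_3rd_party": true
  },
  "recording": {"cloud_recording": false}
}
""")


def report(settings: dict) -> str:
    """Human-readable audit summary for a settings document."""
    findings = audit(settings)
    if not findings:
        return "PASS: all baseline settings present and correct"
    lines = [f"FAIL: {len(findings)} deviation(s)"]
    for path, actual, required, reason in findings:
        lines.append(f"  {path}: is {actual!r}, must be {required!r} ({reason})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(NONCOMPLIANT_SAMPLE))
    print(report(COMPLIANT_SAMPLE))
```

Run it against a real export by replacing the constructed samples with the JSON your settings API returns. Treat a MISSING entry as a failure to investigate, not as a pass; and remember that this checks configuration only, not whether a BAA has been executed for the account.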
What Zoom Encrypts on Paid Plans
Zoom uses 256-bit AES-GCM encryption across all paid plans, covering video, audio, keystrokes, and screen shares. This is encryption of the media in transit with keys managed by Zoom's servers; it is not end-to-end encryption unless that separate option is enabled, and it is the BAA, not the cipher, that governs how Zoom may handle the data once it has it. Multi-layered access controls are built in: accounts require verified emails and passwords, meetings are passcode-protected by default, and automatic meeting timeouts prevent sessions from staying open indefinitely. These protections apply to all paid tiers, not just healthcare-specific plans.
Healthcare-Specific Features on Paid Plans
Beyond basic video conferencing, Zoom’s paid healthcare plans offer integrations with major electronic health record systems like Epic, Cerner, and Ellkay. The Epic integration, for example, lets providers launch a Zoom visit directly from within the EHR, get notified when a patient joins, and continue documenting notes during the call. Zoom Phone, available as an add-on, lets staff make and receive patient calls with a consistent caller ID, protecting personal phone numbers. Automated text message reminders for appointments are also available through scheduling integrations.
These features are designed for clinical workflows and go well beyond what the free plan offers, but they’re not required for basic HIPAA compliance. A solo practitioner doing straightforward telehealth visits can meet HIPAA requirements with a properly configured Pro plan and a signed BAA.
Who Bears the Responsibility
Even with a paid plan, a signed BAA, and correct settings, HIPAA violations can still occur through user behavior. Disclosing more patient information than necessary during a call, allowing unauthorized people into a session, or failing to verify participant identity are all provider-side violations that Zoom’s technology cannot prevent. The covered entity, meaning the healthcare provider or organization, is ultimately responsible for ensuring the platform is used in compliance with HIPAA’s privacy and security rules.