Zoom can be HIPAA compliant, but only if you’re on a paid plan and sign a Business Associate Agreement (BAA) with Zoom. The free version of Zoom does not qualify. Once the BAA is in place, Zoom takes responsibility for keeping patient information secure and reporting any security breaches involving protected health information (PHI). Without that agreement, using Zoom for telehealth visits or any conversation involving patient data is a HIPAA violation.
What Makes Zoom HIPAA Compliant
HIPAA doesn’t certify software. Instead, it requires that any third-party service handling patient data sign a BAA, a legal contract that obligates the vendor to protect that data and notify you if it’s ever breached. Zoom offers this agreement to healthcare customers on eligible paid plans.
Once the BAA is signed, Zoom encrypts all audio, video, and screen sharing data. The HIPAA-configured version of Zoom also automatically adjusts several default settings to reduce the risk of PHI leaking outside the platform. Cloud recordings are disabled, in-meeting file transfers are turned off, auto-saving of chat logs is disabled, and remote control of screens is blocked. These restrictions exist to prevent patient data from being transmitted to or stored in a non-compliant environment.
Chat messages within meetings are still available but use end-to-end encryption, meaning only the intended recipient can read them. Users can send files, pictures, and screenshots through encrypted chat, though some features like the GIF library and message editing are turned off. If you need a record of the chat, you can save it manually before the meeting ends, but it won’t be saved automatically.
Which Plans Qualify
You need at least a Workplace Pro plan, which currently costs $14.16 per user per month when billed annually. Higher-tier plans, including Workplace Business, Business Plus, and Enterprise, also support HIPAA compliance but require you to contact Zoom’s sales team for pricing and to execute the BAA.
The free tier of Zoom does not support a BAA and cannot be used for any interaction involving patient health information.
How to Sign the BAA
The process depends on whether you’re buying a new plan or already have one.
If you’re purchasing a Pro plan for the first time, you can sign the BAA during checkout. On the checkout page, select “United States Agreement (BAA)” in the business country dropdown, review the agreement, and accept. For Business, Business Plus, or Enterprise plans, you’ll need to contact Zoom’s sales team to sign the BAA separately.
If you already have a qualifying paid plan but haven’t signed a BAA yet, sign in to the Zoom web portal, go to Plans and Billing, then Plan Management. Scroll to the “Discover our other popular products” section, click “view more products,” and look for the Business Associate Agreement option. Click Enable, review the agreement, and accept. Canadian customers will see an option for a Personal Health Information Annex (PHIA) instead.
Once the BAA is executed, Zoom states that no additional manual configuration is required. The platform automatically applies HIPAA-appropriate settings to your account.
What You’re Still Responsible For
Signing the BAA makes Zoom responsible for its infrastructure, encryption, and breach reporting. But HIPAA compliance is a shared responsibility, and several things fall squarely on the person hosting the meeting.
You should never list a meeting publicly if it could involve patient information. Every meeting should require a password, which you set when scheduling by checking “Require meeting password” and choosing a password. Participants will need to enter this password to join, and you can include it in the meeting invitation sent to your patient.
Recordings are another area where your responsibility matters. Because cloud recording is disabled on HIPAA-compliant Zoom accounts, any recording you make will be saved locally to your computer. That local file should be treated as PHI and stored in a secure, encrypted folder, not left on your desktop or in an unprotected directory.
Other practical steps include using waiting rooms to screen participants before they enter, locking the meeting once all expected attendees have joined, and avoiding screen sharing of any documents containing patient information unless necessary. The platform gives you the security tools, but you have to actually use them.
What’s Disabled in HIPAA Mode
It’s worth understanding exactly what changes when your Zoom account is configured for HIPAA, because some features you’re used to will no longer work.
- Cloud recordings: Completely disabled. All recordings must be saved locally and secured on your device.
- In-meeting file transfer: Participants cannot share files through the meeting chat window.
- Auto-saving chats: Chat logs are not automatically saved. You must manually save them before the meeting ends if you need a record.
- Remote control: The ability for one participant to control another’s screen is turned off.
- GIF library and message editing: Within encrypted chat, you cannot search GIFs or edit messages after sending them.
These restrictions can feel inconvenient, but each one closes a specific pathway through which PHI could end up in an unsecured location. If your organization needs any of these features re-enabled for non-clinical meetings, you’d typically need a separate Zoom account or group that isn’t under the HIPAA configuration.
Common Mistakes That Break Compliance
The most frequent issue isn’t a technical failure. It’s using a personal or free Zoom account for a telehealth session because the HIPAA-compliant account wasn’t set up yet or seemed like too much hassle. Without the BAA, there is no legal obligation for Zoom to protect that data, and the healthcare provider is fully liable.
Another common mistake is recording a session to the cloud out of habit. On a properly configured HIPAA account this won’t be possible, but if the account settings were never switched or the provider is using the wrong account, cloud recordings could store unencrypted patient conversations on Zoom’s servers without the proper safeguards.
Sharing meeting links on social media or public websites, skipping passwords, and letting patients forward meeting links to unauthorized people are all avoidable risks. The technology side of compliance is largely handled by Zoom once the BAA is signed. The human side is where most violations happen.

