Is Zoom Secure for Therapy? HIPAA, Encryption & More

Zoom can be secure enough for therapy, but only when the therapist uses the right version and configures it properly. The standard free Zoom account that most people use for work calls and family chats is not designed for healthcare. Therapists need a specific Zoom plan that supports HIPAA compliance, along with a signed Business Associate Agreement (BAA) between their practice (or institution) and Zoom. Without that agreement in place, Zoom has no legal obligation to protect your health information.

What Makes Zoom HIPAA-Compliant

HIPAA is the federal law that governs how your health information is handled. For a platform like Zoom to qualify, two things need to happen: the software itself must have adequate security features, and the organization using it must sign a BAA with Zoom. That agreement makes Zoom contractually responsible for safeguarding any protected health information that passes through the platform.

Zoom offers BAAs to healthcare organizations and licensed providers on its paid plans. Large institutions like universities and hospital systems typically negotiate these agreements at the organizational level. A solo therapist in private practice can also obtain a BAA, but they need to be on an eligible paid plan and actively request it. If your therapist is using a free Zoom account or hasn’t signed a BAA, your sessions aren’t covered by HIPAA protections on Zoom’s end, even if the therapist themselves is bound by HIPAA.

Zoom also provides audit controls designed for HIPAA compliance. The platform logs all connections, which simplifies the audit trail if a breach ever occurs and helps practices demonstrate they’re meeting regulatory requirements.

Encryption and How Your Data Is Protected

Zoom encrypts data in transit, meaning your video and audio are scrambled as they travel between your device and Zoom’s servers. For most therapy sessions, this standard encryption prevents anyone intercepting the connection (on a shared Wi-Fi network, for example) from seeing or hearing your session. What it does not do on its own is keep the content away from Zoom’s servers, which handle the stream in order to relay it between participants.

Zoom also offers end-to-end encryption (E2EE), which goes a step further. With E2EE enabled, even Zoom itself cannot access the content of your call. However, there’s a trade-off: enabling E2EE disables some features, and it may not work through the browser version of Zoom at all, requiring the desktop or mobile app instead. Not every therapist has E2EE turned on, so if this matters to you, it’s worth asking.
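The toy model below is an added illustration, not code from the article and not Zoom’s actual protocol. It shows the practical difference between the two modes in terms of who holds the key that opens the media: with transport-only encryption the relay server decrypts and re-encrypts every message and therefore sees the content; with E2EE the participants share a meeting key the server never receives, so it can only forward bytes it cannot open. The cipher, the relay server and the sample message are all constructed for the example; real E2EE systems use standard ciphers and a public-key exchange to distribute the meeting key.

```python
"""Toy model: transport-only encryption vs end-to-end encryption (E2EE).

Constructed for illustration. The cipher is a teaching toy built from SHA-256
and HMAC, not a production cipher, and RelayServer stands in for a video
platform's infrastructure. The point is who holds the key that opens the
media: the server (transport-only) or only the participants (E2EE).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256 (toy, illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, so a wrong key is rejected instead of yielding garbage."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class RelayServer:
    """Stands in for the platform. Records every plaintext it was able to read."""
    transport_keys: Dict[str, bytes]                    # one key per client connection
    observed_plaintext: List[bytes] = field(default_factory=list)

    def relay_transport_only(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Transport encryption terminates at the server: it decrypts with the sender's
        # connection key and re-encrypts with the recipient's. Content is in the clear here.
        plaintext = decrypt(self.transport_keys[sender], blob)
        self.observed_plaintext.append(plaintext)
        return encrypt(self.transport_keys[recipient], plaintext)

    def relay_e2ee(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # With E2EE the server forwards bytes it cannot open; its own key fails the tag check.
        # (In a real system the E2EE payload also rides inside transport encryption, which the
        # server can remove, but what it finds inside is still ciphertext.)
        try:
            self.observed_plaintext.append(decrypt(self.transport_keys[sender], blob))
        except ValueError:
            pass
        return blob


def run_session(e2ee: bool) -> Tuple[bytes, bool]:
    """Send one constructed message therapist -> client.

    Returns (what the client received, whether the server could read the content)."""
    message = b"constructed sample: session content"
    server = RelayServer(transport_keys={
        "therapist": secrets.token_bytes(32),
        "client": secrets.token_bytes(32),
    })
    if e2ee:
        # Meeting key known only to the participants. Real E2EE distributes it with a
        # public-key exchange; here it is simply generated outside the server's view.
        meeting_key = secrets.token_bytes(32)
        delivered = server.relay_e2ee("therapist", "client", encrypt(meeting_key, message))
        received = decrypt(meeting_key, delivered)
    else:
        delivered = server.relay_transport_only(
            "therapist", "client", encrypt(server.transport_keys["therapist"], message))
        received = decrypt(server.transport_keys["client"], delivered)
    return received, message in server.observed_plaintext


if __name__ == "__main__":
    for mode in (False, True):
        received, server_could_read = run_session(mode)
        label = "E2EE" if mode else "transport-only"
        print(f"{label:15} delivered intact: {received == b'constructed sample: session content'}, "
              f"server could read content: {server_could_read}")
```

Both modes deliver the message intact; the only thing that changes is the second value, which is what the trade-off in the paragraph above is about: E2EE removes the server’s ability to read the stream, and with it the server-side features that depend on that ability.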

Security Features Your Therapist Should Be Using

The biggest real-world risk to a therapy session isn’t a sophisticated hacker. It’s an uninvited person joining the call. Zoom offers several features to prevent this, and a security-conscious therapist should have them enabled.

Passcodes: Every Zoom meeting can require a passcode to join. When your therapist sends you a meeting link, the passcode is typically embedded in it so you can join with a single click. But if someone tries to enter the meeting by typing in the meeting ID manually, they’ll also need the passcode. This alone blocks most unauthorized access.

Waiting rooms: This feature lets the therapist see who is trying to join before admitting them. Instead of participants dropping straight into the session, they sit in a virtual lobby until the therapist lets them in. This prevents anyone from joining early or slipping into a session unnoticed.

Locking the meeting: Once both you and your therapist are in the session, the therapist can lock the meeting entirely so no one else can join, even with the correct link and passcode.

If your therapist sends you a Zoom link without a passcode and you land directly in the session with no waiting room, that’s a sign their security settings could be tighter.
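To show how the three controls described above fit together, here is an added admission-control model (not code from the article, and not Zoom’s own implementation). It runs the same scripted join attempts against a loose setup (no passcode, no waiting room) and a hardened one (passcode, waiting room, then lock), and records the outcome of each attempt. The passcode and the participant names are constructed for the example.

```python
"""Toy admission-control model for three meeting protections: passcode,
waiting room and lock. Constructed for illustration; not a video platform's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Meeting:
    passcode: Optional[str]            # None models a link sent with no passcode at all
    waiting_room: bool
    locked: bool = False
    lobby: List[str] = field(default_factory=list)
    participants: List[str] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def join(self, name: str, passcode: Optional[str]) -> str:
        """Evaluate a join attempt in the order the controls apply."""
        if self.locked:
            outcome = "rejected: meeting locked"            # lock beats even a correct passcode
        elif self.passcode is not None and passcode != self.passcode:
            outcome = "rejected: wrong or missing passcode"
        elif self.waiting_room:
            self.lobby.append(name)
            outcome = "held in waiting room"                 # host must admit explicitly
        else:
            self.participants.append(name)
            outcome = "admitted"                             # nothing stood between link and session
        self.audit_log.append(f"join by {name!r}: {outcome}")
        return outcome

    def admit(self, name: str) -> bool:
        """Host reviews the lobby and admits a recognised client; others keep waiting."""
        if name not in self.lobby:
            return False
        self.lobby.remove(name)
        self.participants.append(name)
        self.audit_log.append(f"host admitted {name!r}")
        return True

    def lock(self) -> None:
        """Once everyone expected is in, refuse all further joins."""
        self.locked = True
        self.audit_log.append("host locked the meeting")


def compare_configurations() -> Dict[str, str]:
    """Run the same join attempts against a loose setup and a hardened one."""
    results: Dict[str, str] = {}

    # Loose: no passcode, no waiting room. Anyone with the meeting ID lands in the session.
    loose = Meeting(passcode=None, waiting_room=False)
    loose.join("client", None)
    results["loose / stranger with meeting ID only"] = loose.join("stranger", None)

    # Hardened: passcode required, waiting room on, host locks once the client is in.
    hardened = Meeting(passcode="482913", waiting_room=True)   # constructed passcode
    results["hardened / stranger with meeting ID only"] = hardened.join("stranger", None)
    hardened.join("client", "482913")                         # client waits in the lobby
    results["hardened / stranger with leaked link+passcode"] = hardened.join("stranger", "482913")
    hardened.admit("client")                                  # host recognises the client
    hardened.lock()
    results["hardened / latecomer with correct passcode after lock"] = hardened.join("latecomer", "482913")
    results["hardened / final participants"] = ", ".join(hardened.participants)
    return results


if __name__ == "__main__":
    for scenario, outcome in compare_configurations().items():
        print(f"{scenario:55} -> {outcome}")
```

The scenarios are layered on purpose: the passcode stops someone who only has the meeting ID, the waiting room stops someone who somehow has the full link and passcode, and the lock stops anyone at all once the session is under way. The audit log the model keeps is the kind of record the audit-controls paragraph earlier refers to.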

What Happens If Sessions Are Recorded

Most therapists do not record sessions, but some may ask your permission to do so for clinical or training purposes. If a recording is stored in Zoom’s cloud, it’s subject to a standard 60-day retention period on HIPAA-compliant accounts, after which the files are automatically deleted. Your therapist would need to download any recordings within that window if they want to keep them longer.

The important detail here is where those downloaded recordings end up. Not every storage platform is HIPAA-compliant. A recording saved to a personal Google Drive or a non-compliant video server could create a privacy gap even if the Zoom session itself was secure. If your therapist records sessions, you’re within your rights to ask where and how those recordings are stored.

What You Can Do on Your End

Your therapist controls the Zoom settings, but half of the privacy equation is on your side. The most common way therapy content gets exposed isn’t through a platform breach. It’s through someone in your physical environment overhearing or seeing your screen.

Use headphones so your therapist’s voice isn’t audible to anyone nearby. Choose a private room with a closed door when possible. If you’re in a shared space, even a parked car with the windows up is better than a living room where someone could walk in. Avoid using a shared or work computer for sessions, since browser history, cached data, or screen-sharing notifications could inadvertently reveal that you’re in therapy.

The Zoom desktop app and mobile app generally offer more security features than the browser version. End-to-end encryption, for instance, may only be available through the app. If your therapist has E2EE enabled and you try to join through a browser, you might not be able to connect at all. Installing the app also gives you more control over audio and video settings before joining.

How to Tell If Your Therapist’s Setup Is Secure

You don’t need to understand the technical details to get a sense of whether your therapist takes telehealth security seriously. A few practical signs to look for:

  • They use a paid, professional Zoom account. The meeting link should consistently come from a professional-looking Zoom URL tied to their practice, and ideally use a fresh meeting ID for each session rather than a personal meeting ID that never changes.
  • You encounter a waiting room or passcode. Both of these indicate the therapist has configured basic meeting security.
  • They mention HIPAA compliance. Many therapists include a telehealth consent form at intake that specifically addresses the platform they use and how your data is protected. If you haven’t seen one, ask.
  • They don’t use the free version. Free Zoom accounts cannot have a BAA, which means they fall outside HIPAA’s platform-level protections entirely.

Zoom is not the only option for teletherapy. Platforms like Doxy.me, SimplePractice, and TherapyNotes were built specifically for healthcare and come with HIPAA compliance built in from the start. Some therapists prefer these because there’s less configuration involved. But a properly set up Zoom account with a signed BAA, encryption enabled, and meeting security features turned on provides a comparable level of protection. The platform matters less than whether your therapist has taken the steps to configure it correctly.