Is Zoom HIPAA Compliant?
- February 17, 2022
- Posted by: Srestha Roy
- Category: Healthcare Compliance
As COVID-19 surged, the US Department of Health and Human Services published recommendations on telehealth remote communications in March 2020.
This notice temporarily made telemedicine more accessible by waiving penalties for HIPAA violations committed “in good conscience” by a provider.
In other words, until further announcements, all Zoom plans, including Free and Pro, can be used under HIPAA. That was not the case earlier, so how did Zoom become compliant, and what was going wrong before?
Zoom was not designed for healthcare, and it lacked features intended expressly to support treating patients online and storing patient data.
As a result, HIPAA security and privacy standards were not considered when Zoom was built. So how does it comply with HIPAA now?
To answer that, we first need to understand the following points, which repurposed Zoom to be suitable for HIPAA compliance.
How Zoom Enables HIPAA Compliance – Breaking Down the Requirements
1. Access Control
Zoom uses the Advanced Encryption Standard (AES) to encrypt data in motion at the application layer. On top of that, access controls are layered across the admin, owner, and user roles.
Access to the web and mobile applications is restricted: a validated email address and password are required. Meeting access can be protected by a passcode or a waiting room, in line with HIPAA compliance policies.
Zoom does not publish meeting schedules. Zoom uses a redundant, distributed network to provide high availability and security redundancy, which helps maintain the accessibility that HIPAA-compliant software requires.
Organizations can choose from a variety of data center regions; this determines where information flows on its way to your account, while the storage location of data at rest is unaffected. The meeting host can quickly dismiss attendees.
Privacy features let you control your session: individual or group admission, waiting rooms, mandatory meeting passcodes, and closed-room capabilities all regulate who is admitted to a session.
This allows Zoom to meet the access control standards of HIPAA compliance and supports its adoption among healthcare practitioners and patients.
2. Audit Controls
Zoom’s secure and scalable infrastructure transports data in motion. For sound and reliability considerations, all platform interactions are logged. This provides audit controls for healthcare professionals and patients and thus meets the HIPAA standard.
Physicians and doctors can act as account administrators, with added security controls to manage administration at the personal, group, and organizational levels.
3. Integrity Mechanism
Zoom protects the data and service layers with multilayer integrity protection. Safeguards are in place to preserve and encrypt meeting information, and digital signatures are used to verify the integrity of application executables.
Data connections are secured with TLS 1.2 encryption and PKI certificates issued by a trusted commercial certificate authority. Access to the web and applications is restricted by a validated email address and password.
These mechanisms help authenticate electronic protected health information and verify that the data is intact and unaltered.
4. Person or Entity Authentication
Zoom follows the entity authentication standards in the HIPAA guidelines: doctors and physicians get access to the web and applications only with a validated email address and password.
The meeting host must use a distinct email address and account password to sign in to Zoom.
The host can restrict screen sharing to a specific desktop or window. Individual or group entry, waiting rooms, mandatory meeting passcodes, and closed-room capabilities are all available as privacy options.
5. Transmission Security
Zoom keeps up with the HIPAA standards by protecting the electronic health information maintained on the platform. Electronic health records are protected with 256-bit AES-GCM encryption.
Encryption helps protect health data, and integrity controls ensure that patient information is not changed in an unauthorized way.
Zoom For Healthcare
Zoom for Healthcare is a web-based digital healthcare video conferencing solution that enables patients to interact with their healthcare provider from anywhere in the world using a mobile device, tablet, or personal computer.
It has authentication measures in place. Authentication means putting procedures in place to ensure that an entity requesting access to electronic protected health information is who it claims to be.
Zoom supports two types of authentication: OAuth 2.0 for validating a user’s identity and JSON Web Tokens (JWT) for verifying server-to-server apps.
A study on Zoom states that JWT authentication is best used for sending data to and from Zoom between trusted services or servers.
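As an added illustration of the server-to-server JWT flow described above (example code written for this page, not Zoom’s SDK or documentation), the block below mints and verifies an HS256 JWT with a short expiry using only the Python standard library. The issuer name, shared secret and claim set are constructed for the demo; the checks a verifier must do (pinned algorithm, constant-time signature comparison, issuer, expiry) are the point.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment would load the shared secret from a vault.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(issuer: str, secret: bytes, ttl_seconds: int = 60, now: Optional[int] = None) -> str:
    """Mint a compact HS256 JWT carrying the issuer and a short expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "iat": now, "exp": now + ttl_seconds}
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)]
    signature = hmac.new(secret, ".".join(segments).encode(), hashlib.sha256).digest()
    return ".".join(segments + [_b64url(signature)])


def verify_token(token: str, secret: bytes, expected_issuer: str, now: Optional[int] = None) -> dict:
    """Check algorithm, signature, issuer and expiry; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own "alg" pick the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if now >= int(payload.get("exp", 0)):
        raise ValueError("token expired")
    return payload
```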
Zoom for Healthcare has access control measures in place, as required by the Security Rule, to govern who or what can view or use resources.
Zoom for Healthcare is the only HIPAA-compliant conference call provider on the market that supports a large number of participants in a HIPAA-compliant environment, making it an interesting choice for organizations that collaborate and coordinate, undertake periodic employee training, or need to share information with service users.
To top it all off, the protection behind HIPAA-compliant Zoom for Healthcare was crafted with PHI in mind, guaranteeing that while Zoom transmits PHI, it does not have direct exposure to it.
Pros And Cons Of Zoom
How can you determine if Zoom is the best telehealth solution for you when there are so many options? Let’s take a look at some of the advantages and disadvantages of the popular video conferencing software.
Zoom’s Advantages in Healthcare
- Zoom is fully HIPAA compliant, which encourages wider adoption by healthcare professionals.
- It allows for group supervision, keeping all records in one place and streamlining available resources to the practitioner’s needs.
- Zoom provides video calls of excellent quality, so the practitioner and patient have no difficulty communicating, which maintains transparency between the two during consultations or treatments.
- Zoom also supports patient privacy with a waiting room, so patients experience no discomfort.
Zoom’s Drawbacks in Healthcare
- Monthly payments of $200 or more can be prohibitively expensive.
- It is better suited to client care than to supervision.
Integrating Zoom With An API
According to a recent article, Zoom has gained tremendous traction in recent months, with several prominent healthcare companies integrating Zoom with their EMR platforms to start televisits between clinicians and patients.
Simple and robust telehealth APIs are available on the platform, allowing seamless connection with existing EMR platforms.
More crucial than the integration itself is creating a proper tele-visit workflow: organizing the visit, presenting visits in the right bookings in your EMR on mobile and desktop, and offering a suitable interface in the provider and patient portals or apps.
If you’re thinking about connecting Zoom with your EMR, pay special attention to those processes, because the connection with Zoom itself will be simple.
Let’s take a closer look at these APIs and how they work.
1. Televisit APIs
If you already have a Zoom collaboration deployment, you might want to consider setting up a separate account for tele-visits.
Tele-visits may require different account-level settings (such as enabling HIPAA features), and you may want periodic reports that only include tele-visit sessions.
Zoom covers this through its integration and API. It is also implementing another consolidated-level customization feature soon, which will be quite useful.
2. Waiting Room or Meeting Lobby Indicator
Zoom is working on customizing the waiting room so you can upload a custom image or change the wording patients see while they wait for the clinician.
A typical use is letting the provider see whether the patient is already waiting in the lobby.
Go to your Zoom account integrations page (https://zoom.us/account/integration), choose Epic, and set the callback URL.
It’s worth noting that this isn’t exclusive to Epic; it can be used as a Zoom notification response with any EMR.
3. Security
This application auto-generates an encrypted password for the tele-visit session when it constructs the meeting URL, so nobody else can join even if they know the session ID. The URL that Zoom returns to the EMR includes this passcode.
The passcode is refreshed every time the URL is generated. Zoom has no access to the client’s or practitioner’s identity (emails, contact information, labels, etc.).
End-to-end AES-256 encryption is used for all video and audio communication. The credentials used for a tele-visit can also be deactivated and annotated.
The API is structured so that the first and last names passed in the URL are optional; they are only used to display names in the preview pane and are not stored.
4. Licensing
These televisit APIs are provided free of charge. All you need is a paid Zoom account with enough host licenses for the providers.
For the time being, Zoom doesn’t offer a developer-only membership for testing, so you’ll have to either pay for a Zoom subscription or use one you already have. Zoom is also working on making free developer accounts available soon.
What Else Does Zoom Do To Keep You Safe?
If you’re a healthcare professional who wants to use Zoom to continue providing healthcare to your patients, you’ll first need to sign a Business Associate Agreement, which commits Zoom to providing the confidentiality and privacy you require.
You might be curious about what else has been done to ensure safety. When you sign this agreement, you receive the following security features:
- Cloud recording is disabled for all calls, since consultation calls cannot be retained and information from those calls cannot be kept after the call has ended.
- Encrypted chat is enabled. This is vital because you don’t want someone who has broken into your chats to see any of your personal information; this is how HIPAA protects your personal information from being shared in any way.
- You can require third-party security to make sure that the information of everyone else who joins the call is encrypted. This may be necessary if two counselors or specialists are on the same call.
- You won’t be able to see your doctor in the same room, but you will be able to view them on a video call.
- The call’s text communications will be encrypted.
- After the encryption key exchange, offline communications will be read-only.
Bottom Line
Zoom is safe to use, securely encrypted, and can be used to get the medical attention you need. Zoom’s commitment to HIPAA compliance is critical for you, since it is the only way to secure your safety while using the program to receive medical care.
Just make sure your healthcare professional has executed a Business Associate Agreement with Zoom, which ensures you can meet with specialists, physicians, counselors, and other healthcare experts using HIPAA-compliant video conferencing.