Zoom Meetings for HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. For video conferencing, the solution and its security architecture must, among other controls, provide end-to-end encryption and meeting access controls so that data in transit cannot be intercepted.

Who Should Use?

If you interact with the following types of data, you may need to use additional security features and settings:

  • Protected Health Information (PHI) is any health information that can identify an individual, or is derived from identifiable information.

Even if you do not interact with PHI or other protected level 1 data types, it is still important to maintain privacy while using Zoom; see additional Zoom privacy settings.

Key Benefits

The SDSU Zoom instance is HIPAA certified. However, to maintain the necessary compliance, users must be added to a Zoom group, which enforces specialized security features and settings by default. Users who currently need Zoom/HIPAA security and privacy safeguards (e.g., disabling auto-saving chats, disabling cloud recordings, disabling file transfers, and disabling remote control) should create an SDSU ServiceNow ticket to be added to the Zoom HIPAA group.

Additional Security Features and Settings

| Feature | Description | IT Security Office Recommendation | Reason | Implication |
|---|---|---|---|---|
| Device/User Information | Device/user logging and reporting information is removed. | Enabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Session data will not be stored. |
| Encrypted Chats | All chats and text messages will be encrypted. | Enabled | End-to-End Chat Encryption allows for a secured communication where only the intended recipient can read the secured message. | With end-to-end encrypted chat enabled, users can still send files, pictures, emojis, and screenshots. However, they will not be able to use the integrated GIPHY library, edit sent messages, or search chat message history. |
| Auto-Saving Chats | Automatically save all in-meeting chats so that hosts do not need to manually save the text of the chat after the meeting starts. | Disabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Chats can be saved manually before the meeting ends. |
| Cloud Recordings | Record meetings and automatically process and store them in the cloud. | Disabled | Required by Zoom. | Automatic transcripts and automatic recording upload are unavailable. |
| Require Encryption for 3rd Party Endpoints (H323/SIP) | Zoom requires encryption for all data between the Zoom cloud, Zoom client, and Zoom Room. Require encryption for 3rd party endpoints (H323/SIP). | Mandatory | Required by Zoom. | Participants may be unable to join meetings from SIP devices. |
| File Transfer | Hosts and participants can send files through the in-meeting chat. | Disabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Participants will not be able to share files during the in-meeting chat. |
| Identify Guest Participants in the Meeting/Webinar | Participants who belong to your account can see that a guest (someone who does not belong to your account) is participating in the meeting/webinar. | Mandatory | Improved awareness of who is currently in a meeting that may contain sensitive data. | Hosts and co-hosts can verify the person or entity seeking access. |
| Live Streaming the Meetings | Allow hosts to live stream their meetings to Workplace by Facebook or Custom Live Streaming Service. | Disabled | Prevent Restricted Use Data from being transmitted or stored in non-approved environments. | No live streaming would be available for Zoom HIPAA Meetings. |
| Play Sound When Participants Join or Leave | Sound will be heard by the host and attendees when participants join or leave. | Enabled | Improved awareness of who is currently in a meeting that may contain sensitive data. | Hosts and co-hosts can verify the person or entity seeking access. |
| Remote Control | During screen sharing, the person who is sharing can allow others to control the shared content. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | Hosts do not have the ability to take control of a participant’s screen and a participant cannot grant a host control of their screen. |
| Remote Support | Allow the meeting host to provide 1:1 remote support to another participant. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | Remote Support sessions are not enabled. |
| Far-End Camera Control | Allow another user to take control of your camera during a meeting. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | The host of the meeting is the only user that can request far end camera control. |
| Waiting Room | Guests cannot join a meeting until a host admits them individually from the waiting room. | Enabled | Prevent unknown guests from joining meetings that may contain sensitive data. | The option for attendees to join the meeting before the host arrives is disabled. |

Get Help

To request a service, create a ServiceNow Ticket and assign the ticket to “IT-ITSO-Help Desk”.

IT Security Office
Administration Building
https://it.sdsu.edu/get-help

Report an Incident

Please contact the Information Security team immediately if you experience or are aware of any of the following: