Zoom Meetings for HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. In terms of video conferencing, the solution and security architecture must, among other controls, provide end-to-end encryption and meeting access controls so data in transit cannot be intercepted
Who Should Use?
If you interact with the following types of data, you may need to use additional security features and settings:
- Protected Health Information (PHI) is any health information that can identify an individual, or is derived from identifiable information.
Although you may not interact with PHI or other protected level 1 data types, it is still important to maintain privacy while using Zoom, see additional Zoom privacy settings.
Key Benefits
The SDSU Zoom instance is HIPAA certified. However, to maintain the necessary, compliance must be added to a Zoom group, which enforces specialized security features and settings by default. Users who currently need Zoom/HIPAA security and privacy safeguards (e.g., disabling auto-saving chats, disabling cloud recordings, disabling file transfers, and disabling remote control) should create an SDSU ServiceNow ticket to be added to the Zoom HIPAA group.
additional security features and settings
| Feature | Description | IT Security Office Recommendation | Reason | Implication |
|---|---|---|---|---|
| Device/User Information | Device/user logging and reporting information is removed. | Enabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Session data will not be stored. |
| Encrypted Chats | All chats and text messages will be encrypted. | Enabled | End-to-End Chat Encryption allows for a secured communication where only the intended recipient can read the secured message. | With end-to-end encrypted chat enabled, users can still send files, pictures, emojis, and screenshots. However, they will not be able to use the integrated GIPHY library, edit sent messages, or search chat message history. |
| Auto-Saving Chats | Automatically save all in-meeting chats so that hosts do not need to manually save the text of the chat after the meeting starts. | Disabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Chats can be saved manually before the meeting ends. |
| Cloud Recordings | Record meetings and automatically process and store them in the cloud. | Disabled | Required by Zoom. | Automatic transcripts and automatic recording upload are unavailable. |
| Require Encryption for 3rd Party Endpoints (H323/SIP) | Zoom requires encryption for all data between the Zoom cloud, Zoom client, and Zoom Room. Require encryption for 3rd party endpoints (H323/SIP). | Mandatory | Required by Zoom. | Participants may be unable to join meetings from SIP devices. |
| File Transfer | Hosts and participants can send files through the in-meeting chat. | Disabled | Prevent data from being transmitted to or stored on a non-compliant endpoint or environment. | Participants will not be able to share files during the in-meeting chat |
| Identify Guest Participants in the Meeting/Webinar | Participants who belong to your account can see that a guest (someone who does not belong to your account) is participating in the meeting/webinar. | Mandatory | Improved awareness of who is currently in a meeting that may contain sensitive data. | Hosts and co-hosts can verify the person or entity seeking access. |
| Live Streaming the Meetings | Allow hosts to live stream their meetings to Workplace by Facebook or Custom Live Streaming Service. | Disabled | Prevent Restricted Use Data from being transmitted or stored in non-approved environments. | No live streaming would be available for Zoom HIPAA Meetings. |
| Play Sound When Participants Join or Leave | Sound will be heard by the host and attendees when participants join or leave. | Enabled | Improved awareness of who is currently in a meeting that may contain sensitive data. | Hosts and co-hosts can verify the person or entity seeking access. |
| Remote Control | During screen sharing, the person who is sharing can allow others to control the shared content. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | Hosts do not have the ability to take control of a participant’s screen and a participant cannot grant a host control of their screen. |
| Remote Support | Allow the meeting host to provide 1:1 remote support to another participant. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | Remote Support sessions are not enabled. |
| Far-End Camera Control | Allow another user to take control of your camera during a meeting. | Disabled | Prevent unauthorized access to endpoints with HIPAA or Restricted Use Data. | The host of the meeting is the only user that can request far end camera control. |
| Waiting Room | Guests cannot join a meeting until a host admits them individually from the waiting room. | Enabled | Prevent unknown guests from joining meetings that may contain sensitive data. | The option for attendees to join the meeting before the host arrives is disabled. |
Get Help
To request a service, create a ServiceNow Ticket and assign the ticket to “IT-ITSO-Help Desk”. Connect with us at [email protected] for security-related-questions, consulting, and incident reporting.
Report an Incident
Please contact the Information Security team immediately if you experience or are aware of any of the following: