Zoom HIPPA Information

Modified on Mon, 21 Mar 2022 at 10:11 PM

All Naropa Zoom accounts are HIPPA compliant

Zoom HIPPA Information:

-- Zoom has made numerous enhancements to the platform to better serve our customers who need a HIPAA-compliant environment. In particular, the platform has been updated to enable Users to store PHI in the Zoom environment. This new feature will allow users to record and store videos through Zoom. Under the new BAA, Zoom Phone is also HIPAA compliant.

-- Zoom now has a 3rd-party attestation that the platform is HIPAA compliant: Zoom’s HIPAA Attestation means a third party reviewed and affirmed that Zoom implements the controls needed to secure protected health information (PHI) according to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Breach Notification Rule, and the applicable parts of the Privacy Rule.

-- Zoom now has a BAA in place with our cloud storage provider so customer recordings stored in the cloud are stored in a HIPAA-compliant environment.

Of course, our customers have some responsibility for security, too - but most of our customers are familiar with these best practices, such as customers are responsible for the security of the workstations and systems used to generate, process, and store ePHI within their information systems. Customers are responsible for understanding if ePHI will be introduced to the Zoom environment, and to classify and maintain that data appropriately. For example: something a customer should NOT do is include PHI in a support ticket that they send to Zoom.

More information here:

https://support.zoom.us/hc/en-us/articles/207652183-HIPAA-Business-Associate-Agreement-BAA-

https://blog.zoom.us/zoom-features-for-healthcare-hipaa/

Customer Responsibilities: Complementary customer controls are not required, or significant, to achieve the service commitments and system requirements based on the applicable trust services criteria. Zoom recommends that customers maintain the following responsibilities to derive the intended benefits of the services Zoom provides. Your Users probably already use many of these features as their default settings.

1. Use Waiting Rooms: Users can enable a virtual staging area that prevents people from joining a meeting until the host is ready. Meeting host(s) can then admit people in the Waiting Room individually or all at once. This reduces the risk of unauthorized participant(s) from joining the meeting.

2. Lock Your Meetings: After all of your participants have joined your meeting, use the Lock Meeting feature to prevent any other participants from joining the meeting.

3. Control Chat and Screen Sharing: Under the “Allow Participants to:” section, you can enable or disable participants’ ability to use the chat function and share their screens.

4. Remove Participants: If an unauthorized user(s) joined your meeting, you can use the Remove Participant feature, which will remove the user from the meeting and prevent them from re-joining the meeting.

5. Use Two-Factor Authentication: Zoom’s Two-Factor Authentication is a secure way to validate users and protect against security breaches. Users can use authentication apps that support Time-Based One-Time Password protocol (such as Google Authenticator, and FreeOTP), or have Zoom send a code via SMS or phone call as the second factor for the account authentication process.

6. Data Minimization: Limit the transmission of ePHI to only the minimum necessary.

7. Encryption: In certain cases, such as the use of end-to-end encryption capabilities, the customer is required to enable those advanced security features.