Is Zoom HIPAA Compliant? BAA Requirements and Telehealth Setup for 2026
Is Zoom HIPAA compliant? Conditionally, yes. Zoom can be used in a HIPAA-compliant manner, but only if you are on a qualifying paid plan, have a signed Business Associate Agreement (BAA) in place, and configure the platform with specific security settings enabled. Without all three of those conditions met, using Zoom for telehealth or any communication involving protected health information (PHI) violates HIPAA. This article, current as of July 2026, provides the exact steps healthcare organizations need to follow.
TL;DR
- Zoom offers a signed BAA, but only on Zoom Workplace Business, Enterprise, or the dedicated Zoom for Healthcare plan; the free and Pro tiers do not qualify.
- A signed BAA alone does not make your Zoom use compliant; you must also disable specific features (such as cloud recording without encryption controls, third-party AI companions, and live transcription storage) that could expose PHI.
- HHS OCR online tracking guidance applies to any Zoom integration with your website, meaning embedded scheduling widgets or Zoom-linked pixels can create PHI exposure if tracking tools fire on those pages.
- Zoom for Healthcare includes additional features like waiting rooms with custom branding, EHR integrations, and granular admin controls that simplify compliance compared to the general business plans.
- If you run paid advertising that drives patients to Zoom-based telehealth appointments, your tracking and analytics layer (not just Zoom itself) must be HIPAA compliant.
What Zoom Does With Patient Data
Zoom processes several categories of data during a telehealth session: audio and video streams, chat messages, files shared in-session, meeting metadata (participant names, email addresses, join/leave times, IP addresses), and any recordings stored in Zoom's cloud. Under a signed BAA, Zoom agrees to treat this data as PHI and applies administrative, technical, and physical safeguards as required by the HIPAA Security Rule.
However, Zoom also operates features that sit outside the BAA's scope. Zoom's AI Companion, third-party app marketplace integrations, and certain analytics dashboards may process data in ways that are not covered by the BAA. The critical distinction is this: the BAA covers the core Zoom Meetings (and Zoom Phone, if included) service, but not every adjacent feature within the platform.
BAA Availability and Plan Requirements
Zoom makes its BAA available on the following plans (confirm current terms with the vendor, as plan names and bundling can shift):
- Zoom Workplace Business (formerly Zoom Business)
- Zoom Workplace Enterprise
- Zoom for Healthcare (a vertically packaged plan with pre-configured compliance settings)
The BAA is not available on the free Basic plan or the Pro plan. If your practice is currently on a Pro subscription, you do not have BAA coverage regardless of how carefully you configure settings.
To request the BAA, account administrators typically initiate the process through the Zoom admin portal or by contacting Zoom's sales team. The BAA is a clickthrough agreement on qualifying plans, meaning it does not require custom legal negotiation in most cases. Keep a signed copy in your compliance records alongside your other vendor BAAs.
As outlined in our guide on why a BAA alone is no longer enough under updated HIPAA Security Rule requirements for marketing vendors, the BAA is a necessary but insufficient condition. You remain responsible for configuring the tool correctly and verifying that the vendor's technical controls meet the Security Rule's implementation specifications.
Zoom Telehealth HIPAA Settings: What to Enable and Disable
Once you have the BAA signed, you need to configure your Zoom account at the admin level. These settings apply to all users under your organization's account.
Settings to Enable
- End-to-end encryption (E2EE) for meetings: Available on BAA-eligible plans. Enable this for all telehealth sessions. Note that E2EE disables some features like cloud recording and breakout rooms; plan workflows accordingly.
- Waiting rooms: Prevents patients from entering a session before the provider is ready, reducing the risk of unauthorized access.
- Meeting passcodes: Require passcodes for all meetings, not just scheduled ones.
- Authenticated users only: Restrict meeting joins to users who are signed in to a Zoom account within your organization's domain (for provider-side access).
- AES-256 encryption in transit: This is on by default for BAA accounts, but verify it in the Security section of your admin dashboard.
- Automatic session timeouts: Configure idle timeout settings to end unattended sessions.
Settings to Disable or Restrict
- Cloud recording (unless encrypted and access-controlled): If you must record sessions, restrict access to recordings to authorized users only, enable password protection on recordings, and disable the "share recording via link" feature. Better yet, store recordings in your own HIPAA-compliant storage rather than Zoom's cloud.
- AI Companion and smart meeting summaries: Zoom's AI features process meeting content through models that may not be covered by your BAA. Disable these at the admin level for all healthcare-related meetings.
- Third-party integrations and apps: Disable the ability for users to install Zoom Marketplace apps that have not been individually vetted for HIPAA compliance.
- Live transcription saving: If transcription is enabled for accessibility, ensure transcripts are not stored in locations outside your BAA-covered environment.
- Attention tracking: This feature has been deprecated but if any legacy setting exists, disable it.
- File transfer in chat: Restrict or disable in-meeting file transfer to prevent PHI from being shared through an uncontrolled channel.
HHS OCR Guidance and Telehealth Platforms
The HHS Office for Civil Rights issued guidance in December 2022 (updated in 2023) clarifying that online tracking technologies on healthcare websites and apps can create impermissible PHI disclosures. While that guidance focused primarily on website pixels and cookies, its principles extend to any technology that transmits identifiable health information to third parties without proper authorization.
For Zoom specifically, this means: if your website embeds a Zoom scheduling widget, and that page also fires Meta Pixel, Google Analytics, or other tracking scripts, the combination of a patient's identity (via login or form fill) with the context of a healthcare appointment constitutes PHI under OCR's interpretation. The scheduling page itself becomes a compliance risk point.
This is where many telehealth practices fail. They correctly configure Zoom itself, but neglect the tracking layer surrounding it. A patient who clicks a Facebook ad for therapy services, lands on a page with a "Book Zoom Appointment" button, and has their visit tracked by Meta's pixel has had their PHI disclosed to Meta without authorization.
For practices running digital advertising, the tracking and analytics infrastructure matters as much as the telehealth platform. Our detailed walkthrough on HIPAA-compliant Google Tag Manager setup covers how to structure server-side containers that prevent PHI leakage on healthcare pages, including appointment scheduling flows.
Telehealth Advertising and Tracking Compliance
Many telehealth providers use paid media (Google Ads, Meta, Microsoft Advertising) to acquire patients. The conversion tracking required to optimize these campaigns creates a separate compliance obligation from the Zoom configuration itself.
If a patient converts by booking a Zoom telehealth appointment, and your conversion pixel fires on the confirmation page, you are transmitting data to an ad platform that links an individual's identity to a healthcare service. Under the HIPAA Privacy Rule and OCR's tracking guidance, this is a disclosure of PHI to a non-business-associate third party.
Practices advertising telehealth services, particularly in sensitive specialties like mental health, addiction treatment, or reproductive health, face heightened scrutiny. The FTC's enforcement actions against BetterHelp and GoodRx demonstrated that even companies not traditionally classified as HIPAA-covered entities face consequences for sharing health-related data with advertising platforms. For covered entities (providers, health plans), the risk is both an HHS OCR enforcement action and state-level liability under laws like Washington's My Health My Data Act (MHMDA).
If you are a med spa or aesthetic practice advertising telehealth consultations, our guide on HIPAA-compliant Facebook advertising for med spas covers campaign structures that avoid these pitfalls. For broader Meta advertising compliance, see our breakdown of 2026 Meta restrictions for medical spas.
Safe-Use Checklist for Zoom Telehealth
Before Your First Patient Session
- Confirm you are on Zoom Workplace Business, Enterprise, or Zoom for Healthcare plan.
- Execute the BAA through your Zoom admin portal and store a copy in your compliance documentation.
- Disable AI Companion, third-party marketplace apps, and cloud recording sharing links at the admin level.
- Enable end-to-end encryption, waiting rooms, meeting passcodes, and authenticated-user requirements.
- Train all staff on proper meeting invitation procedures (never include PHI in meeting titles or calendar descriptions sent via non-encrypted channels).
- Audit your website's tracking scripts on any page that links to or schedules Zoom appointments.
- Implement a HIPAA-compliant consent management platform on pages where patients interact with scheduling or telehealth tools. Our comparison of the best HIPAA-compliant CMPs for healthcare marketers can help you choose one.
- Document your Zoom configuration in your HIPAA Security Risk Assessment.
- Establish a breach notification procedure that accounts for Zoom-related incidents (unauthorized meeting access, recording exposure).
Ongoing Maintenance
- Review Zoom's product updates quarterly; new features enabled by default may introduce compliance gaps.
- Re-verify BAA coverage annually and after any plan changes.
- Monitor access logs in the Zoom admin dashboard for anomalous join patterns.
- Conduct periodic audits of recording storage and access permissions.
Compliant Alternatives and Adjacent Tools
Zoom is not the only telehealth-capable platform that offers a BAA. Others in this category include Doxy.me (purpose-built for telehealth), Microsoft Teams (with a signed BAA on qualifying Microsoft 365 plans), and Google Meet (on Google Workspace plans with a BAA). Each has its own configuration requirements, and the same principle applies: a BAA plus correct settings equals conditional compliance.
For the tracking and analytics layer that surrounds your telehealth practice (conversion tracking, website analytics, session replay, form analytics), a separate compliance solution is required. Standard tools like Google Analytics 4 and Meta Pixel are not HIPAA compliant even if you sign a BAA for your telehealth platform, because those tracking tools operate independently and transmit data to third parties without BAA coverage.
Curve (curvecompliance.com) is a HIPAA-compliant tracking and analytics platform built for healthcare marketers. It provides a signed BAA, strips PHI before data leaves your environment, and delivers conversion signals to Google, Meta, and Microsoft through server-side connections that do not expose patient identity. If you run paid media campaigns that drive patients to Zoom-based telehealth appointments, Curve handles the measurement layer so you can optimize campaigns without creating PHI disclosures. It also includes session replay, form analytics, and consent management designed specifically for healthcare websites.
Frequently Asked Questions
Can I use the free version of Zoom for telehealth?
No. The free Zoom Basic plan does not include a Business Associate Agreement, which is required under HIPAA before any vendor can process PHI on your behalf. Using the free plan for telehealth sessions exposes your practice to enforcement risk from HHS OCR. You need at minimum the Zoom Workplace Business plan or the dedicated Zoom for Healthcare plan.
Does signing Zoom's BAA automatically make all my Zoom usage compliant?
No. The BAA establishes Zoom's legal obligations as a business associate, but compliance also requires you to configure the platform correctly (disabling AI features, restricting recordings, enabling encryption) and to train your workforce. A BAA without proper configuration is a legal agreement protecting a non-compliant environment, which will not shield you in an OCR investigation.
Is Zoom's AI Companion covered under the healthcare BAA?
As of mid-2026, Zoom's AI Companion features are generally not covered under the standard healthcare BAA. These features process meeting content through AI models in ways that may not meet HIPAA Security Rule requirements. Disable AI Companion at the admin level for all accounts that handle patient communications. Confirm current coverage status directly with Zoom, as this may change with future product updates.
What happens if a patient joins a Zoom meeting without a passcode or waiting room?
If unauthorized individuals can access a meeting containing PHI, this may constitute a security incident or breach under HIPAA. You would need to conduct a four-factor risk assessment to determine if notification is required. Enabling passcodes and waiting rooms by default prevents this scenario and is a baseline configuration requirement for compliant telehealth use.
Do I need separate compliance for my website's Zoom booking page?
Yes. Your website's booking or scheduling page is a separate compliance surface. If tracking pixels (Meta, Google, TikTok) fire on that page, they may capture PHI by associating a visitor's identity with the intent to receive healthcare services. You need either a HIPAA-compliant analytics platform that prevents PHI transmission, or you must remove all third-party tracking from those pages entirely.
Can I record telehealth sessions on Zoom and remain HIPAA compliant?
Yes, but with strict controls. Recordings must be encrypted, stored in access-controlled environments, protected by unique passwords, and accessible only to authorized workforce members. Disable public sharing links for all recordings. Many compliance officers recommend storing recordings in your own HIPAA-compliant cloud storage (such as an encrypted S3 bucket or compliant EHR-linked system) rather than relying on Zoom's built-in cloud storage, though Zoom's cloud is covered under the BAA if properly configured.
Keep exploring
Related articles
Dental Practice Facebook Ads After Meta 2026 Restrictions: What DSOs and Solo Dentists Can Still Do
Read articleCompounded Semaglutide Advertising Rules: What Clinics Can and Cannot Claim in 2026
Read articleHealthcare Marketing BAA Requirements: When Your Vendors Need Business Associate Agreements
Read articleStay Compliant. Scale Confidently.
Join healthcare innovators who trust Curve for HIPAA-compliant ad tracking.Launch in hours, not months. Your growth stack, now HIPAA-safe.