Zoom HCC Disclaimer

When using Zoom, you may discuss sensitive data, including personal health information (PHI). Zoom is a secure tool, but you must use it appropriately to ensure HIPAA compliance.

Secure Your Space Before Your Meeting

Unless the situation requires it, you should always prepare your space to prevent the exposure of sensitive information.

BEFORE your meeting:

  • Check the area around you for visible PHI. This could include documents on your desk or items behind you.
  • Ensure your online meeting takes place in a secure area where other people cannot overhear you discuss PHI.
  • Close all other computer windows before you begin your meeting so that only the window you want to share is visible.

PHI can be recorded when necessary, but use caution

Recently, Zoom Cloud Recording was approved for use within the Health Care Component (HCC). As a result, you may utilize Zoom to record PHI in situations that require it, but it is not recommended.

Zoom is a temporary storage solution and you should observe all standard best practices around the recording and storage of PHI. We recommend Box Secure Storage as the preferred method of retention for recordings containing PHI.

If you have questions about whether or not you can record a meeting, email the Health Information Compliance & Privacy Office at [email protected]

Interactive tools must not transmit PHI unless the situation requires it

You have access to various tools in Zoom’s online meetings and webinars:

  • Chat
  • Polls
  • Screensharing and annotation
  • Question and Answer tools
  • Reactions
  • Recording
  • Breakout Rooms

While these tools make meetings and webinars more interactive for your participants, they must not be used to transmit PHI unless the situation requires it.

Be aware of who is in your meeting

Inviting people to your Zoom meeting is as easy as sharing a link. Always be aware of who is in your meetings by reviewing the list of participants.

Schedule Zoom meetings without PHI

Zoom and Google Calendar make scheduling online meetings easy, but don’t forget to check for PHI. Review meeting titles and descriptions and verify that they don’t contain PHI (remember, even initials of patient or participant names are PHI!).

If you have a specific situation that isn’t covered here, or if you need some guidance, please reach out to us at [email protected].

Mitigating factors and controls

Learn more about features that are unavailable or have been modified to help you mitigate risks surrounding the potential exposure of PHI.