Is Zoom a HIPAA Compliant Telehealth Software?
According to the Families First Coronavirus Response Act, passed on March 18th, 2020, Congress requires payers to cover telehealth visits (with health care providers) that relate to COVID-19 testing, treatment, and consultations during the public health emergency. Reimbursement for telehealth solutions during this time is being provided for all patients, not only those with Medicare. During the COVID-19 pandemic, many healthcare professionals are scrambling to find easy-to-use video conferencing platforms such as Zoom.
HHS has created new guidelines on HIPAA requirements and modified HIPAA’s Privacy Rule, which stated that healthcare organizations must use only secure methods of communication for telehealth visits. The Office for Civil Rights said that videoconferencing services normally not permitted under HIPAA may now be used by healthcare professionals for the good faith provision of telehealth solutions. This change in policy allows video conferencing platforms such as Zoom to be used during this time of crisis.
The coronavirus pandemic has resulted in an increase in healthcare organizations leveraging video conferencing apps. In the past month, Zoom has become one of the most popular choices for teleconferencing, registering a 535% increase in traffic. Zoom has previously maintained that it provides a HIPAA compliant telehealth software: Zoom for Telehealth. This service claims to incorporate access and authentication controls and HIPAA compliant messaging secured with end-to-end encryption, and Zoom has signed a HIPAA Business Associate Agreement (BAA).
During the last few weeks, there have been several security concerns surrounding Zoom. It has been reported that the company does not have the end-to-end encryption it previously claimed. This discovery makes Zoom decidedly NOT HIPAA compliant.
If healthcare providers want to ensure that patient privacy is respected, they should reconsider the use of Zoom as a HIPAA compliant telehealth software. Aside from the lack of end-to-end encryption, additional security concerns include videoconference hijacking, user data being shared with third parties such as Facebook, and lapses in security that make Zoom vulnerable to cybercriminals and malware. While Zoom is willing to sign a BAA, which is a crucial step towards achieving HIPAA compliance, there are too many security issues preventing HIPAA compliance. Until these issues are fully resolved, we do not recommend Zoom as a HIPAA compliant telehealth software.