Is Zoom HIPAA Compliant? What Medical Practices Need to Know
TLDR
Yes, Zoom can be HIPAA compliant, but only on a Business Plus or Enterprise plan, and only after you explicitly request and sign a BAA. Free, Pro, and standard Business plans offer no BAA and must not be used for protected health information. Even a fully configured HIPAA-compliant Zoom account covers only the video calls; the tasks, follow-ups, and action items that come out of those calls still need a separate HIPAA-compliant tool.
The Short Answer
Zoom can be HIPAA compliant, but the conditions are specific. You need a Business Plus or Enterprise plan — the free, Pro, and standard Business tiers are not eligible for a BAA. And upgrading your plan alone is not enough: you have to explicitly contact Zoom and request a signed Business Associate Agreement before using the platform for any visit that involves protected health information.
That is a meaningful distinction. A practice that upgrades to Business Plus but never signs a BAA is still out of compliance, even though it is paying for a tier that supports one.
What Zoom Covers (and Doesn’t) for HIPAA
A properly configured HIPAA-compliant Zoom account covers video calls. That’s the core function, and it does it well. Telehealth visits, consultations with specialists, and internal case discussions — those are the use cases Zoom’s BAA addresses.
What it does not cover is everything that happens before and after the call.
Before a visit: coordinating intake tasks, assigning staff responsibilities, tracking which forms have been completed. After a visit: follow-up action items, care coordination tasks, referral tracking. Zoom has no task management layer. The BAA Zoom signs covers the call itself; it says nothing about a task list you’re running in Asana or a patient note someone left in a Google Doc.
Cloud recording adds another layer of complexity. If you record telehealth visits, those recordings (and any automatic transcripts) contain PHI. Where they are stored, who can access them, and how long they are retained all fall under the HIPAA Security Rule, and Zoom's default recording settings may not satisfy those requirements without additional configuration on your end.
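One way to make "check your recording settings" concrete is to pull the account settings once and evaluate them against a written policy instead of clicking through the admin console. The script below is an added example for this article, not code from the original page and not Zoom's own tooling. It assumes the settings document mirrors the "recording" object returned by Zoom's account settings API (GET /accounts/{accountId}/settings); the field names used (auto_recording, cloud_recording, local_recording, recording_audio_transcript, auto_delete_cmr, auto_delete_cmr_days, required_password_for_shared_cloud_recordings) should be verified against the current Zoom API reference before you rely on them. The two sample documents are constructed for the example, and the retention threshold is an assumption to replace with your own retention schedule.

```python
"""Audit the recording settings of a Zoom account against a HIPAA-oriented policy.

Added example for this article; not the article's or Zoom's own code.
ASSUMPTION: the settings document mirrors the "recording" object returned by
Zoom's account settings API (GET /accounts/{accountId}/settings). Field names
are taken from that API as we understand it and should be verified against the
current Zoom API reference before use. No network calls are made here; the
sample documents below are constructed for the example.
"""
import json

# Constructed sample: an account upgraded to a BAA-eligible tier but left on
# defaults. Cloud recording and transcription are on, with no retention limit.
UNHARDENED_JSON = """
{
  "recording": {
    "local_recording": true,
    "cloud_recording": true,
    "auto_recording": "cloud",
    "recording_audio_transcript": true,
    "auto_delete_cmr": false,
    "auto_delete_cmr_days": 30,
    "required_password_for_shared_cloud_recordings": false
  }
}
"""

# Constructed sample: the same account after configuration. Cloud recording is
# still allowed (some practices need it), but only with bounded retention and
# passcode-protected sharing; nothing is recorded or transcribed automatically.
HARDENED_JSON = """
{
  "recording": {
    "local_recording": false,
    "cloud_recording": true,
    "auto_recording": "none",
    "recording_audio_transcript": false,
    "auto_delete_cmr": true,
    "auto_delete_cmr_days": 30,
    "required_password_for_shared_cloud_recordings": true
  }
}
"""

# ASSUMPTION: illustrative threshold; set it from your own retention schedule.
MAX_RETENTION_DAYS = 30


def _get(doc: dict, path: str):
    """Return the value at a dotted path, or None if any segment is missing."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_recording_settings(doc: dict) -> list[str]:
    """Return one finding per policy violation; an empty list means the policy holds."""
    rec = "recording."
    findings = []

    if _get(doc, rec + "auto_recording") not in (None, "none"):
        findings.append("auto_recording: every visit is recorded by default, "
                        "so every visit becomes stored PHI")

    if _get(doc, rec + "recording_audio_transcript") is True:
        findings.append("recording_audio_transcript: automatic transcripts are PHI "
                        "stored alongside the recording")

    if _get(doc, rec + "local_recording") is True:
        findings.append("local_recording: recordings can land on staff laptops "
                        "outside the BAA-covered service")

    if _get(doc, rec + "cloud_recording") is True:
        # Cloud storage of PHI is acceptable only with bounded retention and
        # passcode-protected sharing links.
        if _get(doc, rec + "auto_delete_cmr") is not True:
            findings.append("auto_delete_cmr: cloud recordings are kept indefinitely")
        else:
            days = _get(doc, rec + "auto_delete_cmr_days")
            if not isinstance(days, int) or days > MAX_RETENTION_DAYS:
                findings.append(f"auto_delete_cmr_days={days!r}: retention exceeds "
                                f"{MAX_RETENTION_DAYS} days")
        if _get(doc, rec + "required_password_for_shared_cloud_recordings") is not True:
            findings.append("required_password_for_shared_cloud_recordings: shared "
                            "recording links open without a passcode")

    return findings


def audit_json(text: str) -> list[str]:
    """Convenience wrapper for a raw API response body."""
    return audit_recording_settings(json.loads(text))


if __name__ == "__main__":
    for label, text in (("unhardened", UNHARDENED_JSON), ("hardened", HARDENED_JSON)):
        found = audit_json(text)
        print(f"{label}: {len(found)} finding(s)")
        for finding in found:
            print("  -", finding)
```

Run against the unhardened sample it reports five findings; the hardened sample passes cleanly. In practice you would feed it the JSON body returned by the account settings endpoint, keep the policy under version control alongside your BAA inventory, and rerun it whenever Zoom changes defaults or an admin touches the recording settings.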
The PHI Risk in Practice
Consider a typical morning in a small clinic. The provider finishes a telehealth visit on Zoom Business Plus with a signed BAA. Fine. Then the front desk coordinator creates a follow-up task in a shared Asana workspace: “Patient Martinez — confirm cardiology referral by Thursday.” That task is PHI. If Asana isn’t covered by a BAA, the practice just created a compliance gap, regardless of what Zoom is configured to do.
This is the fragmentation problem. A HIPAA-compliant video platform doesn’t make the rest of your operations compliant. A patient’s name in a task title, a lab result attached to a comment, a staff member forwarding action items to a personal email — any of those can be a violation, and none of them involve Zoom.
What Small Practices Actually Need
For video calls: Zoom Business Plus with a signed BAA is a reasonable option, particularly if your practice already uses Zoom and your staff is familiar with it. The per-user cost at approximately $20.83/user/month (billed annually) is manageable if you’re only licensing it for providers rather than all staff.
For everything else — task assignment, follow-up tracking, compliance documentation — you need a separate tool with its own BAA. That’s where the compliance picture for most small practices breaks down. They solve the video call problem and assume they’re done.
We built PHIGuard because that gap is where violations actually happen. The telehealth call gets covered; the twenty tasks surrounding it do not. PHIGuard starts at $20/month flat for up to 10 staff with a BAA included at every tier, no per-user fees.
Who Should Use Zoom for HIPAA / Who Should Look Elsewhere
Zoom Business Plus makes sense for practices that conduct telehealth visits regularly, have IT staff or a compliance officer who can manage BAA procurement and recording configuration, and want to stick with a platform their providers already know.
Once your practice has more than a handful of users, Zoom's per-user pricing adds up fast. A five-provider, ten-staff practice that licenses Business Plus for all 15 people is looking at roughly $3,750 per year (15 × $250) for video conferencing alone, before it addresses task management. Licensing only the providers who actually run visits is the usual way to contain that cost.
If you’re a small practice trying to get HIPAA-compliant operations sorted without a dedicated IT person, the two-platform gap (video plus task management, each with its own BAA, each with its own configuration requirements) is a real administrative burden. Building a checklist of what each BAA actually covers, and confirming your full operation is enclosed within those agreements, takes time that most practice administrators don’t have to spare.
Definitions
- Business Associate Agreement (BAA): A contract required under HIPAA between a covered entity (your practice) and any vendor that creates, receives, maintains, or transmits protected health information on its behalf.
- Telehealth: The delivery of healthcare services via telecommunications technology, including video conferencing. HIPAA applies to telehealth exactly as it does to in-person care; any PHI exchanged during a video visit must be handled on a platform covered by a signed BAA.
Q&A

Is Zoom HIPAA compliant?
Zoom is HIPAA compliant on the Business Plus (approximately $20.83/user/month billed annually) and Enterprise plans only, and only after a BAA has been explicitly requested and signed. Free, Pro, and standard Business plans come with no BAA, so using them with protected health information violates HIPAA's business associate requirement.
What changes when Zoom is used in HIPAA mode?
HIPAA-configured Zoom accounts may have restrictions on cloud recording, automated transcription, and certain third-party app integrations. Any recording or transcript file you do keep contains PHI and must be stored, access-controlled, and retained in a HIPAA-compliant manner rather than left on Zoom's default settings.
What is a cheaper HIPAA-compliant alternative to Zoom for practice task management?
Zoom covers video calls; it does not replace task management. PHIGuard starts at $20/month flat for up to 10 staff with a BAA at every tier, covering the task tracking and compliance documentation that sits alongside your Zoom calls.