Zoom’s popular video conferencing under scrutiny for privacy reasons. Is it still HIPAA-compliant?
Zoom’s video chat service has exploded in popularity in the wake of the social distancing and infection mitigation measures necessitated by COVID-19. It supports multiple users, is easily shareable, and is generally reliable as a service. It is also one of the few providers that devote significant marketing to the healthcare space, advertising, for a fee, a HIPAA-compliant service with a business associate agreement (BAA) included. But with increased attention comes increased scrutiny of Zoom’s claims of privacy and security.
A 3/31/20 report in The Intercept revealed that Zoom has misleadingly marketed its video service as supporting end-to-end encryption, which, had Zoom’s claim been true, would have been a clear win for users needing airtight security (such as those handling PHI). The report revealed that Zoom’s video chat service only supports TLS encryption, despite marketing materials clearly stating otherwise. After Zoom initially defended its unique definition of “end-to-end” encryption, a follow-up in The Guardian indicated that Zoom later conceded and “apologized” for the “confusion.” As of this writing, Zoom still hosts a whitepaper, “HIPAA Compliance Guide,” that states its videoconferencing services support end-to-end encryption (E2EE). It is unclear what changes may be made to that document in the near future.
Is Zoom HIPAA-Compliant?
In light of recent revelations, clinicians and health researchers now must ponder whether Zoom (or a variety of other video conferencing providers, for that matter) remains HIPAA-compliant even though it does not support E2EE. Based on what is currently known, Zoom’s service can still be HIPAA-compliant, but that depends on how the service is used. As we recently explained, a HIPAA-compliant videoconferencing service has two major requirements:
- sufficient means of ensuring secure communication (e.g., encryption in transit), and
- an executed BAA.
So then, is Zoom’s encryption sufficient for HIPAA compliance?
Basics: Ensuring Zoom’s Encryption Feature is Enabled
Zoom states that its encryption functionality is enabled by default for video meetings. In the desktop application, a green lock icon appears in the upper left-hand corner when an encrypted connection is established. Hovering over the icon reveals a tool tip that confirms, “Your client connection is encrypted.” See the screenshot below:
Thus, to ensure that communications are protected by TLS, users must verify that encryption is actually enabled. If it is not, there is a very strong argument that use of the service is not HIPAA-compliant.
E2EE Versus TLS Encryption: What’s the Difference?
The Intercept piece provides a good explanation of why falsely advertising E2EE is such a big deal as a general principle. The main problem lies in the possibility of non-user access to users’ communications. True E2EE is the strongest arrangement: in principle, no one other than the persons communicating can ever decipher the communication, even if it were intercepted in transit. TLS, on the other hand, works differently in a way that can give the service provider access to the conversation. In the case of Zoom, the video feed from a user to Zoom’s servers is encrypted with TLS (as indicated above). Zoom receives that feed and, in theory, has access to the information. Zoom then encrypts the video feed again via TLS as it is distributed to the other intended users in the conversation. Thus, while the Zoom encryption feature is enabled, it is very unlikely that the feed could be intercepted by an outside party who is neither an intended user nor Zoom; however, Zoom itself could theoretically access the video feed. That is where the BAA becomes essential for compliance.
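To make the distinction concrete, the following is an added illustration (not Zoom’s code or protocol): a Python model of a relay sitting between two participants, using an HMAC-SHA256 keystream as a stand-in cipher for both the TLS hops and the end-to-end layer, with all keys and the sample frame constructed for the example.

```python
"""Model of why hop-by-hop TLS lets the relay (the service's server) read
the stream while end-to-end encryption does not. Added illustration, not
Zoom code: the cipher is an HMAC-SHA256 keystream standing in for a real
TLS or E2EE record layer; all keys and the sample frame are constructed."""
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce||counter)
    blocks. XOR is its own inverse, so one call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def hop_by_hop_relay(frame):
    """TLS-only model: Alice<->relay and relay<->Bob are separate sessions,
    each keyed between an endpoint and the relay, so the relay holds the keys
    needed to recover the plaintext before re-encrypting it for Bob."""
    k_alice_relay, k_relay_bob, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    wire_1 = keystream_xor(k_alice_relay, nonce, frame)      # Alice -> relay
    at_relay = keystream_xor(k_alice_relay, nonce, wire_1)   # relay terminates TLS
    wire_2 = keystream_xor(k_relay_bob, nonce, at_relay)     # relay -> Bob
    at_bob = keystream_xor(k_relay_bob, nonce, wire_2)
    return {"relay_sees": at_relay, "bob_sees": at_bob}


def end_to_end_relay(frame):
    """E2EE model: a content key shared only by Alice and Bob is applied first;
    the TLS hops still exist but only wrap ciphertext, so terminating TLS at
    the relay yields ciphertext rather than the frame."""
    k_content = os.urandom(32)   # never given to the relay
    k_alice_relay, k_relay_bob, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    inner = keystream_xor(k_content, nonce, frame)
    wire_1 = keystream_xor(k_alice_relay, nonce, inner)
    at_relay = keystream_xor(k_alice_relay, nonce, wire_1)   # still ciphertext
    wire_2 = keystream_xor(k_relay_bob, nonce, at_relay)
    at_bob = keystream_xor(k_content, nonce, keystream_xor(k_relay_bob, nonce, wire_2))
    return {"relay_sees": at_relay, "bob_sees": at_bob}


if __name__ == "__main__":
    sample = b"constructed sample frame: patient discussion"
    print("TLS-only relay reads frame:", hop_by_hop_relay(sample)["relay_sees"] == sample)
    print("E2EE relay reads frame:   ", end_to_end_relay(sample)["relay_sees"] == sample)
```

In the TLS-only model the relay’s view equals the frame, which is exactly the access the BAA must contractually restrict; in the E2EE model the relay sees only ciphertext while Bob still recovers the frame.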
Importantly, the Department of Health and Human Services has issued guidance on the use of TLS encryption specifically. That guidance provides,
Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
The NIST Special Publication 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, further states,
Transport Layer Security (TLS) protocols are used to secure communications in a wide variety of online transactions, such as financial transactions (e.g., banking, trading stocks, e-commerce), healthcare transactions (e.g., viewing medical records or scheduling medical appointments), and social transactions (e.g., email or social networking). Any network service that handles sensitive or valuable data, whether it is personally identifiable information (PII), financial data, or login information, needs to adequately protect that data. TLS provides a protected channel for sending data between a server and a client.
Thus, Zoom’s use of TLS encryption (absent major misstatements of fact or flaws in its implementation) is an accepted method of securing communications for purposes of compliance with HIPAA.
Zoom states that healthcare clients who pay $200 for its healthcare-focused service gain access to the BAA. Its marketing further states,
“Once a BAA is signed with Zoom, the following will be enacted on your Zoom account:”
1. The setting Require Encryption for 3rd Party Endpoints (H323/SIP) will be enabled for all members of your account
2. Cloud Recording will be disabled.
3. Remove device/user information in logging and reporting.
Source: https://support.zoom.us/hc/en-us/articles/207652183-HIPAA-Business-Associate-Agreement-BAA-
Unfortunately, Zoom’s BAA is not publicly available. The critical component of the BAA must be a provision ensuring that the service provider will not access or use the PHI (the video feed, if PHI is discussed) for anything other than permitted purposes. Thus, if Zoom were to access the information for its own marketing purposes, that would be a clear violation of the BAA and would render the service non-compliant. Have your legal counsel review any BAA in the context of your operations, your use and handling of PHI, and the manner in which you intend to use the videoconferencing service.
- Know – If you use Zoom or any other videoconferencing service to discuss PHI, ensure that you understand the methods it uses to secure information in transit.
- Zoom can still be HIPAA-compliant if 1) encryption features are enabled and 2) a signed BAA is executed with the video conferencing provider.
- Enable Encryption – Make sure that encryption features are enabled. In Zoom, look for a green lock and tool tip that confirms encryption is enabled. Always set a meeting password.
- Good enough – End-to-end encryption is best, but TLS is acceptable and HIPAA-compliant according to DHHS.
- Double Check the BAA – Ensure the BAA provides that the only purposes for accessing the video feed are for ensuring the availability of the service and for the healthcare operations of the end-users.
Copyright 2020 Bush Health Law PLLC. All rights reserved.
This writing is for general reference and is not intended, by itself, to create an attorney-client relationship or offer legal, accounting, or other professional advice.