Zoom Privacy and Security
Zoom and Privacy
The ability to maintain privacy and protect user data is a top priority for any conferencing solution. Zoom's Privacy Policy is posted online and stresses Zoom's commitment to collect and utilize only such information as will be needed to provide the service, and to never sell that data to third-party vendors.
Some of the information collected and stored by Zoom, such as your job title or departmental affiliation, has to be entered manually by you in your Account Profile, but you can just as easily choose to leave these fields blank and still have access to the service for all your needs.
VCU Zoom versus "Personal" Zoom
The Privacy Policy linked above outlines the protections extended to users who acquire an account directly from the Zoom company website, but users on the VCU Zoom account are granted additional protections. You are strongly encouraged to use your VCU Zoom account to conduct any university-related business, collaboration or instruction. If you have a VCU eID, you can acquire an account by logging in at vcu.zoom.us (Hospital personnel need to obtain their account at vcuhealth.zoom.us with their "@vcuhealth.org" credentials).
Keeping Your Meeting Private
VCU's Information Security Office has assembled a very helpful guide to keeping your meetings private and secure.
Informative articles about using and securing your Zoom meetings can be found on Zoom's company blog.
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. In terms of video conferencing, the solution and security architecture must provide end-to-end encryption and meeting access control so the data in transit cannot be intercepted.
The general requirements of the HIPAA Security Standards state that covered entities must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
- Ensure compliance by its workforce.
Zoom is HIPAA Compliant
Zoom Video Communications is HIPAA compliant. We sign the HIPAA Business Associate Agreement (BAA) for healthcare customers, meaning we are responsible for keeping your patient information secure and reporting security breaches involving personal healthcare information. We do not have access to identifiable health information and we protect and encrypt all audio, video, and screen sharing data.
How Zoom Supports HIPAA Compliance
The following table demonstrates how Zoom supports HIPAA compliance based on the HIPAA Security Standards rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule).
HIPAA Support Matrix
HIPAA Standard | How Zoom Supports the Standard
Access Control |
Audit Controls |
Integrity |
Person or Entity Authentication |
Transmission Security |
Security and Encryption
Only members invited by account administrators can host Zoom meetings in accounts with multiple members. Hosts control meeting attendance through the use of meeting IDs and passwords. Each meeting can only have one host. The host can screen share or lock screen sharing. The host has complete control of the meeting and meeting attendees, with features such as lock meeting, expel attendees, mute/unmute all, lock screen sharing, and end meeting. Zoom employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 128-bit keys to protect meetings. Zoom encryption fully complies with HIPAA Security Standards to ensure the security and privacy of patient data.
Zoom HIPAA Compliance Guide, January 2015
Screen Sharing in Healthcare
Medical professionals and authorized healthcare partners can use Zoom’s screen sharing, and video and audio conferencing to meet with patients and other healthcare professionals and screen-share health records and other resources. Zoom does not distribute the actual patient data. Screen sharing transmits encrypted screen capture along with mouse and keyboard strokes only, not the actual data. Zoom further protects data confidentiality through a combination of encryption, strong access control, and other protection methods.
HIPAA Certification
Currently, the agencies tasked with certifying health technology – the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology – do "not assume the task of certifying software and off-the-shelf products" (p. 8352 of the Final Security Rule) or accredit independent agencies that do HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Zoom is not an EHR software or module, our type of technology is not certifiable by these unregulated agencies.