Awareness article

PHI in Zoom Meetings

How PHI shows up in Zoom meetings, what the Zoom BAA on Healthcare plans covers, and the settings small clinics should lock down.

Short answer

Zoom can carry PHI when a signed BAA is in place, typically on its Healthcare plan. The video session itself is rarely the weak point. Cloud recordings, in-meeting chat, and AI transcripts are where PHI leaks into uncontrolled surfaces.

Zoom is usually not the problem during a telehealth visit. The live video session is encrypted in transit and the doctor and patient control what is shared. The exposure shows up in everything Zoom does around the session: recordings, chat, transcripts, integrations, and cloud storage. That is where PHI escapes the meeting and ends up in places the clinic does not inventory.

BAA and plan eligibility

Zoom will sign a BAA on eligible paid plans. The Healthcare plan is the standard path, and Zoom documents its HIPAA configuration on its HIPAA compliance page. Two rules follow from this.

First, a free Zoom account or a basic paid plan without a signed BAA must not carry PHI. It does not matter that the video is encrypted. Without a BAA, Zoom is not a permitted business associate for that data.

Second, the BAA only covers the services listed in its scope. Every practice should keep a copy of its executed BAA and know which features are in scope. If a feature is not in scope, it must not be used for PHI. See Covered Entity vs Business Associate for the underlying requirement.

Where PHI actually leaks

Recordings

Cloud recordings are the single highest-risk Zoom artifact in a clinic. A 45-minute consult recording is a durable ePHI file. It will sit in Zoom cloud storage, often gets downloaded by a staff member, and sometimes ends up on a shared drive or in an email attachment. Controls to apply:

  • Disable cloud recording by default, enable only for specific use cases.
  • If recording is required, restrict who can start it and who can download it.
  • Set an automatic retention and deletion window.
  • Do not move recordings into non-BAA storage.

In-meeting chat

Chat messages sent during a Zoom meeting are often saved to the host’s local device or to the cloud transcript. Staff routinely paste patient names, MRNs, or phone numbers into chat during a visit. That content becomes ePHI the moment it is written. The safest posture is to disable in-meeting chat or restrict it to host-only for clinical meetings.
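The identifier-pasting habit described above is easy to detect after the fact if the clinic reviews saved chat exports. The scanner below is an added example written for this article; it is not Zoom's code or PHIGuard's. The export line format, the MRN convention (an "MRN" label followed by 6 to 10 digits) and the chat content are constructed assumptions; adapt `LINE_RE` and `PATTERNS` to the export format and record-number format your practice actually uses. Patient names cannot be matched reliably by pattern, so this covers MRNs and phone numbers and leaves names to training and manual review.

```python
"""Added example: flag patient identifiers in a saved Zoom chat export.

Not Zoom's code and not part of the original article. The export line format,
the MRN convention and the sample chat are CONSTRUCTED for the example.
"""
import re
from dataclasses import dataclass

# Constructed export format: "HH:MM:SS From <sender> to <recipient>: <message>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) From (.+?) to (.+?): (.*)$")

# Identifier patterns. The MRN convention ("MRN" label + 6-10 digits) is an
# assumption; substitute the clinic's own record-number format.
PATTERNS = {
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
}


@dataclass(frozen=True)
class ChatFinding:
    line_no: int    # 1-based line in the export
    sender: str     # who typed it, so retraining can be targeted
    kind: str       # "mrn" or "phone"
    redacted: str   # partial value only, so the report is not itself ePHI


def redact(value: str) -> str:
    """Keep the first three characters and mask the rest."""
    return value[:3] + "*" * (len(value) - 3)


def scan_chat(export: str) -> list[ChatFinding]:
    """Return one finding per identifier hit, ordered by line and position."""
    findings: list[ChatFinding] = []
    for line_no, line in enumerate(export.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or continuation line in this simplified format
        sender, message = m.group(2), m.group(4)
        hits = []
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(message):
                hits.append((match.start(), kind, match.group(0)))
        for _, kind, value in sorted(hits):
            findings.append(ChatFinding(line_no, sender, kind, redact(value)))
    return findings


# Constructed sample export (no real patients or numbers).
SAMPLE_CHAT = """\
14:02:11 From Front Desk to Everyone: patient arriving now
14:02:40 From Front Desk to Everyone: MRN 00481273, call back at 555-867-5309
14:03:05 From Dr. Lee to Everyone: thanks, starting exam
14:05:19 From Dr. Lee to Front Desk: reschedule follow-up, (555) 201-4477
"""

if __name__ == "__main__":
    for f in scan_chat(SAMPLE_CHAT):
        print(f"line {f.line_no}: {f.kind} from {f.sender}: {f.redacted}")
```

The report deliberately carries only a masked prefix of each match, so the review output can be shared with a compliance owner without becoming another ePHI file to track.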

AI summaries and transcripts

Zoom’s AI features generate transcripts and summaries. These outputs are ePHI if the underlying conversation referenced a patient. Treat them as you would EHR notes. Confirm they are in BAA scope, turn them off where they are not required, and apply a retention policy.

Integrations

Third-party apps installed in the Zoom marketplace (scheduling tools, note-takers, CRM connectors) can read meeting metadata, participants, chat, and recordings. Each integration is a new business associate relationship. Either the vendor signs a BAA or the integration does not touch PHI. This is the same vendor-management discipline covered in PHI in CRM Records.

Settings to lock down

A short checklist clinics can apply account-wide:

  • Require waiting rooms and authenticated users for clinical meetings.
  • Disable cloud recording and local recording by default.
  • Disable in-meeting chat and private chat for clinical workflows, or limit to host.
  • Disable AI features unless explicitly authorized and in BAA scope.
  • Require meeting passcodes and end-to-end encryption where available.
  • Review and remove unused marketplace integrations.
  • Confirm data center region settings align with the practice’s data-residency expectations.

Zoom surfaces most of these under account-level admin settings. A compliance owner should review them at least quarterly.
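A quarterly review goes faster, and catches silent drift, when the checklist is encoded as rules and run against an export of the account's settings. The script below is an added example for this article, not Zoom's or PHIGuard's code. The dotted key names are assumptions modelled on the shape of the JSON that Zoom's account and user settings API returns (the AI key in particular is hypothetical, since the page does not name that setting); confirm every key against the current Zoom API reference before relying on the output. The two settings documents at the bottom are constructed: one with typical gaps, one with the checklist applied.

```python
"""Added example: check a Zoom settings document against the lock-down checklist.

Not Zoom's or PHIGuard's code and not part of the original article. Dotted key
names are ASSUMPTIONS about the settings API's JSON shape; verify each one.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    path: str       # dotted key path in the settings document
    expected: Any   # value the checklist requires
    actual: Any     # value found; None when the key is absent
    item: str       # checklist item the rule enforces


# (dotted path, required value, checklist item). Key names are assumed.
RULES = [
    ("in_meeting.waiting_room", True, "Require waiting rooms for clinical meetings"),
    ("schedule_meeting.meeting_authentication", True, "Require authenticated users"),
    ("schedule_meeting.require_password_for_scheduled_meetings", True, "Require meeting passcodes"),
    ("in_meeting.e2e_encryption", True, "End-to-end encryption where available"),
    ("recording.cloud_recording", False, "Disable cloud recording by default"),
    ("recording.local_recording", False, "Disable local recording by default"),
    ("in_meeting.chat", False, "Disable in-meeting chat for clinical workflows"),
    ("in_meeting.private_chat", False, "Disable private chat for clinical workflows"),
    # Hypothetical key name: the article does not name Zoom's AI setting.
    ("ai_companion.meeting_summary", False, "Disable AI features unless authorized and in BAA scope"),
]

_MISSING = object()  # sentinel so an absent key is never confused with False/None


def get_path(doc: dict, path: str) -> Any:
    """Walk a dotted path through nested dicts; return _MISSING if any step is absent."""
    node: Any = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def audit_settings(doc: dict) -> list[Finding]:
    """Return one Finding per checklist item that drifts or cannot be verified."""
    findings: list[Finding] = []
    for path, expected, item in RULES:
        actual = get_path(doc, path)
        if actual is _MISSING:
            # Absent keys are reported, never silently treated as compliant.
            findings.append(Finding(path, expected, None, item + " (key absent, verify manually)"))
        elif actual != expected:
            findings.append(Finding(path, expected, actual, item))
    # Conditional rule: if cloud recording stays on for an approved use case,
    # an automatic deletion window must exist (checklist item under Recordings).
    if get_path(doc, "recording.cloud_recording") is True:
        auto = get_path(doc, "recording.auto_delete_cmr")
        days = get_path(doc, "recording.auto_delete_cmr_days")
        valid_days = isinstance(days, int) and not isinstance(days, bool) and days > 0
        if auto is not True or not valid_days:
            findings.append(Finding("recording.auto_delete_cmr", True,
                                    None if auto is _MISSING else auto,
                                    "Set an automatic retention and deletion window"))
    return findings


# Constructed "before" document: recording and chat left on, no AI key present.
DRIFTED_SETTINGS = {
    "schedule_meeting": {"meeting_authentication": True,
                         "require_password_for_scheduled_meetings": True},
    "in_meeting": {"waiting_room": True, "chat": True,
                   "private_chat": False, "e2e_encryption": False},
    "recording": {"cloud_recording": True, "local_recording": False,
                  "auto_delete_cmr": False, "auto_delete_cmr_days": 30},
}

# Constructed "after" document: the same account with the checklist applied.
HARDENED_SETTINGS = {
    "schedule_meeting": {"meeting_authentication": True,
                         "require_password_for_scheduled_meetings": True},
    "in_meeting": {"waiting_room": True, "chat": False,
                   "private_chat": False, "e2e_encryption": True},
    "recording": {"cloud_recording": False, "local_recording": False},
    "ai_companion": {"meeting_summary": False},
}

if __name__ == "__main__":
    for f in audit_settings(DRIFTED_SETTINGS):
        print(f"{f.path}: expected {f.expected!r}, found {f.actual!r}  <- {f.item}")
```

Two design choices matter for a compliance review: a missing key produces a finding rather than a pass, because "not configured" is not evidence of "disabled", and the retention rule is conditional, so a clinic that keeps cloud recording for an approved use case is still held to the deletion-window requirement.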

Workforce training

Most real incidents come from staff habit, not configuration. Recurring training topics to cover:

  • Do not use personal Zoom accounts for patient interactions.
  • Do not paste identifiers into chat.
  • Do not record a session unless the patient has consented and recording is clinically required.
  • Do not download a recording to a personal device.
  • Do not screenshot a session for a coworker. Use the proper system of record.

If coordination around a patient is happening outside the meeting too, move that discussion out of Zoom chat and into a system with access control and an audit trail. That is the same principle discussed in PHI in Slack DMs.

The bigger pattern

Every communication tool in a clinic has a version of this problem. The session itself is defensible. The exhaust (chat, transcripts, recordings, integrations, notifications) is where PHI leaks. Narrowing that exhaust is the job. Where coordination, follow-up, and assignment work currently lives inside meeting tools, a dedicated clinic platform with a BAA at every tier closes the loop. See /hipaa for the approach.

FAQ

Questions related to this topic

Is Zoom HIPAA compliant?

Zoom can support HIPAA compliance on eligible paid plans when a BAA is signed, typically Zoom for Healthcare. The free and standard tiers without a BAA are not appropriate for PHI.

Does Zoom's BAA cover cloud recordings?

Zoom's BAA covers the platform services included in the eligible plan, which can include cloud recording. Practices should confirm scope in the current BAA and disable recording where it is not required.

Are Zoom AI transcripts safe for PHI?

Transcripts generated by Zoom AI features are ePHI once they reference a patient. They must fall within the BAA scope, be access-controlled, and be retained only as long as needed.

Operational assurance

Move from policy documents to a working compliance program.

PHIGuard turns these workflows into repeatable tasks, audit evidence, and role-based processes for small clinics.
