Is Loom HIPAA Compliant?
What healthcare organizations and small clinics need to know before using Loom for staff training videos, screen recordings, and internal communication — and when Loom use creates HIPAA risk.
Short answer
Loom (now owned by Atlassian) does not publicly offer a HIPAA BAA on standard plans. Small clinics can use Loom safely for training content that contains no PHI — the key constraint is that video content itself must not include patient names, records, or identifiable clinical information.
Loom is an asynchronous video messaging tool used for software demos, staff training recordings, and internal communication. The HIPAA question with Loom turns on the content of the videos, not Loom’s security posture.
Note: Loom was acquired by Atlassian in 2023. BAA availability, if any, is now managed through Atlassian’s enterprise agreements. Contact Atlassian directly to confirm current BAA availability before using Loom for any PHI-containing content.
Loom’s HIPAA Posture
As of this verification date, Loom does not publicly advertise a HIPAA Business Associate Agreement on standard or Business plans. Atlassian’s enterprise products (Jira, Confluence) have HIPAA coverage available in some configurations. Loom’s enterprise BAA posture should be confirmed directly with Atlassian.
Atlassian enterprise agreements are priced for large organizations. Small clinics (3-50 staff) are unlikely to obtain HIPAA coverage through Atlassian enterprise pricing at a reasonable cost. Keep PHI out of Loom entirely.
When Loom Creates HIPAA Risk
The risk with Loom is content-driven. When a video contains PHI, that file is PHI in a system with no BAA. This applies to:
Training Videos With Real Patient Data
A training video that shows a real patient’s record, even momentarily, to demonstrate how to document a visit or use a billing code is a video containing PHI. The same applies to:
- Screenshots from actual patient charts in EHR walkthroughs
- Audio that mentions real patient names in a clinical context
- Video that shows a patient’s face or identifiable features
The fix: Use entirely fictional patient data in training videos. Create a clearly labeled test record in your EHR with synthetic identifiers and use only that non-real record for training recordings.
Clinical Documentation and Review
If providers record a Loom video walking through a patient’s case for a colleague’s review (“here’s [Patient Name]’s chart from today’s visit”), that video contains PHI. This pattern sometimes develops when providers want to share clinical context asynchronously.
Blurred or “Anonymized” Content
Blurring real patient data in a video does not constitute de-identification under HIPAA’s safe harbor standard. If the diagnosis, provider name, visit date, and clinical context in the video could allow a viewer familiar with the patient to re-identify them, the information remains PHI.
Safe Uses of Loom in a Clinic Setting
Loom is useful and HIPAA-compatible for content that contains no PHI:
- Software and process walkthroughs using fictional test patient data
- HIPAA training content explaining concepts, policies, and procedures without real patient examples
- Operational updates (scheduling changes, policy updates) that don’t reference specific patients
- Vendor evaluation demos showing a product to the team without patient data in the demo environment
Apply this test to any Loom video: does the recording contain information that relates to a specific patient’s health, healthcare, or payment for care? If yes, use a HIPAA-eligible alternative. If no, Loom is appropriate for that content.
Alternatives for PHI-Containing Video Needs
For video content that will or may contain PHI:
- Telehealth visits: Use a HIPAA-eligible telehealth platform with a BAA (Webex for Healthcare, Zoom for Healthcare with appropriate configuration, Doxy.me, etc.)
- Clinical case consultation: Use a HIPAA-eligible secure messaging or video platform
- Training videos with real clinical content: Obtain a BAA-covered video hosting platform, or restructure the content to use fictional data
For most small clinics, the clearest rule is: Loom is for non-PHI content only. Any content involving real patient information goes through a BAA-covered system.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.