Is Zoom HIPAA Compliant for Small Clinics?
A plain-English guide for practice administrators on Zoom's BAA posture, which plans qualify, and the configuration work clinics still own.
Short answer
Zoom can support HIPAA-aligned telehealth, but only under the Zoom for Healthcare offering with a signed BAA. Free and personal tiers are out of scope, and clinics remain responsible for recording storage, chat transcripts, and meeting configuration.
The short answer
Zoom can be used for HIPAA-covered activity, but only on a healthcare-oriented plan with a signed Business Associate Agreement. Free, Pro, and personal tiers do not qualify. Even on a covered plan, the clinic still owns meeting configuration, recording storage, and retention decisions. Treat Zoom as one contracted vendor among many, not as a turnkey compliance solution.
What Zoom’s BAA actually covers
Zoom markets a healthcare-specific offering and will execute a BAA for qualifying customers. The BAA scopes the product features Zoom agrees to treat as covered services. In practice that usually includes Zoom Meetings and related telehealth-facing features. It does not automatically extend to every Zoom product surface. If a clinic plans to use Zoom Phone, Zoom Chat, Whiteboard, AI Companion features, or third-party marketplace apps for PHI-adjacent work, each of those must be confirmed in writing.
Zoom updates packaging frequently. A plan that included a BAA two years ago may have different terms today. Read "When a vendor needs a BAA" before signing anything, and verify the current BAA scope with Zoom’s sales team at the time of purchase.
Plan requirements
At a minimum, a clinic should:
- Buy Zoom through the healthcare offering, not self-serve upgrade from a free account.
- Request and countersign the BAA before the first PHI-bearing meeting.
- Confirm in writing which products and features the BAA covers.
- Document the Zoom contract in the clinic’s vendor inventory.
If a salesperson tells you “Zoom is HIPAA compliant” without producing a BAA, that is not a yes. HIPAA compliance is a contractual and operational posture, not a checkbox on a feature sheet.
Real-world configuration caveats
A signed BAA does not fix any of the following. These are the settings that actually cause problems during an audit or a complaint.
Personal Meeting IDs (PMI). Reusing a PMI for patient visits means the same link can be reshared, joined by the wrong person, or screenshot and reposted. Use per-meeting IDs with passcodes for patient-facing calls.
Waiting rooms and authentication. Waiting rooms should be on by default for any meeting where PHI might be discussed. Authentication options should match the clinic’s access policy.
Recording storage. Cloud recordings live in Zoom’s storage under the BAA’s scope. Local recordings saved to a clinician laptop usually do not live inside any BAA’d environment, and they are hard to retrieve, audit, or destroy on schedule. Pick one path and enforce it.
Chat transcripts. In-meeting and persistent chat can become a PHI surface fast. Messages like “patient DOB is…” end up stored, exported, and forwarded. Decide whether chat is in scope for clinical work or explicitly off-limits, and train staff to match.
Third-party integrations. Marketplace apps, transcription bots, and AI note-takers often sit outside the Zoom BAA. If a bot joins a visit, that bot’s vendor needs its own BAA or the bot should be blocked.
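The caveats above translate into a small set of account settings a clinic can check on every clinician account. The script below is an added example, not code from the original page or from Zoom: it audits a settings export against the clinic baseline (per-meeting IDs, passcodes, waiting room, cloud-only recording, chat off). The section and key names follow the general shape of Zoom's user-settings JSON but are an assumption here; confirm them against the current Zoom API reference before relying on them. The sample export is constructed.

```python
"""Audit a Zoom account-settings export against a clinic telehealth baseline.

Assumption: section/key names mirror Zoom's user-settings JSON; verify them
against the current API reference. SAMPLE_EXPORT is constructed test data.
"""
import json

# Baseline derived from the configuration caveats: (section, key, expected, finding).
BASELINE = [
    ("schedule_meeting", "use_pmi_for_scheduled_meetings", False,
     "PMI reused for scheduled meetings; use per-meeting IDs"),
    ("schedule_meeting", "require_password_for_scheduling_new_meetings", True,
     "passcode not required on new meetings"),
    ("in_meeting", "waiting_room", True,
     "waiting room is off"),
    ("recording", "local_recording", False,
     "local recording allowed; files land outside the BAA'd environment"),
    ("recording", "cloud_recording", True,
     "cloud recording disabled; no auditable recording path"),
    ("in_meeting", "chat", False,
     "in-meeting chat enabled; PHI can be stored and exported"),
]


def audit_settings(settings: dict) -> list[str]:
    """Return one finding per baseline item that is missing or set wrongly."""
    findings = []
    for section, key, expected, msg in BASELINE:
        actual = settings.get(section, {}).get(key)
        if actual is None:
            # A key absent from the export is not a pass; it needs a manual check.
            findings.append(f"{section}.{key}: not present in export; confirm manually")
        elif actual != expected:
            findings.append(f"{section}.{key}={actual!r}: {msg}")
    return findings


# Constructed sample export for one clinician account (not real data).
SAMPLE_EXPORT = json.dumps({
    "schedule_meeting": {"use_pmi_for_scheduled_meetings": True,
                         "require_password_for_scheduling_new_meetings": True},
    "in_meeting": {"waiting_room": True, "chat": True},
    "recording": {"local_recording": True, "cloud_recording": True},
})

if __name__ == "__main__":
    for line in audit_settings(json.loads(SAMPLE_EXPORT)):
        print(line)
```

Run it against each account's export after any plan or packaging change, since a setting that passed at purchase time can be reset by a later default.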
When Zoom is the wrong tool
Zoom is a telehealth and meeting product. It is not a compliance program, a task tracker, or an incident log. If the problem is “our clinic needs a system of record for compliance work, training attestations, vendor BAAs, and corrective actions,” Zoom does not solve that. Pair Zoom for visits with a dedicated compliance operating system. See "PHI in scheduling and intake forms" for adjacent risks, and the PHIGuard comparison for how clinics structure the rest of their stack.
Bottom line
Zoom is HIPAA-compatible on the right plan, with the right paperwork, and with disciplined configuration. Free Zoom is never an option for PHI. The BAA is necessary but not sufficient; the clinic still owns the settings, storage, and staff behavior that determine whether Zoom use is actually safe.
For an adjacent vendor evaluation, see "Is Typeform HIPAA compliant?".
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.