Note:

In 2021, WSU signed a Business Associate Agreement with Zoom to allow Zoom to be utilized and implemented more efficiently at WSU. Before this change, users needing HIPAA compliance in Zoom were separated from the rest of WSU Zoom in a subaccount with various security settings required by default. This solution posed challenges and had significant limitations for individuals who were conducting HIPAA-compliant Zoom Meetings, but also participated in normal WSU Zoom use (administrative meetings, academic courses, etc.).


Data Security Guidance Resources:

Issue:

I have questions on how I can utilize Zoom for HIPAA-compliant workflows, and what security controls are implemented to protect PHI data when using Zoom at WSU.

FAQ:

Q. What do the new HIPAA measures mean for me? Are all my Zoom meetings now HIPAA compliant?

A. All of WSU’s Zoom is now HIPAA compliant for everyone via a BAA (Business Associate Agreement) with Zoom. This means if you are sharing sensitive data (PHI) and follow proper security guidelines (review all FAQ questions and refer to Features and Settings below), your meeting is protected.


Q. Are HIPAA-related security settings turned on for me, or do I need to manage these settings myself?

A. There are two options:

  1. Users are responsible for managing and implementing the security practices and guidelines detailed in this article themselves when using WSU Zoom for HIPAA workflows with their normal WSU Zoom account.

  2. Users work with their Area IT and Compliance Officers to set up a Managed Health Account in WSU Zoom, where a user is provided a separate login for HIPAA use, security settings for this account are pre-configured, and Area IT or Compliance Officers have access to view, edit, and audit Health Account data in WSU Zoom. This option requires the individual to switch or utilize the appropriate login depending on Zoom use:
    • When conducting HIPAA-related workflows on WSU Zoom, log in and utilize the Health Account.
    • When conducting non-HIPAA workflows on WSU Zoom, log in and utilize their normal WSU Zoom Account.
    • To use this option, coordinate with Area IT, your Compliance Officer, and WSU Zoom Support (zoom.support@wsu.edu).


Q. Can I record to my local machine? 

A. Yes, you can record locally for normal meetings. If your meeting will need to be HIPAA compliant, the host of the meeting needs to disable the feature. This, and other HIPAA compliance measures, falls under the Endpoint Security Standards.


Q. If medical and counseling providers can cloud record sessions, where are the recordings stored?

A. The recordings are stored on the Zoom Cloud; however, WSU has sole and complete rights and ownership over any PHI stored there.


Q. How long are the cloud recordings stored?

A. Currently, recordings are stored for 365 days, at which point they are automatically deleted.


Q. Are the recordings encrypted?

A. Data in motion is encrypted at the application layer using Advanced Encryption Standard (AES).


Q. Who has access to the cloud recordings?

A. The Zoom services team treats access control for recordings as paramount. Only the three Zoom services administrators have access to recordings, as well as the host of the meeting and anyone the host shares the recording with.


Q. What are the recommended settings for recording, chat, and meetings?

A. If you regularly host HIPAA-compliant meetings, it is strongly recommended that you keep saving chat and local recordings disabled, to prevent confusion between your normal meetings and HIPAA-compliant meetings.


Q. Who should I contact if I have concerns or questions about HIPAA and Zoom at WSU?

A. If you have a privacy officer, please reach out to them. Otherwise, please contact Sally Makamson (smakamson@wsu.edu) and copy ciso@wsu.edu.


Features and Settings

Below are Zoom User settings (https://wsu.zoom.us/profile/setting) that provide additional security when conducting HIPAA-compliant Zoom meetings:

Meeting Security Settings:

  • Enable Waiting Room: Require participants to wait in a virtual waiting room before joining meetings, allowing the host to vet participants and control access.
  • Require Passcode: Enforce passcodes for all meetings to prevent unauthorized access.
  • Disable Join Before Host: Prevent participants from joining meetings before the host arrives to maintain control over meeting access.

Data Sharing and Transmission:

  • Disable Remote Control: Disable remote control features to prevent participants from taking control of the host's screen, which could potentially expose PHI.
  • Disable Saving Chat: Disable saving chat for local recordings so that PHI data is not stored on a local machine.
  • Disable Local Recordings: Disable local recording to prevent recordings containing PHI data from being stored on a local machine (instead of HIPAA-compliant and secure Zoom Cloud Storage).

Participant Management:

  • Restrict Screen Sharing to Host Only: Limit screen sharing to the host only to prevent unauthorized sharing of PHI.
  • Disable File Transfer: Disable file transfer during meetings to prevent the exchange of PHI-containing files through the Zoom platform.

AI Companion Settings:

  • Meeting summary with AI Companion: "Automatically share summary with" should have the 'Only me (meeting host)' option selected, allowing the host to maintain control of the data in the summary.